As in South Africa, cybersecurity breaches are becoming a dime a dozen in Kenya, and worse, companies (and people) are losing big money to attacks. According to a report by Serianu, a Kenyan cybersecurity firm, the country lost KES 29.9 billion ($231 million) to cybercrimes. Across the continent, that figure crossed $95 billion. The assessment, based on data from 280 organisations, says these attacks are becoming more coordinated.
What’s driving this surge? Payment fraud remains the top incident category, fuelled by weak monitoring tools and highly persuasive social engineering tactics. Online and email fraud alone made up 40% of incidents and 32% of losses, and the report noted that threat actors are now blending phishing, credential theft, and ransomware in AI-enabled campaigns to target public institutions. That tracks with the recent Microsoft 2025 Digital Defence Report, which shows that people were 4.5 times more likely to click on a phishing email when it was written by an AI than when it was composed by a human.
The November wake-up call. Weeks before the report dropped, local media publications reported that in November, a coordinated attack disrupted access to several Kenyan government websites, including those for education, labour, health, energy, and water. The hackers replaced ministry websites with white supremacist messages like “We will rise again,” “White power worldwide,” and “14:88 Heil Hitler.” No group has claimed responsibility, but the websites have since been brought back online.
What’s the government doing? The cabinet says a National Security Operations Centre (SOC) is being set up to centralise monitoring and incident response across ministries. Yet previous breaches show the implementation gap remains wide. Without stronger identity governance, visibility, and AI-driven security, the country risks expanding digitally faster than it can defend itself.
