Kenyan companies are hemorrhaging billions of shillings to cybercriminals despite significant investments in security, a problem rooted not in technology but in the boardroom. A staggering KES 29.9 billion was lost to cybercrime in the 2024/2025 period, according to the latest Africa Cybersecurity Report, exposing a flawed strategy that isolates cyber defence within IT departments.

This costly oversight means that while companies are spending heavily on security tools, the ultimate decision-makers often lack the strategic understanding to combat evolving threats effectively. The issue is now a critical threat to Kenya's burgeoning digital economy, impacting everything from mobile money systems to government services and eroding public trust.

A Costly Disconnect

The core of the problem, as highlighted by the report from the Africa Cyber Immersion Centre (ACIC), is structural. When cybersecurity is managed solely as a technical function, its broader business implications—reputational damage, regulatory fines, and loss of customer trust—are dangerously overlooked. This leaves companies vulnerable, even with a 3:1 spend-to-loss ratio, which is considered a benchmark for resilience in Africa.

The consequences are severe and widespread. Kenya saw an explosion in cyber threats, with the National Kenya Computer Incident Response Team (KE-CIRT/CC) detecting 4.5 billion threat events between April and June 2025 alone, an 80.7% jump from the previous quarter. These are not abstract numbers; they represent tangible attacks on the nation's economic pillars:

• Financial Sector: Payment fraud, fueled by sophisticated social engineering and attacks on real-time transfers, remains the most common type of incident.
• Government Services: Critical platforms like eCitizen have been paralyzed by coordinated attacks, demonstrating the vulnerability of national infrastructure.
• Identity-Based Attacks: Phishing, credential theft, and Business Email Compromise (BEC) now account for nearly half of all incidents in the country.

The Boardroom's New Mandate

Experts and regulatory bodies are unanimous: the paradigm must shift. Cybersecurity can no longer be delegated to the IT department alone; it must become a standing agenda item in the boardroom. This reflects a global trend where boards are held directly accountable for overseeing cyber risk, a standard increasingly expected by international investors and partners.

The path forward requires a fundamental change in corporate governance. Boards must actively engage with cyber risk, demand clear metrics, and ensure that security strategy is woven into the overall business strategy. This involves empowering Chief Information Security Officers (CISOs), investing in continuous employee training to mitigate human error, and moving beyond mere compliance to build genuine, measurable cyber resilience.

As Kenya's digital transformation accelerates, the stakes have never been higher. Treating cybersecurity as a strategic business imperative is not just about preventing losses; it is a crucial investment in safeguarding the nation's digital future.