One Monday morning not too long ago, Stella Njoroge woke up to a flurry of complaints about an outage at her workplace, K-Unity Sacco.
Her team went into action, looking to restore the mobile banking system, which had developed issues over the weekend.
K-Unity Sacco is a cooperative union with more than 100,000 members that has become a household name in Kiambu, Nairobi, Nakuru, Narok and Nyandarua counties.
It came about from the amalgamation of Limuru Marketing Co-operative Union and Kiambu Dairy Marketing Union in 1974.
Unknown to Stella, the Head of Finance at the Sacco, the outage was only a symptom of a bigger problem. Their system had been compromised and the shutdown had been triggered by a series of suspicious transactions.
So many were the transactions that her team was being called upon to confirm that they were legitimate.
“This attack exposed our vulnerability. Initially, we did not consider the risk high. Until our system was penetrated despite having controls including firewalls, monitoring and audit protocols. We had thought that this sufficed but they were all by-passed,” Stella recalls.
Hackers had penetrated the core banking system, identified accounts that had funds and funneled them through the mobile banking system. This was the first time the organization was being hit from outside. The closest attempt it had hitherto faced was the odd inside job.
While K-Unity Sacco managed to salvage most of the funds that were already on their way to their hackers’ phones, the incident served as an eye-opener.
“We came to the realization that risks in the cyber landscape were increasing in scope and extent. That is when we decided that the role of IT would not just be to offer support but also to cater for these challenges,” explains Francis Muoria, the Head of ICT.
According to the Communications Authority of Kenya, 37.1 million threats were detected by the National Kenya Computer Incident Response Team/Coordination Centre between October and December 2019.
To forestall similar threats in the future, K-Unity Sacco sought an all-encompassing cybersecurity solution that would not only have controls, but also an intrusion detection system as well as network and threat management. This search led the firm to take up the Safaricom Managed Security Services.
After establishing the needs, a joint team comprising Safaricom and K-Unity set about establishing the system. After successful tests, it went live.
The Safaricom Managed Security Services has a wide range of security solutions to protect IT systems. It allows individuals and businesses to secure their emails, websites, manage vulnerabilities, test and audit IT systems and access real time monitoring among other services.
The solution to K-Unity Sacco has three components: Safaricom Managed Security Operations Center that gives an understanding of the level of cybersecurity exposure to detect and respond to threats; Safaricom Unified Threat Management Service to give visibility of internet traffic; and Safaricom Security Awareness Training for the leadership team and other users.
Francis says: “The system is more focused on users. The reporting is also better than the bulk alerts we previously received. This allows us to focus on what is important by identifying issues individually and selecting those that need resolution”.
The training for all users, and a specialized one for IT and Audit functions is meant to arm them with knowledge to enable them understand their role in stopping such attacks.
“Having learnt that insiders play a big part in facilitating an attack, we have been growing awareness across the organization. The IT department has also benefited from understanding security threats, how to handle and respond them and remedial activities,” he adds.
The investment in the managed security system puts K-Unity Sacco in good stead in its expansion strategy. At the moment, besides providing savings and credit services the Sacco has other business lines which include a property arm, which manages Mapa House in Kiambu and buildings in Githunguri, Kiriita, Limuru, Wangige and Kikuyu that it owns; and Mapa Insurance Agency.
K-Unity’s Head of Business Development and Marketing, Joseph Ndiritu, says that with digitalization becoming the new normal, it is the only way to deliver a great customer experience.
“Through technology, we are able to give the best and to transform lives positively. It is from digital technology that we can give a good and simple solution. We are embedding technology in our services. We also have to assure our members that their deposits are safe,” Joseph says.
Francis adds: “In order to be the preferred financial services provider that we aspire to, we must safeguard shareholder wealth and deposits. This is dependent on how secure our systems are. Can they detect attacks and block them? That is where this solution comes in.”
