
Cybersecurity best practices for Kenyan businesses

Seven controls that move the needle, ranked by what actually stops the threats we see most in incident response. From a team that runs production SOC operations across East Africa.

Most cybersecurity advice in Kenya falls into one of two camps: vendor-led marketing about whatever product they're selling this quarter, or generic "best practices" lifted from Western contexts that don't reflect what's actually breaking in our market. Neither helps.

This article is the third version of an internal document we use with new customers — the seven controls that, in order of priority, would have prevented the most incidents we've responded to over the last five years. Honest, ranked, and Kenya-specific.

What we actually see in incident response

The breaches we work on in East Africa are mostly mundane. The dramatic stuff — APT campaigns, zero-days, sophisticated nation-state operations — is rare. What we see almost weekly:

  • Credential phishing followed by business-email compromise. The single most damaging pattern. Costs Kenyan businesses ~KES 200M+ a year that we know about.
  • Ransomware via unpatched perimeter devices. Often Fortinet / Palo Alto VPNs three years behind on firmware.
  • Insider mistakes. Sensitive data in the wrong S3 bucket, the wrong inbox, or the wrong WhatsApp group.
  • Mobile malware on BYO devices that connect to corporate Wi-Fi or VPN.
  • Supply-chain compromise via outsourced IT vendors.

The seven controls below would have prevented or contained the vast majority. They're not flashy. They work.

1. MFA on every external-facing account

If you do one thing this quarter, do this. Multi-factor authentication on email, VPN, admin consoles for cloud and SaaS, and any system that holds customer data. Phishing-resistant MFA where you can — passkeys, hardware tokens, Microsoft / Google authenticator apps. SMS as a last-resort fallback only.

The single biggest security ROI in your business is the day you turn on MFA across email and VPN. Everything else is rounding error compared to that.

Reality check

If your CFO doesn't have MFA on email today, stop reading and go fix that. Then come back.

2. Patch on a documented schedule

Half the ransomware we respond to enters via a perimeter device that hadn't been patched in two years. Adopt a documented patching cadence: critical patches within 7 days, high within 30, medium within 90.

The hard part isn't the patching — it's having an inventory of what you actually own to patch. Most Kenyan SMEs don't have a clean asset list. Build one this month. Tools like runZero or even a careful Nessus / Nmap sweep will get you 90% of the way.

3. Backups that have actually been tested

Every business has "backups." Few have backups that work — that have been restored end-to-end in the last six months. The ransomware payment economy exists because of this gap.

  • Three copies, two media, one offline. The classic 3-2-1 rule still holds.
  • Immutable / WORM storage for at least one copy. Ransomware that encrypts your backups along with your live data is now standard.
  • Quarterly restore drills. Untested backups are theatre.

4. Endpoint protection that detects, not just blocks

Move beyond traditional antivirus to a modern EDR (endpoint detection and response) — CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, depending on your stack. The value isn't just "block known bad" — it's the ability to ask "what happened on this laptop between 14:00 and 16:00?" three months after the fact.

5. Email defence — DMARC, SPF, DKIM, plus filtering

Most BEC starts with a spoofed email. DMARC enforcement (with p=reject) on every domain you own. SPF and DKIM correctly configured for every system that sends mail on your behalf. Add a reputable email-security gateway (Microsoft Defender for Office 365, Google Workspace's built-in protection, Mimecast, Proofpoint) for inbound filtering.

If your auditor's first finding isn't "no DMARC enforcement," your auditor isn't doing their job. This is a 2026 baseline, not a stretch goal.

— Abdulhamid Haid, Networking Engineer
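As an added illustration that is not part of the original article, the Python below grades DMARC and SPF TXT records against the baseline described above (DMARC at p=reject, an SPF record that ends in -all and stays within the 10-lookup limit). The records are constructed samples for a hypothetical domain, not live DNS data, and the function names check_dmarc and check_spf are chosen here.

```python
import re

# Constructed sample records for a hypothetical domain, not live DNS data.
SAMPLE_RECORDS = {
    "_dmarc.example.co.ke": "v=DMARC1; p=none; rua=mailto:dmarc@example.co.ke",
    "example.co.ke": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all",
}

def parse_tags(record):
    """Turn a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Findings for a DMARC record; an empty list means it meets the p=reject baseline."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") != "reject":
        findings.append(f"policy is p={tags.get('p', 'missing')}, baseline is p=reject")
    # sp= covers subdomains and inherits p when absent, so only an explicit weaker value is flagged
    if tags.get("sp", "reject") != "reject":
        findings.append(f"subdomain policy sp={tags['sp']} is weaker than reject")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    return findings

def check_spf(record):
    """Findings for an SPF record: the 'all' qualifier and the RFC 7208 10-lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t.lower())), None)
    if all_term in (None, "all", "+all", "?all"):
        findings.append(f"'all' mechanism is {all_term or 'missing'}: spoofed senders pass")
    elif all_term == "~all":
        findings.append("~all softfail: move to -all once every legitimate sender is listed")
    # Mechanisms that cost a DNS query; more than 10 makes receivers return permerror
    lookup = re.compile(r"[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")
    lookups = sum(1 for t in terms if lookup.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings
```

Run check_dmarc and check_spf over the two SAMPLE_RECORDS entries to see the p=none and ~all findings a posture review would raise.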

6. Network segmentation that limits blast radius

If a single compromised laptop can reach your finance servers, your HR system, your customer database, and your backups — your network is one accident away from a bad day.

Basic segmentation: separate VLANs (or cloud-equivalent VPCs) for end-user devices, servers, and "high-risk" assets like finance and HR. Strict firewall rules between them. East-west traffic monitored, not just north-south.

7. An incident response plan that's been rehearsed

The single biggest determinant of whether an incident is a one-day inconvenience or a three-month disaster is whether the team has rehearsed the response. Your plan needs:

  • Named incident commander (not the CTO — they'll be drowning in stakeholder calls).
  • A communication tree, including: legal counsel, ODPC (Office of the Data Protection Commissioner) notification, insurer, board.
  • Pre-agreed escalation triggers — at what severity does what action happen?
  • A documented containment playbook for the top 3–5 scenarios.
  • An annual tabletop exercise where you actually walk through a simulated incident.

A closing word

You'll notice we didn't recommend specific products. That's deliberate — the right product depends on your existing stack, scale, and team capability. What's universal is the order of priority. MFA before EDR before network segmentation. Backups before incident response. Boring before exotic.

If you're working through these and want a second pair of eyes, our security team is happy to do a free 60-minute posture review. We'll tell you which of the seven you've actually got covered — and which of them looks covered but isn't.


Abdulhamid Haid

Networking Engineer · Security Lead

Abdulhamid runs Augusta's security operations and incident response practice. He's spent the last six years inside production environments across East Africa — including more incident response engagements than he'd ideally like.
