Last year, was the first time I read the Cyber Security report by TESPOK and Serianu, a security company. I remember thinking “why is this report so hollow?” but I thought it was because it was the first year and they didn’t have the materials.
You can imagine the question I asked this time round, when I read this report on TESPOK website. You can read my story for the IT World.
So, what are my issues with the report?
1. Shoddy, sketchy work
If you read the report, the point where you find the statistics, is the honey pot side, which is a security system put in place at TESPOK to capture data from all the ISPs peering or exchanging content at the Kenya Internet Exchange Point.
If you read the other information on areas such as banking, the data is devoid of any statistics or any information that can add value. They may just as well have given this desk research to a journalist and they probably would have come up with a better write up.
The intro is written by a guy from Equity bank, who could at least have alluded to all the fraud and security issues that security experts say Equity Bank is vulnerable to. Not to admit but all that marketing rubbish of how they have the systems in place, even though we know it is a lie.
Some of that info may not be disclosed by if you are security experts, you will have insiders who will indicate how much, say, every bank or at least the major banks are losing to cyber threats.
In short, that report could have been consolidated by the folks at TESPOK, either they are just lazy or they feel that partnering with Serianu given TESPOK more credibility, its an industry body, they needed Serianu to just compile?
2. Advertising for Serianu
If you read the report, it has several pages advertising what Serianu does and very minimal or none of what TESPOK does. Again, I ask, who needed who? If TESPOK just needed to advertise Serianu, don’t call it research, call it an advertorial or white paper or something.
3. Naming and shaming ISPs
The report talks about ISPs that are prone to malware, again, this is from the Honey pot. The report names the 20 ISPs but doesn’t give their names. When will they ever learn if the information is hidden?
I know that exposing an ISP’s cybersecurity vulnerability affects its bottom line but they will improve if consumers are able to know which ISPs are most secure. Its more like touting yourself as a researcher in media and corruption, then instead of naming the most corrupt media houses, you just give us number one to ten then present the percentages, how does that help us?
Yes, ISPs are members of TESPOK and do not want to be shamed but if you want the ISPs to take the research seriously, then name them, make use of the honey pot and forget these essays that we can google and download.
The closest I got to identifying the ISPs was in the publication of AS numbers for the IPs considered lethal. With the AS numbers I identified Access Kenya, JTL, Safaricom, among others as the culprits.
4. Role of KE CERT
I think the best statement was towards the end, when the report says there is a need for a strong CERT in Kenya, this was like a kick to the CCK and their dismal efforts, which you can read on their website.
Of course this is just my opinion…….you can read the report and be the judge.