Kenya reels under 2.5 billion cyber-attacks in three months
The findings are contained in the Cyber Shujaa Industry Report 2025, which warns that hackers are exploiting weak passwords, outdated software, and poorly secured networks
Kenya experienced more than 2.5 billion cyber-attacks between January and March 2025, exposing critical weaknesses in government systems, banks, and telecommunications firms, while the country continues to face a severe shortage of cybersecurity experts.
The findings are contained in the Cyber Shujaa Industry Report 2025, which warns that hackers are exploiting weak passwords, outdated software, and poorly secured networks as the demand for trained defenders far outstrips supply.
Universities are producing about 1,500 graduates annually, compared to an estimated 45,000 jobs in the field, leaving institutions vulnerable to growing digital threats.
The Communications Authority (CA) issued 13.2 million advisories during the three-month period, underlining the scale of attacks. Yet the report shows that many graduates lack the practical skills required by employers, worsening the gap.
“On the supply side, many young people struggle to find jobs despite the growing demand for digital skills. On the demand side, companies often compete for the limited number of skilled professionals, leading to a talent gap,” Cyber Shujaa Curriculum and Training Director Paula Musuva said.
Musuva warned that the country faces a 96 per cent skills deficit in key areas such as digital forensics and incident response, roles critical for tracing breaches and restoring systems after attacks.
She noted that the need for cloud security specialists, DevSecOps engineers, software security architects, and ethical hackers continues to exceed supply, exposing organisations to financial and operational losses.
Employers have also raised alarm over a mismatch between academic training and workplace demands, citing gaps in knowledge of cybersecurity law, malware analysis, and digital forensics.
The report highlights that despite thousands of job openings, more than one-third of cybersecurity graduates remain unemployed.
Data Commissioner Immaculate Kassait, speaking at the launch of the report, described the situation as a national security threat.
“We are no longer fighting wars on physical borders. That has shifted. The war has moved to cyberspace. Every single day, we are confronted by cybersecurity threats, and those entering this field carry a responsibility almost as heavy as doctors and nurses caring for patients in intensive care,” she said.
Kassait stressed the close link between cybersecurity and data protection, warning that the two must go hand in hand.
“Cybersecurity focuses on protecting systems from attack, while data protection ensures that personal information is handled with dignity and fairness. Neither can exist in isolation,” she said.
She further urged that privacy safeguards be built into all digital projects from the start.
“Kenya must move from simply complying with legal requirements to building a culture of privacy by design and by default,” Kassait said.
The report also pointed to gender gaps in the industry, noting that many women exit technology careers early.
However, it praised Cyber Shujaa for raising female participation in cybersecurity to 41 per cent.
