Kenya hit by 2.5 billion cyber-attacks in three months, facing crippling skills gap

Findings show that universities are producing an average of only 1,500 cybersecurity graduates annually, far below the 45,000 positions available in the sector.

Over 2.5 billion cyber-attacks targeted Kenyan systems from January to March 2025, affecting banks, government agencies and telecom companies.

According to a new report dubbed Cyber Shujaa Industry Report 2025, criminals are exploiting weak passwords, unpatched software and poorly secured networks, while Kenya struggles to field enough trained professionals to defend its systems.

The report also reveals a dangerous shortage of cybersecurity experts in the country. Findings show that universities are producing an average of only 1,500 graduates annually, far below the 45,000 positions available in the sector. The report also notes that graduates lack the practical skills demanded by employers, leaving organisations vulnerable to attacks.

During this period, the Communications Authority (CA) issued 13.2 million advisories, highlighting the scale of the threat. Criminals exploited weak passwords, outdated software, and poorly secured networks, while Kenya’s cybersecurity workforce remains critically low.

“On the supply side, many young people struggle to find jobs despite the growing demand for digital skills. On the demand side, companies often compete for the limited number of skilled professionals, leading to a talent gap,” Cyber Shujaa Curriculum and Training Director Paula Musuva said.

She warned that with cyber threats on the rise, the skills shortage must be urgently addressed. The report estimates a crippling 96 per cent skills gap, particularly in specialised areas such as digital forensics and incident response, essential for investigating and recovering from attacks.

Demand for software security architects, cloud security specialists, and DevSecOps engineers far exceeds supply. According to the report, hackers, professionals tasked with identifying vulnerabilities before criminals exploit them, are also scarce, leaving companies exposed to financial and operational losses.

Employers have raised concerns about a mismatch between university training and workplace requirements. Critical gaps include knowledge of cybersecurity law, digital forensics, and malware analysis. Consequently, despite thousands of vacancies, more than a third of cybersecurity graduates remain unemployed.

Data Commissioner Immaculate Kassait, speaking at the report launch, described the shortage as a national security threat.

“We are no longer fighting wars on physical borders. That has shifted. The war has moved to cyberspace. Every single day, we are confronted by cybersecurity threats, and those entering this field carry a responsibility almost as heavy as doctors and nurses caring for patients in intensive care,” she said.

She emphasised the inseparable link between cybersecurity and data protection.

“Cybersecurity focuses on protecting systems from attack, while data protection ensures that personal information is handled with dignity and fairness. Neither can exist in isolation,” Kassait said.

Kassait added that Kenya must embed privacy safeguards into digital projects from the outset.

“Kenya must move from simply complying with legal requirements to building a culture of privacy by design and by default,” she said.

The report also flagged gender disparities in the sector. Many women leave tech careers early, but Kassait praised Cyber Shujaa for raising female participation to 41 per cent.

“No country can afford to leave half of its talent behind. Kenya’s digital workforce must reflect Kenya’s diversity,” she said.

The Cyber Shujaa Programme, launched in March 2022 and led by Serianu Limited, USIU-Africa, and the Kenya Bankers Association (KBA), has trained over 5,000 youths and placed more than 2,000 in cybersecurity jobs. The programme provides hands-on training in security analysis, cloud and network security, digital forensics, governance, risk, compliance, and data protection, with globally recognised certifications from Microsoft, EC-Council, ISACA, (ISC)², CompTIA, AWS and Cisco.

“Cyber Shujaa has provided a powerful answer. In just three years, this initiative has trained more than 5,000 young people, placed over 2,000 into decent jobs, and supported dozens to launch their own enterprises. It has done more than build technical skills; it has built resilience, confidence, and hope,” Kassait said.

Zilpher Awiti, Acting CEO of the ICT Authority, added, “The Cyber Shujaa programme has proven that when government, academia, and industry collaborate, we can transform youth unemployment into a source of resilience, innovation, and national security. Today’s graduates are not only securing systems; they are securing Kenya’s digital future.”

The report emphasised the need to mainstream cybersecurity into national development, expand training beyond Nairobi, and enhance gender inclusion initiatives.

“With initiatives like Cyber Shujaa, we are showing the world that Kenya can not only participate in the global digital economy but also lead in building a secure and inclusive digital society,” Kassait said.
