Skip to content

Cybersecurity Basics Every Kenyan Business Leader Should Know

Cybersecurity is not an IT problem you can delegate away, it is a business risk you own. Here are the basics every Kenyan business leader can understand and act on without being technical.

By Karani Geoffrey, Founder & CEO, Upeosoft
In short

Cybersecurity for a business leader is not about technical mastery, it is about a few high-impact basics: strong unique passwords with two-factor authentication, trained staff who spot phishing, controlled access per person, regular backups, updated software, and compliance with the Kenya Data Protection Act. Most breaches exploit these basics being missing, not clever hacking.

Key takeaways
  • Most breaches exploit basic gaps and human error, not sophisticated hacking.
  • Two-factor authentication is the single highest-value control you can turn on today.
  • Phishing targets people, so trained staff are a core part of your defence.
  • Give each person their own login with access limited to what their role needs.
  • The Kenya Data Protection Act makes protecting customer data a legal duty.
  • Backups and updates are boring, unglamorous, and what actually saves you.

Security is a business risk, not just an IT task

Many founders treat cybersecurity as something technical that gets delegated to whoever handles the computers. That framing is the first mistake, because the decisions that actually determine your exposure are business decisions: who can access what, how money moves, how staff are trained, what data you hold and how carefully.

As a leader you do not need to understand encryption algorithms. You need to understand that a breach can drain your accounts, expose your customers, break the law and destroy trust, and that preventing it is mostly about discipline rather than technology. The businesses that get hurt are rarely outmatched by genius hackers. They are usually undone by basics nobody took ownership of, which is exactly the kind of problem a leader is meant to solve.

Passwords and two-factor authentication

The humble password remains the front door to almost everything, and in most businesses that door is barely locked. People reuse the same password everywhere, so one leak elsewhere unlocks your business too, and they choose passwords weak enough to guess.

Two fixes carry enormous weight. First, use long, unique passwords for every account, made manageable by a password manager so nobody has to memorise them. Second, and most important, turn on two-factor authentication everywhere it is offered, especially email, banking and your business systems. With 2FA, a stolen password alone is not enough to get in. If you do only one thing after reading this, enable 2FA on your email today, because whoever controls your email can reset the passwords to everything else.

Your people are the real front line

The most common way attackers get in is not through your software, it is through your staff. A convincing phishing message, an email pretending to be you asking for an urgent payment, a WhatsApp from a fake supplier changing their bank details, exploits human trust and haste, not technical flaws.

That makes awareness a core control, not a soft extra. Teach your team a few reflexes: be suspicious of urgency, because attackers manufacture panic to stop people thinking; verify any unusual request, especially about money or credentials, through a separate channel like a phone call to a known number; and never enter a password after clicking a link in a message. A staff member who pauses and checks is worth more than most security software.

  • Treat urgency and pressure as warning signs, not reasons to hurry.
  • Verify payment and password requests through a second, known channel.
  • Never enter credentials via a link in an email, SMS or WhatsApp.
  • Confirm any change to supplier bank details before paying.
  • Make it safe to report a mistake fast, because speed limits the damage.

Control who can access what

A quiet but serious risk is that everyone in the business can reach everything. Shared logins, blanket admin rights and passwords stuck to monitors mean a single compromised account, or a single disgruntled person, can touch your whole operation.

The principle here is least privilege: each person has their own login and can access only what their role genuinely needs. A cashier does not need the payroll, a salesperson does not need the bank reconciliation. This limits the blast radius when an account is compromised, because the attacker inherits only that person's narrow access, not the keys to everything. It also creates accountability, since every action ties to a named person rather than an anonymous shared account. Access control is where security and anti-fraud become the same discipline.

Backups and updates: boring, essential, decisive

The least glamorous controls are the ones that save you. Ransomware, where attackers encrypt your data and demand payment, is devastating only if you have no backup to restore from. With good backups it becomes an inconvenience; without them it can end a business.

So keep backups that are automatic, stored off-site or in the cloud, and actually tested by restoring them. Separately, keep software updated, because most attacks exploit known flaws that a patch already fixed, and running outdated systems is like leaving a repaired lock unfitted. Neither of these is exciting, and that is precisely why they get neglected until the day they would have mattered. Leaders who insist on boring backups and boring updates are the ones who sleep through the incidents that wreck their competitors.

A secure system is easier than a pile of tools

Trying to bolt security onto a sprawl of spreadsheets, personal devices, WhatsApp groups and disconnected apps is exhausting, because every one of them is a separate door to watch. Security gets dramatically easier when your business runs on a single, well-built system of record instead.

In a proper system, access is controlled per person from one place, data is backed up automatically, updates are managed centrally, and every action leaves an audit trail so you can see what happened if something goes wrong. You are defending one well-built house rather than a scattering of unlocked sheds. Consolidating how your business operates is not only about efficiency; it quietly removes most of the surface an attacker would otherwise exploit.

How Upeosoft helps

Upeosoft builds Kenyan businesses on ERPNext and Frappe with security and access control designed in, so protecting your business is part of how the system works rather than a scramble of add-ons. Each person gets an individual login with role-based access, data is backed up automatically, and a complete audit trail records who did what.

We help you consolidate scattered spreadsheets and apps into one system that is genuinely defensible, and we build with the Kenya Data Protection Act in mind so that protecting customer data supports your compliance rather than fighting it. You do not need to become a security expert. You need the basics enforced by the system your business runs on. If that is not the case today, talk to us about getting there.

Frequently asked questions

Do I need to be technical to handle cybersecurity as a leader?

No. Your job is not to configure firewalls, it is to make sure the basics are in place and taken seriously across the business. The most damaging breaches come from weak passwords, staff clicking bad links and missing backups, not from elite hacking. Those are leadership and culture issues you can own without writing a line of code.

What is two-factor authentication and why does it matter so much?

Two-factor authentication, or 2FA, requires a second proof of identity beyond your password, usually a code from your phone. It matters because even if a password is stolen or guessed, the attacker still cannot get in without that second factor. It is free, quick to enable on email, banking and business systems, and stops the large majority of account takeovers.

What is phishing and how do we protect against it?

Phishing is a fake message, an email, SMS or WhatsApp, designed to trick someone into revealing a password, sending money or clicking a malicious link. Protection is mostly human: train staff to slow down, distrust urgency, verify unusual requests through a second channel, and never enter credentials from a link. Combined with 2FA, awareness stops most attacks.

What does the Kenya Data Protection Act require of my business?

The Act governs how you collect, store, use and share personal data about customers and staff. In broad terms it requires you to protect that data, use it only for legitimate purposes, keep it secure, and respect people's rights over their own data. Holding customer data carelessly is now a legal risk, not just a reputational one. Treat security as compliance too.

What is the most common cause of a small business breach?

Human error and weak basics: a reused password, a staff member fooled by a phishing message, an unpatched system, a shared login nobody can trace, or a device with no lock. Attackers rarely need to be clever when the front door is open. This is good news, because it means basic discipline prevents most incidents.

Karani Geoffrey
Karani Geoffrey
Founder & CEO, Upeosoft

Karani Geoffrey is the Founder & CEO of Upeosoft, a software and automation company rooted in Kenya. He builds custom software, AI systems, and production-grade ERPNext for businesses across East Africa, and writes about the Kenyan realities - eTIMS, M-Pesa, SHIF, unreliable internet and power - that make or break real systems.

Next step

Want this working in your business?

Upeosoft builds and hardens the systems behind this article - for real Kenyan operations, with eTIMS, M-Pesa and offline realities handled.

Keep reading

Risk, Continuity and Governance

Insuring Your Business: What Founders Often Overlook

Insurance is only as good as the fit of your cover and the strength of your records. Here is what founders routinely overlook, and why a claim so often turns on the paperwork you kept before disaster struck.

8 min readRead article →
Risk, Continuity and Governance

What Happens to Your Business If You Lose Your Phone or Laptop?

A lost phone or laptop is only a disaster if your business lives inside that device. Here is what actually happens, and how to make a lost device a nuisance instead of a crisis.

8 min readRead article →
Risk, Continuity and Governance

Business Continuity: Preparing for Disruptions You Can't Predict

You cannot forecast the fire, the flood or the sudden absence, but you can decide in advance how your business survives one. Business continuity is that decision, made while things are calm.

7 min readRead article →