Five years ago, the threat model for a 200-person Kenyan manufacturer or distributor was relatively simple: phishing, business email compromise, and the occasional opportunistic ransomware hit. Today, it looks nothing like that. And most mid-market firms haven't updated their controls to match.
Ransomware-as-a-service has created an industrialised attack economy in which a criminal with no technical skill can licence a ransomware toolkit, target a specific firm, and receive operational support through the attack. The minimum viable attacker has changed — and so has the minimum viable defence.
What's actually new
Three shifts stand out from the incidents we've responded to and advised on in the last 18 months across the East African market.
Double extortion is now standard. Attackers no longer simply encrypt your data and demand ransom to decrypt it. They exfiltrate the data first, then encrypt it. The threat is now: pay or we publish your customer records, financial data, and supplier contracts. This changes the calculus entirely for firms that might otherwise have said "we have backups, we can recover."
Initial access is almost always a human, not a technical exploit. Our 2025 incident reviews found that 78% of successful breaches began with a credential compromise — a phished password, a reused credential from a data breach, or an account that was never deprovisioned when an employee left. The entry point is social, not technical.
Dwell time in East Africa is longer than global averages. In our incident reviews, attackers were present in target networks for an average of 47 days before triggering their payload. They spent that time understanding the network, locating backups, and disabling logging. This means that detection during the dwell period is the single highest-leverage defensive investment — not just prevention at the perimeter.
The controls that actually matter
The following five controls address the three shifts above. None of them are exotic. All of them are consistently absent from mid-market firms when we first engage.
- Multi-factor authentication on all externally accessible systems. Not just email — VPN, remote desktop, and any cloud management console. MFA alone prevents the majority of credential-compromise entry points.
- Privileged access workstations for administrative accounts. The domain administrator account should not be able to browse the web or receive email. These are different machines with different security profiles.
- Immutable, off-network backup with tested restore. "We have backups" is not a recovery strategy. "We have backups, they cannot be encrypted by ransomware, and we have tested restoring them in the last 60 days" is.
- Endpoint detection and response (EDR), not just antivirus. EDR detects behavioural anomalies during the dwell period — the lateral movement, the credential dumping, the reconnaissance — not just known malware signatures.
- Identity governance with quarterly access reviews. Former employees with active accounts are a systemic risk, not an edge case. In every firm we've assessed, we find at least a handful.
ISO 27001 certification and actual security posture are not the same thing. We've been engaged to respond to incidents at certified firms. Compliance frameworks are a floor, not a ceiling — and the floor was set before double extortion became standard. Build toward the floor, then keep going.
Where to start if you haven't
If your firm has not reviewed its threat model in the last 18 months, the first step is not to buy a product. It is to run a structured tabletop exercise with your leadership team: what would happen if we were hit tomorrow? Where do we not have visibility? What would we do in the first 24 hours?
The answers to those questions tell you where your actual gaps are. The controls above are almost always in the answer set — but the order of priority depends on your specific environment. A cloud-first firm has different exposure than one running on-premises servers. A firm with 200 staff in one office has different challenges than one with 20 people in five countries.
Based on incident responses and security assessments conducted across East Africa, 2024–2026. Figures are drawn from Arton's own engagement data and cross-referenced with regional threat intelligence sources.