Resources & Insights

Cybersecurity Knowledge Built for Africa.

Guides, blog posts, awareness materials, and practical tools — all grounded in the African regulatory environment and designed to help your organisation make informed security decisions.

Featured Article
DPA Compliance Checklist
01 ODPC Registration
02 Data Mapping & ROPA
03 Privacy Impact Assessment
04 Data Retention Policies
05 Staff Training Programme
06 Breach Response Plan
Security Awareness · Threat Intel
The Rise of M-Pesa Phishing: How Kenyan Businesses Can Protect Their Staff
Cybercriminals are targeting Kenyan employees with highly convincing M-Pesa, KRA, and HELB phishing attacks. Here's how to recognise them and what your security awareness programme must include to protect against them.
April 2025 · 8 min read
GRC · ISO 27001
ISO 27001:2022 for East African Businesses: What Changed and What You Must Do Now
The 2022 revision introduced significant changes to Annex A — reducing from 114 to 93 controls across four new themes. This guide explains what's different and how East African organisations can adapt their existing ISMS to the new standard.
March 2025 · 10 min read
Security Consulting · Leadership
Do You Need a CISO? Why African SMEs Are Choosing the vCISO Model
A full-time CISO costs KES 4–8 million annually. A virtual CISO delivers the same strategic security leadership at a fraction of the cost — with flexibility that growing African businesses actually need. Here's how to decide.
February 2025 · 7 min read
Threat Intelligence · Incident Response
Ransomware in East Africa: 2024 Threat Report and What Businesses Must Do
Ransomware attacks against Kenyan and East African businesses increased 74% in 2024. This report covers the most active threat actors targeting African organisations, their tactics, and the specific defences that stop them.
January 2025 · 12 min read
Kenya DPA · GDPR · Compliance
Kenya DPA vs GDPR: Key Similarities, Critical Differences, and How to Comply with Both
Kenya's Data Protection Act was modelled on GDPR — but there are important differences that organisations operating in both jurisdictions must understand. This comparison guide helps you achieve both frameworks efficiently and avoid costly compliance gaps.
December 2024 · 9 min read
Security Awareness · Culture
Building a Security Culture in African Organisations: Beyond the Annual Training Session
One annual cybersecurity training session does not create a security culture. This guide outlines the 12-month behaviour change programme approach that reduces phishing click rates by 89% on average — and how to sell it to your CEO.
November 2024 · 11 min read
Awareness Materials

Free Security Awareness Resources for Your Team.

Download and deploy these resources directly into your organisation — designed for the African business context, available in English and Swahili.

POSTER · PDF
Phishing Red Flags Poster
A4 poster highlighting the top 8 warning signs of phishing emails — with Africa-specific examples including fake M-Pesa and KRA notifications. Available in English and Swahili.
CHECKLIST · PDF
Kenya DPA Quick Compliance Checklist
A practical one-page checklist covering the 12 most critical Kenya DPA requirements — designed for compliance managers to quickly assess their organisation's readiness.
INFOGRAPHIC · PDF
Password Security Infographic
A visual guide to creating strong passwords and using password managers safely — designed for staff who are not technically minded. Includes mobile-friendly tips for African business users.
POLICY TEMPLATE · DOCX
Acceptable Use Policy Template
A Kenya DPA-aligned Acceptable Use Policy template covering email, internet, device use, and social media. Includes guidance notes for customisation to your organisation's specific context.
GUIDE · PDF
Remote Working Security Guide
A practical guide for employees working from home or in hybrid environments — covering VPN use, home Wi-Fi security, video conferencing best practices, and data handling on personal devices.
ROADMAP · PDF
ISO 27001 Readiness Roadmap
A 12-month visual roadmap for achieving ISO 27001 certification — covering all key phases from gap analysis to certification audit, with milestone indicators and resource planning guidance.
Compliance Guides

In-Depth Guides for Compliance Decision-Makers.

Comprehensive written guides produced by SecureZaidi's compliance specialists — covering the frameworks and challenges most relevant to African businesses.

Glossary

Cybersecurity Terms Explained Simply.

A plain-language glossary of key cybersecurity and compliance terms — useful for non-technical stakeholders, board members, and anyone new to the field.

ODPC
The Office of the Data Protection Commissioner — Kenya's regulatory authority responsible for enforcing the Data Protection Act 2019, handling complaints, conducting investigations, and imposing penalties on non-compliant organisations.
Kenya DPA
The Kenya Data Protection Act 2019 — legislation that establishes the rights of individuals over their personal data and the obligations of organisations that collect and process it. Modelled closely on the EU GDPR.
Data Controller
An entity that determines the purposes and means of processing personal data. Under Kenya DPA, data controllers must register with the ODPC and are responsible for ensuring compliance with the Act's requirements.
Data Processor
An entity that processes personal data on behalf of a data controller — such as a cloud provider, payroll system, or marketing agency. Processors must also register with the ODPC and comply with the DPA.
Phishing
A cyberattack method where criminals send fraudulent emails, SMS messages, or WhatsApp messages impersonating trusted organisations (M-Pesa, KRA, HELB, banks) to trick recipients into revealing credentials or sensitive information.
Ransomware
Malicious software that encrypts an organisation's files and demands a ransom payment for the decryption key. Ransomware attacks against African businesses increased 74% in 2024 and can result in weeks of operational disruption.
ISO 27001
The international standard for Information Security Management Systems (ISMS). Organisations that achieve certification have demonstrated to an independent auditor that they have implemented systematic controls to protect information security.
GRC
Governance, Risk and Compliance — an integrated approach to managing an organisation's governance framework, risk posture, and regulatory compliance obligations. A mature GRC programme gives leadership real-time visibility into security and compliance status.
vCISO
Virtual Chief Information Security Officer — a senior cybersecurity executive hired on a part-time or fractional basis rather than as a full-time employee. Provides strategic security leadership at a fraction of the cost of a full-time CISO hire.
Penetration Testing
An authorised simulated cyberattack against an organisation's systems, networks, or applications — designed to identify exploitable vulnerabilities before real attackers find them. Also known as "pen testing" or "ethical hacking."
DPIA / PIA
Data Protection Impact Assessment (also called Privacy Impact Assessment) — a process required under Kenya DPA and GDPR for assessing the privacy risks of new systems, processes, or significant changes to data processing activities.
NIST CSF
The NIST Cybersecurity Framework — a voluntary framework developed by the US National Institute of Standards and Technology that provides guidance on managing and reducing cybersecurity risk, organised around six core functions: Govern, Identify, Protect, Detect, Respond, Recover.
Multi-Factor Authentication (MFA)
A security method requiring users to provide two or more verification factors before accessing a system — typically a password plus a one-time code sent by SMS or generated by an authenticator app. MFA blocks over 99% of automated account compromise attacks.
Encryption
The process of converting data into an unreadable format using a cryptographic key — ensuring that even if data is intercepted or stolen, it cannot be read without the decryption key. Required for sensitive personal data under Kenya DPA.
Incident Response (IR)
The organised approach an organisation takes when it detects or suspects a cybersecurity breach — covering detection, containment, investigation, recovery, and lessons learned. Under Kenya DPA, data breaches must be reported to the ODPC within 72 hours.
Zero Trust
A security architecture principle that assumes no user, device, or network should be automatically trusted — even inside the organisation's perimeter. Every access request is verified, authorised, and logged regardless of where it originates.
SOC
Security Operations Centre — a team and facility responsible for continuously monitoring an organisation's IT infrastructure for cybersecurity threats, detecting incidents, and coordinating response activities 24 hours a day, 7 days a week.
Vulnerability Assessment
A systematic review of security weaknesses in an organisation's information systems — identifying, classifying, and prioritising vulnerabilities so they can be remediated before attackers exploit them.