Kenya’s prospects for stronger national cyber resilience now appear brighter following the National Assembly’s approval of the establishment of the National Cybersecurity Agency (NCSA). The autonomous agency is expected to coordinate cybersecurity initiatives in the country and safeguard the critical information infrastructure that supports government services and operations, economic activity, and national security.
Why Institutional Reform Alone Is Not Enough
Indeed, for a country of Kenya’s stature that is desperately pursuing its ambition to become a regional and global tech powerhouse, this move was long overdue and necessary. But is it sufficient?
If the government is to build a truly safe and secure cyberspace, it must invest not only in defending networks but also in building public trust and strengthening cyber awareness among the public.
We often view cybersecurity through the lens of technicalities and jargon such as servers, firewalls, government networks, and critical infrastructure. Yet one key lesson from countries with stronger cyber defences is that the weakest link in any digital ecosystem is not technology. Rather, it is people. Without public trust and cyber awareness, even the most sophisticated cybersecurity institutions will struggle to deliver a safe and secure cyberspace.
Cybersecurity and Public
Public trust is particularly important because citizens are increasingly being asked to share personal information, conduct transactions online, and rely on digital government services. However, this trust cannot be taken for granted.
For a long time, our government has had to contend with low public confidence in digital systems, aggravated by concerns over data privacy, allegations of data exposure, and justifiable anxieties about how citizens’ information is handled by both government and private-sector actors. These concerns have, in some instances, fuelled skepticism about the ability of our agencies and institutions to adequately protect personal data and respond effectively to cyber threats.
Also Read: Kenya Parliament Approves National Cybersecurity Agency to Boost Digital Security
For this reason, the government must now move beyond institutional reform alone and deliberately invest in public-facing cybersecurity measures that empower citizens to become active participants in digital security.
Estonia’s Blueprint: Building a Cyber-Conscious Society
On this front, Estonia offers valuable lessons. Frequently ranked among the world’s leading digital societies, Estonia has built one of the highest levels of digital trust globally. Estonians routinely use digital identity systems and interact with a highly digitised public service ecosystem with confidence. This trust was neither accidental nor instantaneous. It was deliberately cultivated over time.
Following major cyberattacks in 2007, the Baltic state recognised that cybersecurity was not solely a technical problem, but also a societal one. Since then, its cybersecurity strategy has increasingly emphasised public awareness, digital literacy, and shared responsibility.
Its current framework, Cyber-Conscious Estonia 2024–2030, clearly reflects this approach. It recognises that every citizen forms part of the country’s cyber defence. The strategy emphasises a shared understanding of threats, common situational awareness, and agreed responses to cyber risks.
The Estonian Information System Authority (RIA) also plays a central role in translating this strategy into practice. It coordinates annual nationwide awareness campaigns, workshops, social media engagement, and targeted educational initiatives. In addition, the country’s public awareness platform, itvaatlik.ee, provides practical guidance on safe online behaviour and is available in multiple languages to ensure easy accessibility. The platform also hosts interactive cyber tests that allow citizens to assess their ability to identify phishing attempts and secure their devices.
Importantly, Estonia does not treat its citizens as a homogeneous lot. Older adults receive targeted training, while schools introduce cybersecurity concepts early in the education system. In fact, children are taught to recognise online threats from primary school, moves that have helped the government to institutionalize cyber hygiene from an early age.
Adapting Estonian Success to Kenya’s Context
These approaches have strengthened both public trust in digital systems and citizens’ ability to navigate the cyberspace safely, and these are tangible lessons that we can adapt to local realities.
It is no secret that cybercrime is increasingly becoming part of everyday life for many Kenyans. While platforms such as eCitizen have significantly expanded access to government services, many citizens remain cautious, uninformed, or skeptical about digital platforms and about the government’s ability to protect their data and respond effectively to cyber threats.
Therefore, building trust becomes as important as building secure systems. For Kenya, this means moving beyond institutional reform alone and deliberately investing in public confidence, digital literacy, and behavioural cyber awareness. The NCSA presents a timely opportunity to lead this shift.
Also Read: SACCOs Warned of Cybersecurity Threats on ATMs, Mobile Money, and Pay-Bill Float
In collaboration with the National Computer and Cybercrimes Coordination Committee (NC4), the Communications Authority of Kenya (CAK), county governments, and other stakeholders, the agency could strengthen partnerships with schools, universities, our telecos, banks, civil society organisations, and digital content creators to roll out sustained and scalable national awareness campaigns.
Interactive online assessments – similar to Estonia’s annual cyber readiness surveys and tests for members of the public – could help Kenyans evaluate their own digital safety practices. Public education campaigns could also popularise simple yet essential everyday cyber hygiene habits such as keeping software and firmware up to date, using strong passwords, enabling multi-factor authentication, and exercising caution against phishing and online scams.
The Road Ahead: Creating a Cyber-Conscious Kenya
Of course, no system is foolproof. Even Estonia, despite its strong cyber defence architecture, continues to face the existing and emerging cyber threats. This challenge underscores the reality that even the digitally literate societies in the world remain vulnerable. The lesson is not that awareness programmes also fail, but that cyber education must continuously evolve alongside the existing and emerging threats. And this is only possible where there is a high level of public trust.
Ultimately, protecting critical infrastructure remains essential, but true cyber resilience depends on informed citizens who trust their country’s digital systems, understand the evolving risks, and practise everyday cyber hygiene.
The National Cybersecurity Agency (NCSA) is, therefore, a significant milestone in our digital journey. But the government’s success in this journey will not be measured only by how well it defends our systems. It will also be measured by whether it helps build a cyber-conscious society – one where wananchi trust digital services, confidently engage with online platforms, and are equipped to protect themselves in an increasingly evolving cyberspace.
This Article was written by Mugoi Onderi. He is a Public Communications Specialist and consultant at The Brand Experts Kenya.
Follow our WhatsApp Channel and X Account for real-time news updates.
