The Story Behind the Signal
Two Francophone founders - operating across two countries, from scratch - are quietly building Sikili, a business that trades in refurbished, second-hand iPhones across West Africa. Reported by TechCabal, Sikili is being positioned as more than a commerce play. It is described as an early model for what a West African circular economy could look like: affordable smartphones, reduced e-waste, and wider digital access for consumers who cannot afford new devices.
It is a genuinely compelling story. But for Chief Information Security Officers, IT Directors, and risk managers in Kenya, Somalia, Ethiopia, and across the Horn of Africa, it carries a warning that deserves immediate attention.
The Threat to East African Organizations
The rise of the circular device economy in Africa is accelerating. As models like Sikili gain traction in West Africa, equivalent informal and semi-formal markets for second-hand smartphones and laptops are already well established in Nairobi's CBD, Mogadishu's Bakara Market, and Addis Ababa's Mercato. The business model is expanding. The security posture around it is not.
The core risk is straightforward: a refurbished device is only as clean as the process used to wipe it. When employees, government officials, or contractors purchase second-hand devices through informal channels and connect them to organizational networks, they may be introducing:
- Pre-installed malware or stalkerware that survives basic factory resets on older iOS and Android builds
- Residual MDM (Mobile Device Management) profiles from previous corporate owners, creating invisible remote access backdoors
- Outdated firmware that cannot be patched to current security standards, leaving known CVEs permanently unresolved on your network
- Compromised Apple IDs or Google accounts still linked to previous users, enabling unauthorized iCloud or Google Drive synchronization of sensitive files
- IMEI-flagged devices that may trigger regulatory flags under CBK, Bank of Tanzania, or National Bank of Ethiopia device registration frameworks
Impact Assessment for East African Sectors
Banking and Financial Services
Kenya's banking sector processes billions of shillings daily through mobile and digital channels. A compromised device used by a relationship manager, teller, or remote branch officer represents a direct path to credential theft, fraudulent M-Pesa or SWIFT transactions, and PCI-DSS non-compliance. The CBK Prudential Guidelines on Cybersecurity require financial institutions to maintain visibility over all endpoint devices. A second-hand iPhone purchased outside formal procurement channels is, by definition, outside that visibility.
Government and GovTech
Somalia's federal government institutions, Ethiopia's expanding e-government platforms, and Kenya's Huduma Centre network all increasingly rely on mobile devices for service delivery. Unvetted devices entering government networks are a documented attack vector for nation-state actors and ransomware groups targeting public sector data. The Kenya Data Protection Act 2019 places the burden of data security on the data controller - not the device seller.
Critical Infrastructure and Power
Operational technology (OT) environments in East African power utilities and telecoms are increasingly managed via mobile interfaces. A second-hand device with a residual MDM profile or persistent RAT connecting to a SCADA-adjacent network is not a theoretical risk. It is a documented attack pattern seen in multiple African utility breaches in 2024 and 2025.
Immediate Actions for Your Organization
- Audit your BYOD and procurement policy today. If your policy does not explicitly prohibit or control the use of refurbished devices purchased outside approved vendors, it needs to be updated before the end of this quarter.
- Deploy Mobile Device Management (MDM) enrollment as a condition of network access. No MDM enrollment, no Wi-Fi, no VPN, no access to organizational systems - full stop.
- Run a device inventory sweep. Identify every mobile device currently accessing your email, ERP, or banking systems. Flag any device not procured through your formal IT supply chain for immediate security review.
- Brief your HR and procurement teams. The purchasing decision is made long before IT sees the device. Finance officers and HR managers approving personal device allowances need to understand the downstream risk.
- Test your endpoint detection coverage. Confirm that your EDR or SIEM solution logs and alerts on new device enrollments, especially outside business hours or from unexpected geographic locations.
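The inventory sweep and enrollment-alerting checks above can be prototyped against a log export before they are built into an MDM or SIEM rule. The following is an added example, not code from the original article or from DRONGO; the column names, serial numbers, business-hours window and expected-country list are constructed assumptions, and timestamps are assumed to be in local time.

```python
import csv
import io
from datetime import datetime

# Constructed sample: serials procured through the formal IT supply chain.
PROCURED_SERIALS = {"F2LXK0AAA001", "F2LXK0AAA002"}
EXPECTED_COUNTRIES = {"KE", "SO", "ET"}  # assumption: where staff normally work
BUSINESS_HOURS = range(8, 18)            # assumption: 08:00-17:59, Mon-Fri

# Constructed access/enrollment log export (hypothetical column names).
SAMPLE_LOG = """timestamp,user,serial,country,service
2025-03-03T10:15:00,amina,F2LXK0AAA001,KE,email
2025-03-03T23:40:00,brian,F2LXK0AAA002,KE,vpn
2025-03-04T09:05:00,chala,DNPZZ9ZZZ777,ET,erp
2025-03-04T02:12:00,dahir,C39QQ1QQQ555,NG,email
"""

def review_devices(log_text, procured=PROCURED_SERIALS):
    """Return {serial: [reasons]} for every device that needs a security review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        ts = datetime.fromisoformat(row["timestamp"])
        # Inventory sweep: device did not come through formal procurement.
        if row["serial"] not in procured:
            reasons.append("not in procurement register")
        # Enrollment alerting: activity at night or on a weekend.
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            reasons.append("outside business hours")
        # Enrollment alerting: activity from an unexpected location.
        if row["country"] not in EXPECTED_COUNTRIES:
            reasons.append("unexpected country")
        if reasons:
            findings.setdefault(row["serial"], set()).update(reasons)
    return {serial: sorted(r) for serial, r in findings.items()}

if __name__ == "__main__":
    for serial, reasons in review_devices(SAMPLE_LOG).items():
        print(f"{serial}: {', '.join(reasons)}")
```

Reasons accumulate per serial, so a device seen several times is reported once with every condition it has triggered.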
DRONGO Recommendation
DRONGO's endpoint security and MDM advisory practice works with East African banks, government agencies, and utilities to build device governance frameworks that reflect how people actually work in this region - including the reality of informal device markets. We help you enforce security without blocking productivity.