October 31, 2020
By Bashir Semakula (email@example.com), a cyber security expert based in Australia.
The threat of cyberattacks on institutions grows by the day. Financial organisations should thus take effective measures to ensure cyber resilience, instead of just responding to cyber attacks, writes Bashir Semakula (firstname.lastname@example.org), a cyber security expert based in Australia.
Cyber attacks are growing in frequency and sophistication, and many organisations across the world are struggling to keep up. Right here in Africa, financial organisations are being targeted. The most recent attacks allegedly affected major banks in Uganda and Nigeria, Stanbic Bank and Central Bank of Nigeria, respectively.
These attacks reinforce the results of a survey titled "Banking Fraud in Sub-Saharan Africa," by the Morocco-based information security firm Dataprotect, which found that more than 85pc of 148 banks examined had fallen victim to at least one cyber attack resulting in losses. The survey also found that banks are vulnerable to these sorts of attacks due to unqualified staff and lack of investment in cybersecurity.
As the threat landscape changes and banks explore emerging technologies to provide innovative products and services, these cyberattacks will only increase.
Financial organisations must take effective measures to ensure cyber resilience. Taken holistically, there are efforts that can be used to improve efficiency and effectiveness, enable innovation, support digital transformation and business strategy and, most importantly, enhance cyber resilience.
Perhaps the most important of these measures is establishing efficient governance structures. Critical to consider is that managing cyber risk is a leadership issue, not a technology one.
“Being resilient requires those at the highest levels of a company, organisation or government to recognise the importance of avoiding and proactively mitigating risks,” a 2017 World Economic Forum report, "Advancing Cyber Resilience: Principles and Tools for Boards," affirmed. “While it is everyone’s responsibility to cooperate in order to ensure greater cyber resilience, leaders that set the strategy for an organisation are ultimately responsible, and have increasingly been held accountable for including cyber resilience in organisational strategy.”
Cyberattacks can disrupt business operations, affect customer confidence and may attract regulatory fines. This reputational damage will ultimately affect the bottom line of the business. Executive leadership must maintain oversight on cyber resilience activities to achieve strategic objectives.
Since the board is ultimately responsible for oversight of cyber risk and resilience, it must define and quantify risk tolerance consistent with business strategy. To oversee cyber risk management, the board must establish a cyber risk committee comprised of senior business, technology and risk leaders.
A chief information security officer with access to the board and sufficient authority must chair this committee and regularly report to the board using business-aligned and relevant cyber metrics. The organisation should also establish an operational governance committee to oversee the implementation of cybersecurity controls and report to the cyber risk committee.
Another critical matter is developing and implementing high-value cyber resilience strategies.
A hacking team associated with North Korea, referred to as BeagleBoyz, resumed targeting banks in multiple countries, including nine in Africa, to initiate fraudulent international money transfers and ATM cash outs through remote access, according to US government agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI).
The BeagleBoyz have been responsible for sophisticated cyber-enabled bank robberies since 2015 and most famously stole 81 million dollars from the Bank of Bangladesh in 2016.
Cyber criminals have different motivations for their activities. The BeagleBoyz seem financially motivated, while the attack on Nigeria's central bank by the anonymous hacking group could be hacktivism (socially or politically motivated), though the bank denied the attacks happened.
To maintain resilience against a variety of cyber threats, executive leadership must ensure continued focus on the most critical information assets whose compromise could adversely affect business operations and reputation. To develop high-value strategies, banks must take a risk-based approach to cyber resilience and ensure cyber investments are allocated to initiatives with the most significant benefit to cyber resilience.
It is just as necessary to manage supplier risk. This is because as organisations pursue efficiencies and effectiveness, they are increasingly relying on third parties and business partners to deliver services. Fifty-nine percent of companies had experienced a data breach caused by a third party, and more than 75pc of organisations believed that third-party cyber incidents were increasing, according to a 2018 study by Opus and Ponemon Institute, "Data Risk in the Third-Party Ecosystem," after surveying a thousand chief information security officers and other security and risk professionals.
Although outsourcing has great benefits, it also introduces cyber risk to an organisation. Outsourcing means the information assets will be stored, processed or transmitted by a third party. The risk exposure must be identified, prioritised and managed.
To manage this risk effectively, banks must assess the security controls of suppliers when onboarding, classify suppliers based on criticality to the business, and identify all possible threats associated with every particular supplier. Designing a risk-based cyber assurance programme for suppliers and business partners will foster agility and allow innovation to thrive.
Security must also be enforced by design. Organisations are prompted by emerging technologies to assess their viability and how they can be used to innovate and adapt their products and services. The use of technologies like cloud computing and the Internet of Things involves both great opportunities and cyber risk, and if not managed effectively, could undermine the gains of innovation.
These technologies have data privacy issues and are insecure by design as most services prioritise functionality over security. Due to this, the number of cyber incidents associated with new technologies is increasing. Indeed, a fifth of breaches investigated were in cloud environments, according to a 2020 report by Trustwave, a security services provider.
For organisations to adapt their products and services, they must experiment with emerging technologies. Executive leadership must ensure security requirements are considered early in the design phase, and effective governance structures must be embedded in innovation programmes to manage the risk exposure and ensure the appropriate security controls are implemented in these products before rollout to customers.
But perhaps the most consistent factor in all major cybersecurity incidents across the world is the human factor. These are frontline personnel, call centre staff, system administrators and senior executives. Having the latest cybersecurity tools alone cannot guarantee cyber resilience.
“Major sources of cyber threats are not technological. They are found in the human brain in the form of curiosity, ignorance, apathy and hubris,” stated a Harvard Business Review article, "The Best Cybersecurity Investment You Can Make Is Better Training."
Cyber attackers are aware of this fact and through various scams and tactics, can bring multimillion-dollar organisations to their knees.
A cyber-aware workforce is critical to the success of any cyber resilience strategy. Executive leadership and support are required to achieve and maintain the cultural shift through cyber awareness programmes. Executive leadership must also demonstrate an unwavering commitment to cybersecurity by consistently communicating the importance of cybersecurity.
What all of this points to is that as cyberattacks become more sophisticated and persistent, organisations need to shift priority from cybersecurity to cyber resilience.
“Nature was designed with the recognition that things can and inevitably will go wrong,” a report by Accenture, a professional services company, ‘The Nature of Effective Defense: Shifting from Cybersecurity to Cyber Resilience’ stated. “That’s equally true of security incidents. There’s no question that they will occur.”
Organisations must prepare to minimise the impact of incidents as it is impossible to predict when they will occur.
As executive leadership sets the mission and defines strategies, they are best placed to determine how cyber incidents will affect the organisation. Executive leadership must drive the cybersecurity to cyber resilience cultural shift and champion its importance throughout the entire organisation.
A cyber resilient organisation must continuously focus on the most critical assets, enforce a security-by-design approach throughout its digital transformation programmes, prioritise and manage third-party risk and set the cyber resilience tone at the top.
Organisations need to stop reacting, start prioritising and become cyber resilient.
PUBLISHED ON Oct 31,2020 [ VOL 21 , NO 1070]