October 31 , 2020
By Bashir Semakula (email@example.com), a cyber security expert based in Australia.
The threat of cyberattacks on institutions grows by the day. Financial organisations should thus take effective measures to ensure cyber resilience, instead of just responding to cyber attacks, writes Bashir Semakula (firstname.lastname@example.org), a cyber security expert based in Australia.
Cyber attacks are growing in frequency and sophistication, and many organisations across the world are struggling to keep up. Right here in Africa, financial organisations are being targeted. The most recent attacks allegedly affected major banks in Uganda and Nigeria, Stanbic Bank and Central Bank of Nigeria, respectively.
These attacks reinforce the results of a survey titled "Banking Fraud in Sub-Saharan Africa," by the Morocco-based information security firm Dataprotect, which found that more than 85pc of 148 banks examined had fallen victim to at least one cyber attack resulting in losses. The survey also found that banks are vulnerable to these sorts of attacks due to unqualified staff and lack of investment in cybersecurity.
As the threat landscape changes and banks explore emerging technologies to provide innovative products and services, these cyberattacks will only increase.
Financial organisations must take effective measures to ensure cyber resilience. Taken holistically, there are efforts that can be used to improve efficiency and effectiveness, enable innovation, support digital transformation and business strategy and, most importantly, enhance cyber resilience.
Perhaps the most critical of these measures is establishing efficient governance structures. Critical to consider is that managing cyber risk is a leadership issue, not a technology one.
“Being resilient requires those at the highest levels of a company, organisation or government to recognise the importance of avoiding and proactively mitigating risks,” a 2017 World Economic Forum report, "Advancing Cyber Resilience: Principles and Tools for Boards," affirmed. “While it is everyone’s responsibility to cooperate in order to ensure greater cyber resilience, leaders that set the strategy for an organisation are ultimately responsible, and have increasingly been held accountable for including cyber resilience in organisational strategy.”
Cyberattacks can disrupt business operations, affect customer confidence and may attract regulatory fines. This reputational damage will ultimately affect the bottom line of the business. Executive leadership must maintain oversight on cyber resilience activities to achieve strategic objectives.
Since the board is ultimately responsible for oversight of cyber risk and resilience, it must define and quantify risk tolerance consistent with business strategy. To oversee the cyber risk management, the board must establish a cyber risk committee comprised of senior business, technology and risk leaders.
A chief information security officer with access to the board and sufficient authority must chair this committee and regularly report to the board using business-aligned and relevant cyber metrics. The organisation should also establish an operational governance committee to oversee the implementation of cybersecurity controls and report to the cyber risk committee.
Another critical matter is developing and implementing high-value cyber resilience strategies.
A hacking team associated with North Korea, referred to as BeagleBoyz, resumed targeting banks in multiple countries, including nine in Africa, to initiate fraudulent international money transfers and ATM cash outs through remote access, according to US government agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
The BeagleBoyz have been responsible for sophisticated cyber-enabled bank robberies since 2015 and most famously stole 81 million dollars from the Bank of Bangladesh in 2016.
Cyber criminals have different motivations for their activities. The BeagleBoyz seem financially motivated, while the attack on Nigeria's central bank by the anonymous hacking group could be hacktivism, a socially or politically motivated act, though the bank denied the attacks happened.
To maintain resilience against a variety of cyber threats, executive leadership must ensure continued focus on the most critical information assets whose compromise could adversely affect business operations and reputation. To develop high-value strategies, banks must take a risk-based approach to cyber resilience and ensure cyber investments are allocated to initiatives with the most significant benefit to cyber resilience.
It is just as necessary to manage supplier risk. This is because as organisations pursue efficiencies and effectiveness, they are increasingly relying on third parties and business partners to deliver services. Fifty-nine percent of companies had experienced a data breach caused by a third party, and more than 75pc of organisations believed that third-party cyber incidents were increasing, according to a 2018 study by Opus and Ponemon Institute, "Data Risk in the Third-Party Ecosystem," after surveying a thousand chief information security officers and other security and risk professionals.
Although outsourcing has great benefits, it also introduces cyber risk to an organisation. Outsourcing means the information assets will be stored, processed or transmitted by a third party. The risk exposure must be identified, prioritised and managed.
To manage this risk effectively, banks must assess the security controls of suppliers when onboarding, classify suppliers based on criticality to the business, and identify all possible threats associated with every particular supplier. Designing a risk-based cyber assurance programme for suppliers and business partners will foster agility and allow innovation to thrive.
Security must also be enforced by design. Organisations are prompted by emerging technologies to assess their viability and how they can be used to innovate and adapt their products and services. The use of technologies like cloud computing and the Internet of Things involves both great opportunities and cyber risk, and if not managed effectively, could undermine the gains of innovation.
These technologies have data privacy issues and are insecure by design as most services prioritise functionality over security. Due to this, the number of cyber incidents associated with new technologies is increasing. Indeed, a fifth of breaches investigated were in cloud environments, according to a 2020 report by Trustwave, a security services provider.
For organisations to adapt their products and services, they must experiment with emerging technologies. Executive leadership must ensure security requirements are considered early in the design phase, and effective governance structures must be embedded in innovation programmes to manage the risk exposure and ensure the appropriate security controls are implemented in these products before roll out to customers.
But perhaps the most consistent factor in all major cybersecurity incidents across the world is the human factor. These are frontline personnel, call centre staff, system administrators and senior executives. Having the latest cybersecurity tools alone cannot guarantee cyber resilience.
“Major sources of cyber threats are not technological. They are found in the human brain in the form of curiosity, ignorance, apathy and hubris,” stated a Harvard Business Review article, "The Best Cybersecurity Investment You Can Make Is Better Training."
Cyber attackers are aware of this fact and through various scams and tactics, can bring multimillion-dollar organisations to their knees.
A cyber-aware workforce is critical to the success of any cyber resilience strategy. Executive leadership and support are required to achieve and maintain the cultural shift through cyber awareness programmes. Executive leadership must also demonstrate an unwavering commitment to cybersecurity by consistently communicating the importance of cybersecurity.
What all of this points to is that as cyberattacks become more sophisticated and persistent, organisations need to shift priority from cybersecurity to cyber resilience.
“Nature was designed with the recognition that things can and inevitably will go wrong,” stated a report by Accenture, a professional services company, "The Nature of Effective Defense: Shifting from Cybersecurity to Cyber Resilience." “That’s equally true of security incidents. There’s no question that they will occur.”
Organisations must prepare to minimise the impact of incidents as it is impossible to predict when they will occur.
As executive leadership sets the mission and defines strategies, they are best placed to determine how cyber incidents will affect the organisation. Executive leadership must drive the cultural shift from cybersecurity to cyber resilience and champion its importance throughout the entire organisation.
A cyber resilient organisation must continuously focus on the most critical assets, enforce a security-by-design approach throughout its digital transformation programmes, prioritise and manage third-party risk and set the cyber resilience tone at the top.
Organisations need to stop reacting, start prioritising and become cyber resilient.
PUBLISHED ON Oct 31,2020 [ VOL 21 , NO 1070]