Better to be Resilient than Overreact to Cyber Threats

Oct 31, 2020
By Bashir Semakula

The threat of cyberattacks on institutions grows by the day. Financial organisations should therefore take effective measures to ensure cyber resilience, instead of merely responding to attacks after the fact, writes Bashir Semakula, a cyber security expert based in Australia.

Cyberattacks are growing in frequency and sophistication, and many organisations across the world are struggling to keep up. Right here in Africa, financial organisations are being targeted. The most recent reported attacks allegedly affected major banks in Uganda and Nigeria, namely Stanbic Bank and the Central Bank of Nigeria, respectively.

These attacks reinforce the findings of a survey titled "Banking Fraud in Sub-Saharan Africa" by the Morocco-based information security firm Dataprotect, which found that more than 85pc of the 148 banks examined had fallen victim to at least one cyberattack resulting in financial loss. The survey also found that banks are vulnerable to such attacks because of unqualified staff and a lack of investment in cybersecurity.

As the threat landscape changes and banks explore emerging technologies to provide innovative products and services, these cyberattacks will only increase.

Financial organisations must take effective measures to ensure cyber resilience. Taken holistically, these measures can improve efficiency and effectiveness, enable innovation, support digital transformation and business strategy and, most importantly, enhance cyber resilience.

Perhaps the most consequential of these measures is establishing effective governance structures. It is critical to recognise that managing cyber risk is a leadership issue, not a technology one.

“Being resilient requires those at the highest levels of a company, organisation or government to recognise the importance of avoiding and proactively mitigating risks,” a 2017 World Economic Forum report, "Advancing Cyber Resilience: Principles and Tools for Boards," affirmed. “While it is everyone’s responsibility to cooperate in order to ensure greater cyber resilience, leaders that set the strategy for an organisation are ultimately responsible, and have increasingly been held accountable for including cyber resilience in organisational strategy.”

Cyberattacks can disrupt business operations, erode customer confidence and attract regulatory fines. The resulting reputational damage ultimately affects the bottom line of the business. Executive leadership must therefore maintain oversight of cyber resilience activities in order to achieve strategic objectives.

Since the board is ultimately responsible for oversight of cyber risk and resilience, it must define and quantify a risk tolerance consistent with business strategy. To oversee cyber risk management, the board should establish a cyber risk committee comprised of senior business, technology and risk leaders.

A chief information security officer with access to the board and sufficient authority should chair this committee and report regularly to the board using business-aligned, relevant cyber metrics. The organisation should also establish an operational governance committee to oversee the implementation of cybersecurity controls and to report to the cyber risk committee.

Another critical matter is developing and implementing high-value cyber resilience strategies.

A hacking team associated with North Korea, referred to as the BeagleBoyz, has resumed targeting banks in multiple countries, including nine in Africa, to initiate fraudulent international money transfers and ATM cash-outs through remote access, according to US government agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

The BeagleBoyz have been responsible for sophisticated cyber-enabled bank robberies since 2015 and, most famously, stole 81 million dollars from Bangladesh Bank in 2016.

Cyber criminals have different motivations. The BeagleBoyz appear to be financially motivated, whereas the reported attack on Nigeria's central bank by the Anonymous hacking group could be hacktivism, that is, a socially or politically motivated action, although the bank denied that the attack happened.

To maintain resilience against a variety of cyber threats, executive leadership must ensure a continued focus on the most critical information assets, those whose compromise could adversely affect business operations and reputation. To develop high-value strategies, banks must take a risk-based approach to cyber resilience and ensure that cyber investments are allocated to the initiatives that deliver the greatest benefit to cyber resilience.

It is just as necessary to manage supplier risk, because as organisations pursue efficiency and effectiveness they rely increasingly on third parties and business partners to deliver services. A 2018 study by Opus and the Ponemon Institute, "Data Risk in the Third-Party Ecosystem," which surveyed a thousand chief information security officers and other security and risk professionals, found that 59pc of companies had experienced a data breach caused by a third party, and that more than 75pc of organisations believed third-party cyber incidents were increasing.

Although outsourcing has great benefits, it also introduces cyber risk to an organisation: it means the organisation's information assets will be stored, processed or transmitted by a third party. That risk exposure must be identified, prioritised and managed.

To manage this risk effectively, banks must assess the security controls of suppliers during onboarding, classify suppliers by their criticality to the business, and identify the threats associated with each supplier. Designing a risk-based cyber assurance programme for suppliers and business partners fosters agility and allows innovation to thrive.

Security must also be enforced by design. Emerging technologies prompt organisations to assess their viability and how they can be used to innovate and adapt products and services. Technologies such as cloud computing and the Internet of Things bring both great opportunities and cyber risk, and if that risk is not managed effectively it can undermine the gains of innovation.

These technologies raise data privacy issues and are frequently insecure by default, because many services prioritise functionality over security. As a result, the number of cyber incidents associated with new technologies is increasing. Indeed, a fifth of the breaches investigated occurred in cloud environments, according to a 2020 report by Trustwave, a security services provider.

For organisations to adapt their products and services, they must experiment with emerging technologies. Executive leadership must ensure that security requirements are considered early in the design phase, and effective governance structures must be embedded in innovation programmes to manage the risk exposure and ensure that appropriate security controls are implemented in these products before they are rolled out to customers.

But perhaps the most consistent factor in major cybersecurity incidents across the world is the human factor: frontline personnel, call centre staff, system administrators and senior executives. Having the latest cybersecurity tools alone cannot guarantee cyber resilience.

“Major sources of cyber threats are not technological. They are found in the human brain in the form of curiosity, ignorance, apathy and hubris,” stated a Harvard Business Review article, "The Best Cybersecurity Investment You Can Make Is Better Training."

Cyber attackers are aware of this and, through various scams and tactics, can bring multimillion-dollar organisations to their knees.

A cyber-aware workforce is critical to the success of any cyber resilience strategy. Executive leadership and sponsorship are required to achieve and maintain this cultural shift through cyber awareness programmes. Executive leadership must also demonstrate an unwavering commitment to cybersecurity by consistently communicating its importance.

What all of this points to is that as cyberattacks become more sophisticated and persistent, organisations need to shift priority from cybersecurity to cyber resilience.

“Nature was designed with the recognition that things can and inevitably will go wrong,” a report by Accenture, a professional services company, ‘The Nature of Effective Defense: Shifting from Cybersecurity to Cyber Resilience’ stated. “That’s equally true of security incidents. There’s no question that they will occur.”

Organisations must prepare to minimise the impact of incidents as it is impossible to predict when they will occur.

As executive leadership sets the mission and defines strategy, it is best placed to determine how cyber incidents will affect the organisation. Executive leadership must drive the cultural shift from cybersecurity to cyber resilience and champion its importance throughout the entire organisation.

A cyber-resilient organisation must continuously focus on its most critical assets, enforce a security-by-design approach throughout its digital transformation programmes, prioritise and manage third-party risk, and set the cyber resilience tone at the top.

Organisations need to stop reacting, start prioritising and become cyber resilient.

PUBLISHED ON Oct 31, 2020 [VOL 21, NO 1070]

Bashir Semakula is a cyber security expert based in Australia.
