More aggression needed to tackle cybercrime – bankers
Bankers are of the view that financial institutions must become more aggressive in their fight against rising cybercrime in order to retain the confidence of clients.
“Banks must be aggressive enough in combating cybercrime and the authority or mandate must come from the board level, trickle down to management executives, and then to all staff in order to keep clients,” George Mensah, Group Chief Information Officer of Fidelity Group, said.
Speaking at the second annual cyber security breakfast forum organised by Digital Jewels, an IT Governance, Risk and Compliance (GRC) firm with a focus on Information Security & IT Governance, Mr. Mensah noted that the agenda of financial institutions against cybercrime should be how to prepare, detect, resolve and maintain integrity in case of an attack.
“We are not aggressive enough; we need more focus, more attention, more budgetary allocation and improve on the way we do things and the way we see this threat. If you do not recognise that you have a threat, nothing will move you to guard against it. There should be a continual aggression because it is with us and we cannot run away from it,” he added.
The forum, which featured a cross section of executives from the banking, telecoms and other sectors of the economy, focused on the increasing activities of electronic fraudsters and how organizations can build resilience against such attacks on the financial system by implementing security standards like the Payment Card Industry Data Security Standard (PCI DSS) and ISO27001, a specification for an information security management system.
Kolawole Ajimoko, Executive Director of Risk at Access Bank, who stopped short of using the word aggression to describe how banks should tackle cyber attacks, urged banks to be proactive, monitor what is going on, continuously review their processes and then take their defence to higher levels.
“Banks have to be a step ahead of the attackers because if the attacker is ahead, then you will be defeated. Even though you think you have done everything, if you are attacked, once your response is swift, then your customers will not suffer. Any organisation can be attacked and in recent times, some of the best organisations have been attacked,” he said.
Chief Executive Officer of Digital Jewels, Adedoyin Odunfa, in her presentation, noted that the spate and reach of attacks are increasing at an alarming rate. She called for institutions to embrace the global standards that ensure basic security and management of client transactional information and data, and that guard against ransomware.
Two of these standards, ISO27001 and the Payment Card Industry Data Security Standard (PCI DSS), according to her, can help protect systems against basic attacks such as email fraud, phishing and others.
Speaking on the topic ‘Cyber Resilience: Thought Generators’, Ms. Odunfa explained that a cyber resilient institution is one that has the capacity to withstand attacks or failures – intentional or otherwise – and, in such events, to re-establish itself quickly in operational mode.
She added that the benefits of becoming a cyber resilient institution are immense. “More secure processes and systems, strong controls with a strong control environment, a solid risk culture, and a digitised and automated process.”
Gilbert Addy, Deputy Chief Manager of IT at the Bank of Ghana, noted that the Central Bank is preparing to put in place a 24-hour system for monitoring banking transactions for irregular log-ins.
“The main thing we will be putting in place is what we call the Cyber Incident Event Monitoring System (CEMS), which will be able to pick logs from various sectors because humans have difficulties in picking logs, especially for big banks that generate so many logs. The CEMS will remotely check irregular patterns and this makes monitoring and taking action easier,” he said.
Mr. Addy urged banks to commit resources to fighting cybercrime, adding that the BoG will soon introduce new regulations that will make it mandatory for all players in the financial industry to be certified in ISO27001 and PCI DSS.
2017 has seen an increase in cyber attacks around the globe. In March, the website of GN Bank, a local bank, was reportedly hacked by a Philippines hacker identified as Cybermoon. The website reportedly displayed “Magician Hacktivist Philippines, Hacked by Cybermoon” and played the Barbie Girl theme song. This attack prompted the bank to quickly assure clients that no accounts were affected.
In May, the WannaCry ransomware worm, which targets the Microsoft Windows operating system, infected more than 230,000 computers in 150 countries, with the software demanding, in 28 languages, ransom payments in the cryptocurrency bitcoin. It shut down big hospitals and organizations.