- Banks to appoint CISOs
- Seek regulator’s approval for cloud service
- Set-up cyber security sub-committee at board level
The Bank of Ghana’s Cyber and Information Security Directive, expected in the coming months, will mandate all banks to appoint a CISO with direct access to senior management, set-up a security sub-committee at the board level, and seek the regulator’s approval before signing up with any cloud service provider.
The stringent directives are in response to the growing threat inherent in the adoption of technology to meet the needs of increasingly sophisticated customers, and for Ghana-based banks to remain resilient to cyberthreats as they transact business with other banks globally.
A study by the African Union Commission, in partnership with Symantec in November 2016, found that Ghana is among the top-10 most attacked countries in Africa – behind Nigeria, Kenya, Tanzania and Uganda.
The study further reveals that there were more than 400,000 Malware incidents, 44 million Spam incidents, and 280,000 Bots incidents in Ghanaian institutions during 2016.
The Serianu Cyber Security Survey 2017 also found that the continent lost US$3.5billion to cyber-attacks in 2017 alone.
Mr. Djabanor Narh, Partner-Advisory Services, Ernst and Young (EY), at a cyber security seminar to update banks, telecommunication service providers and other IT-dependent institutions on how to effectively implement the impending BoG directives said: “There are a number of a new regulations coming up for the financial services sector, and it’s therefore important that financial institutions prepare themselves to respond to these regulations”.
A research by EY about cyber security systems of financial institutions in Ghana revealed that organisations are making it easy for the attackers.
“This is what we found for a bank in Ghana, within one day: Dark net – 1,356 credentials discovered (username and password); Website document data analysis – 67 email addresses identified and three (3) usernames discovered; 69 IP addresses of servers identified – 2 servers with insecure methods discovered; and 6 internal software discovered from the web,” EY said in a presentation.
He said: “Ghana is doing a lot, but because the issues are dynamic and they’re changing a lot it’s important that we hold ourselves in readiness. So, this is our contribution to help create awareness and support institutions to mitigate any of these cyber-threats”.
He added that financial institutions depend on telecommunication companies and third parties, and therefore if any of those third-party systems are weak they can also be exploited.
Mr. Narh was emphatic that the reason why most financial institutions are prone to cyber-attacks is the absence of awareness. “The situation is threatening because of lacking awareness, and that is really the issue. Technology is becoming very sophisticated. Because we gain access, a lot of us by CCTV cameras within organisations and at home – and a number of these CCTV cameras have access to the Internet – you can easily become exposed.”
The issue of cyber security is a global one with huge local consequences. He said almost every financial institution has some form of exposure on the World Wide Web.
“A lot of the new equipment – even from vehicles to overhead projectors that we buy – all have access to the Internet. So, you think of your traditional laptop as being the weakest point but now all these other devices also have weak points. So, it’s a threat – but once we can increase awareness and have the necessary projections in place we can protect ourselves.
“There isn’t one solution to the cyber security threats, but I would advise companies to get more of their board members to understand and appreciate that the issue of cyber security is not just a technology one because it is actually a business issue. When this is done, then we are on the way to protecting ourselves. Once the decision-makers become aware and don’t stay away saying that it might be too technical, then the chances of us being safe get higher,” he said.
He said Ernst and Young has made significant investments in cyberspace, both locally and globally, to meet the needs of banks and others. “Because we have a lot of clients in both the public and private sectors who experience these threats, we have invested a significant amount of resources to support the different sectors such as telecoms, financial services and the public sector. So, we’re sharing with the Ghanaian financial community these sorts of services.”
Mr. Djabanor Narh, Partner, Advisory Services, Ernst and Young (EY)