According to the Africa CyberSecurity Report 2017, the continent loses about US$3.5b annually through cyber-attacks. The report revealed that ninety percent (90%) of businesses in Africa are operating below what it describes as the cybersecurity poverty line (many companies, especially SMEs, lack the basic resources to assure them of the minimum security required).
In Ghana, the Cybercrime Unit of the Ghana Police Service recently revealed that the country lost about US$230 million between 2016 and August 2018 through cybercrime, of which the banking sector is the main target. Having recognised the real and persistent threats of cyber-attacks to the financial institutions it regulates, the Bank of Ghana in October 2018 issued the Cyber & Information Security Directive as a framework to ensure a secure environment within the cyberspace.
The 131-page Directive states in part: “All institutions supervised by the BoG shall be ISO 27001 certified and should adopt ISO 27032”. With emphasis, “all institutions supervised by the BoG shall be ISO 27001 certified and should adopt ISO 27032”. What is it about ISO 27001 or ISO 27032 so deserving of special attention? What are the main drivers and benefits making the requirement mandatory for the banks and the Specialised Deposit-Taking Institutions to implement it? Will there be implementation challenges? What are the cost implications?
This brief script attempts to discuss these issues with insights into ISO 27001 Global Reports. To note, ISO 27001 is one of many in the International Organization for Standardization’s (ISO) family of standards. It ‘specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system’ in an organisation. The ISO 27001 standard is generic and applicable to all organisations, regardless of type, size or nature.
The UK-based IT Governance, which has been at the forefront of cybersecurity and data protection in recent years, conducted research into the implementation of the ISO 27001 standard in many sectors including financial services. It sought responses from professionals around the world, including those in the UK, India, USA, Netherlands, Portugal and South Africa. The participants have either implemented ISO 27001, are in the process of implementing it, or intend to implement it to make them compliant. The separate findings culminated in the ISO 27001 Global Reports for the years 2016 and 2018 respectively, and revolved around the same issues which I strongly believe (will) come(s) into play in our situation in Ghana. What are those issues therein?
The Global Report (2016) established that 69% of the respondents identified improving their companies’ information security posture as the biggest driver for implementing ISO 27001. The same reason rose to 70% in the Global Report (2018). This, in effect, confirms the increasing need for resilient information management systems to secure business operations from cyber-attacks.
In Ghana, one of our banks in 2018 was able to avert a serious cyber-attack on its systems. Hence, players in the industry are aware of digital espionage and will embrace the drive to adopt ISO 27001. Apart from legal and regulatory compliance (nature of the industry requiring players to align with information security best practice), other reasons the participants gave for being ISO 27001 compliant include: it is required when tendering for new businesses and to gain competitive advantage.
In addition to the key drivers, the reports identified some of the benefits of adopting ISO 27001. These include the obvious reasons: it improves information security across an entire organization; it creates new business opportunities; and it improves a company’s image/reputation, its staff’s awareness of information security and the company’s competitiveness. Other benefits of ISO 27001 are: it helps companies to improve their internal processes, and reduce costs due to data breaches while retaining existing customers. But with new projects, the benefits do not come without initial hurdles.
The two reports also enumerated the main challenges companies faced or face when implementing the ISO 27001 standard. The 2018 report, for instance, revealed that 51% of the respondents cited obtaining employees’ support and raising their awareness as the topmost challenge when implementing the standard. This invariably confirms the assertion that employees are the biggest threat to cybersecurity in any company, and should buy into the new idea through intensive awareness activities for the implementation to succeed.
Other implementation challenges constituting the remaining 49% related to: understanding the requirements of the Standard; mobilising the ISO 27001 implementation team; identifying the required controls; developing the scope; and creating and managing the system’s documentation. The reports identified other challenges relating to: how to conduct information security risk assessment; reporting on and maintaining the system; having the right level of competence and expertise; how to obtain certification to the Standard and securing the required budget.
The Directive obliges management of the institutions to allocate all necessary resources for their cyber and information security framework and policies. Indeed, based on the experiences and the real upsurge in cyber-attacks, any back-of-the-envelope cost-benefit analysis will reveal that the benefits of implementing ISO 27001 far outweigh the project costs – but can companies enjoy those benefits if they are unable to implement it due to the costs?
Based on the reports, the participants’ experiences revealed that the average cost of implementing an ISO 27001-compliant ISMS (Information Security Management System) project a few years ago, excluding certification fees, was between US$6,500 and US$26,000. Some companies elsewhere spent between US$73,000 and US$145,000 excluding certification fees, while others spent over US$70,000 on pre-certification consulting alone. Cost variations depend on the company’s size and other factors, and may not necessarily be within these ranges.
While many banks can contain the costs within their budgets, some of our lower-tier financial institutions (Microfinance Institutions) will have a big challenge meeting the requirement due to funds. The Directive came at the time when some of them were unable to mobilise enough funds to recapitalise. Though there is flexibility in the ISO 27001 that increases the extent to which it can easily be adopted, the initial implementation cost cannot be ignored – unlike some of the other directives which have no direct or immediate cost implications.
What is more, we recognise that ISO 27001 is to be implemented or certified with the adoption of ISO 27032, which we also need to understand. ISO 27032 provides the cybersecurity guidelines. It covers the standard security practices for stakeholders in the Cyberspace. This Standard requires institutions adopting it to consider “an overview of Cybersecurity, an explanation of the relationship between Cybersecurity and other types of security (information security, network security, Internet security, and critical information infrastructure protection (CIIP))”.
ISO 27032 also provides for “a definition of stakeholders and a description of their roles in Cybersecurity; guidance for addressing common Cybersecurity issues; and a framework to enable stakeholders collaborate on resolving Cybersecurity issues”. With a deeper understanding of the Directive and the Standards, we can therefore say that the Directive is the central bank’s blueprint to show its commitment as a stakeholder required under ISO 27032 guidelines to mitigate Cybersecurity threats to the banking sector. Thank you for your time. God bless!
This script was written by a Chartered Banker with a flair for feature writing. Apart from his work schedules, he edits or proof-reads corporate material for his colleagues, executive managers – including distinguished professionals working in various fields outside Banking. Through this column, his articles feature on third-party online media platforms in Ghana and outside.