Banks and other businesses in the country are simply paying lip-service to the critical issue of cyber security, with regulatory inaction being a major contributory factor, Del Aden, Managing Partner at cyber security firm, Delta 3 International, has said.
“There is a lot of talk but not enough action or collaboration with other organisations to protect people, and activities are being handled by few people. But it should be more collaborative,” the cyber security expert told the B&FT in an interview.
He pointed out that inaction on the part of regulators – Bank of Ghana and Data Protection Commission – has made businesses reluctant about bolstering their cyber security mechanisms.
“Organisations in Ghana are still not getting the message when it comes to cyber security. Most likely, what is going to wake them up is when something happens in Ghana or Nigeria or any of the African countries that will shake the institution to its foundation or the banking sector. Then people will start sitting up to cyber security,” he noted.
The Bank of Ghana, in the third quarter of 2016, introduced cyber security guidelines for all banks to attain ISO27001 and PCIDSS certification, two of the basic forms of protection in the banks and payments system.
The Central Bank later withdrew the guidelines, due to lobbying from the banks about their inability to meet the deadline, and announced later that year that it was in the process of issuing guidelines for the establishment of cyber security protocols and procedures for routine and physical security measures for IT centres and control rooms to ensure data security at the highest level.
Not much has happened since, and Del Aden believes the Central Bank and the Data Protection Commission are not applying enough pressure on institutions for them to abide by basic cyber security measures.
“In the Data Protection Act of 2012, the Data Protection Commission is charged with educating the population on cybercrime and protection of their data and forcing businesses to be compliant with the protection of clients’ data.
But when was the last time you heard of them in public awareness? There is a day or two set aside as Data Protection Day and a few organisations are invited to a forum and the next is sending of mails to train data protection officers, which the big organisations can afford but what about the small businesses? Meanwhile, they need to be educated in terms of their responsibilities.
Also, what other compliance is being put in place apart from data protection? You and I know that ISO27001 is key to a strong cyber environment and PCIDSS is also key, but to the best of my knowledge, there is no policing of these two basic frameworks. But over and above these two frameworks, there is something called cyber essential.
Only a few banks in the country are cyber security compliant but the rest have relaxed. We intend to ask the banks a simple question: are you ISO27001 and PCIDSS compliant? Most of them tend to duck the question and refer to the head office, which mostly is not in the country,” he said.
Electronic fraud constitutes more than 80 percent of all complaints and fraud cases the Central Bank receives, data from the Consumer Reporting Unit of the Central Bank’s Financial Stability Department has shown.
A report released by Kenyan-based IT firm, Serianu Limited, reveals that Ghana’s economy lost a total of US$50 million to cybercrime in 2016.
Mr. Aden believes the situation could be worse this year. According to his projections, if efforts are not stepped up, the economy stands to lose US$100 million to cybercrime in 2018.
“It is all about collaborative implementation, instead of keeping it in the hands of a few. If you look at the fight against cybercrime in Europe and other developed economies, they get everyone involved, small companies, private organisations, public sector, government and higher institutions of learning. It is a collaborative effort rather than it being in the hands of few people.
In the case of Ghana, my view is that the public sector organisations that are responsible for governance, regulation and compliance are not working or getting enough private sector involved,” he added.