Africa’s rapid digital transformation since COVID-19 leaves critical infrastructure vulnerable to cybercrime, which cost the continent an estimated $4.12 billion last year. Banks and insurance companies are increasingly becoming prime targets. What are the emerging threats? And how should institutions balance reinforcing internal capabilities versus outsourcing expertise?
By Kingsley Kobo
High demand for new financial services such as mobile banking coupled with the evolving nature of end-point devices has given rise to malicious apps and other attack vectors.
More than 700 million threat detections were recorded by INTERPOL’s partner, Trend Micro, in Africa between January 2020 and February 2021. And with more than 90% of African businesses still operating without the necessary cyber security protocols, escaping the grim fate of cyber insecurity remains a tough grind.
A workable governance structure
According to experts, Africa’s financial institutions (FIs) must not only establish a corporate cybersecurity governance structure but also maintain it to identify and remediate emerging threats. “A chief information security officer (CISO), who can steer cyber governance within the organization, is vital, in response to the expanding threat landscape,” says Franck Kié, Director at Ciberobs, an Ivorian cybersecurity firm.
Adetola Adegbayi, Executive Director, Technical Services/Operations at Leadway, one of Nigeria’s largest insurance companies, argues the CISO must be given an executive-level role to be able to function effectively.
“We have gone past the days when a cybersecurity officer’s job is regarded as a technical duty, operating only in the technology space. The job now embraces a plethora of responsibilities and should be a key component of any corporation alongside the roles of senior executives and managers,” she says.
“The IT/Cyber Security sector of financial institutions must get maximum support from board leaders to enable a successful cybersecurity governance program. We keep seeing a division between governance and management which results in different leadership perspectives. A joint effort between technical and non-technical teams is crucial to fend off cybercriminals.”
Outsourcing versus in-house expertise
There have been recurring debates on whether to build an in-house Security Operations Centre (SOC) or partner with a Managed Security Service Provider (MSSP). An SOC is a centralised unit established by a company to handle its security issues while an MSSP is a third-party company that provides a multitude of cybersecurity products and services to a business.
Most regional experts are proponents of MSSPs due to their lower cost and faster installation time.
“A huge number of African financial institutions already outsource their security solutions which I think is preferable because building an in-house security operations centre is costly and takes time to mature and start running properly, coupled with the challenge of finding qualified and experienced cybersecurity experts, who are not only rare, but expensive,” says Antoine Ondoua, Chief Analyst at Cameroonian information security company, Zuoix.
“MSSPs seem to be more up-to-date with the fast-moving and evolving treacherous environment because they deal with old and new threats all the time due to their vast client base spread across many regions. Therefore, using such services will help free up time for banks and insurance firms to concentrate on developing their businesses.”
However, the need for data confidentiality – personal data, trade secrets, and other private business data – supports the case for in-house security expertise, which offers greater control and autonomy over the company’s environment, according to Accra-based Philip Debrah, an independent IT/Cyber Security engineer, who works with top Ghanaian banks.
“Larger organizations, which can afford it, should never ignore the establishment of a high-end security operations center. Its proximity facilitates the raising of awareness among employees across all levels of the organization. You never know where the next threat will be coming from. Providers themselves are at risk of attacks from cybercriminals.”
From ransomware to supply chain attacks: The growing threats
While FIs strive to beef up their security protocols to forestall data and systems breaches, cybercriminals keep developing new and sophisticated tactics with a specific focus on evading endpoint protection solutions.
Ransomware is responsible for most cyber security incidents and remains one of the biggest threats to large financial institutions. The global banking industry experienced a 1,318% year-on-year increase in ransomware attacks in the first half of 2021, according to a report by Trend Micro. More than 61% of companies in Africa were affected by ransomware in 2020, according to the Africa Center for Strategic Studies.
The scheme consists of encrypting a company’s vital files and locking users out, with the hackers then demanding ransoms in exchange for the encryption key to decrypt the data and system. The payment of ransoms is not a guarantee that corrupted systems will be restored.
According to Kaspersky, more than 1.5 million ransomware detections were made in Africa in 2020. In the first quarter of 2021, Egypt, South Africa, and Tunisia recorded the highest detection counts across the continent.
Ecobank Transnational Incorporated, which operates an in-house SOC staffed with more than 100 experts, thwarted 500 attempted attacks between January and March 2022, according to its director for operations and technology, Tomisin Fashina.
Experts have called for implementation of the “prevent and protect principles” to curb the threat.
Cloud-based cyberattacks are also a significant threat as more software systems and data are stored in the cloud, making it a fertile ground for attackers. Organisations must ensure that their cloud infrastructure is securely configured against breaches, security analysts warn.
“While Distributed Denial of Service (DDoS) attacks have considerably reduced, they remain a threat. However, one of the most dreadful threats going forward is the supply chain attack,” says Ondoua.
Supply chain attacks occur when hackers target a software vendor and deliver malicious code to customers in the form of products or updates that look legitimate. The intention is to compromise the distribution systems, which in turn helps the criminals gain access to the networks of suppliers and their customers.
Creating an effective regulatory framework
As new security challenges emerge, many observers claim that public authorities are not supportive enough.
At the 1st Cybersecurity Summit co-organised by the government of Togo and the United Nations Economic Commission for Africa (ECA) in Lomé last March, member states adopted the “Lomé Declaration on cybersecurity and the fight against cybercrime”, which was simply a commitment by member states to sign and ratify the initial African Union’s “Malabo Convention”.
Adopted in 2014, the aim of the Convention is to establish a unified legal framework across the continent. Described as one of the most elaborate conventions in the world on cybersecurity, it is yet to be effective because only a few countries have ratified it. For it to come into force, at least 15 countries out of the 55 must ratify it.
From five countries which signed the convention and one which ratified it initially, the number has grown to 14 signatories and 13 ratifications. But regional giants like Nigeria, South Africa, Egypt and Kenya are yet to either sign or ratify.
Some experts say the reticence from countries is due to the evolving regulatory policies in individual jurisdictions, especially in the finance sector.
“Many countries have enhanced their cyber-security banking regulations or supervisory tools, which I believe makes the Malabo Convention now a secondary issue. But having an additional common front is crucial because cyber threats are mostly cross border,” says Ethan Mudavanhu, policy analyst at Access Partnership.
A few examples of national policies are the Nigerian National Cybersecurity Policy and Strategy (NCPS) enacted in 2021, Ghana’s Cyber Security Act 2020, and Kenya’s National Cybersecurity Strategy of 2022.
Is purpose-built regulation needed for the financial sector?
There is also a debate as to whether an overarching cyber security regulation is enough or if specific regulations are needed for financial institutions. Many policy analysts lean towards specific regulations for financial institutions over general IT regulations due to the increasingly digitised method of doing business in the sector.
“There are a myriad of threats posed by rising cybercrimes. There are a myriad of legislations on cyber security. However, if knowledge is not thoroughly spread within financial institutions and public awareness is not adequately raised amongst customers, cyber criminals will always have their way,” says Mohamed Yassin, systems analyst chief at United Bank of Egypt.