The rising incidents of cybercrime require that organisations integrate cybersecurity into their core business processes
COMMENT | PETER KISITU | In its most recent publication, the Financial Inclusion Global Initiative (Figi) reported that African central banks face three major threats, namely threats to integrity, availability, and confidentiality.
The factors that have made Africa an attractive target for attackers are a lack of cybersecurity awareness at the enterprise level and a lack of capacity to handle cybercrime.
There needs to be capacity-building programs sponsored by donors, as well as credit facilities to allow African companies to acquire up-to-date equipment. The majority of African countries use outdated IT assets that make it difficult to implement security protocols. This problem is compounded by pirated software, which lacks security guarantees.
The third constraint is budgetary: many African organisations do not have cybersecurity budgets, making it difficult to plan for or manage cyberattacks. The fourth is the absence of formal employment in many African countries, which has led some youth to look at cybercrime as a job alternative. To prove this point, Ramon Olorunwa Abbas, aka Hushpuppi, the convicted Nigerian cybercriminal, is considered a role model by some Nigerian youth.
Strengthening the cybersecurity of the financial sector is the responsibility of the supervising authority. Creating policies that encourage a security mindset, conducting regular cybersecurity audits, and running security awareness training can be a good first installment.
It is further recommended that financial institutions share information and intelligence on threats with each other. There is also a need for a cybercrime database that is accessible to researchers, journalists, investigators and law enforcement.
When it comes to law enforcement in Africa, the police do not have the skills to investigate such crimes. The rising incidents of cybercrime require that organisations integrate cybersecurity into their core business processes. A business process is a series of structured activities that produce a predictable and desired outcome. A good example of a business process is the cash withdrawal at the ATM, demonstrated below in a simple manner. (Business Process X is what is recommended to improve security at the business process level of ATM banking.)
There seems to be a lack of knowledge of business process engineering in the mobile money subsector. A case in point is the MTN Mobile Money withdrawal, which has eight business processes instead of three. Another problem encountered is the flagrant violation of the principles of management at the Bank of Uganda. Management principles dictate that functions should be listed in the organogram according to seniority, with the most senior at the top. However, in the Bank of Uganda organogram, one finds some personal assistants on a higher level than executive directors. This kind of exception can create problems in business process engineering. Privileges accorded to a personal assistant are already programmed in the system, and anyone with a similar title will enjoy only those privileges. Privileged Access Management (PAM) dictates the premises an officer may access. These permissions are transcribed on the company access badge. For this reason, the visitor’s card cannot give one access beyond the reception area.
I looked at a dozen organograms of central banks, including those of Rwanda, Nigeria, Kenya, Côte d’Ivoire, Botswana, Uganda, England, etc. The National Bank of Rwanda has the best organogram, followed by Botswana. Impressively, Rwanda is able to state their mandate on top of their organogram, while Uganda and Nigeria put medical services on their organograms, which are not their mandate. Worse still, Uganda places some personal assistants above executive directors, which is not professional.
Organisations that integrate cybersecurity into their business processes will have the following advantages: a competitive advantage over rivals through fewer customer complaints, and direct cost savings from preventing cyberattacks, which avoids costly legal battles and damage control.
How can African central banks take charge of cybersecurity?
Central banks can reclaim their leadership role by lobbying their governments to finance cybersecurity awareness on social and traditional media. African central banks can lobby for the establishment of national cybersecurity databases where all cybercrimes are recorded. Central banks can encourage all financial institutions to invest in cybersecurity.
Mobile security
Samsung, a leader in mobile phone manufacturing, predicts that by the end of 2024, 60% of the global workforce will be mobile; this means that mobile security must be a priority for all organisations. The workers will connect to corporate networks with their mobile phones, laptops, flash disks, etc. Allowing employees to use the devices they are most comfortable with may boost productivity, but there is a downside: personal devices may be outdated and may have malware. Mobile devices also connect to public Wi-Fi and other insecure networks. Therefore, creating a security policy for mobile devices will protect corporate assets.
Email security
Email remains the most used corporate communication tool, and as such, securing it is paramount to ensure the security of the information that employees send and receive. Common email protection tools include antivirus programs, email encryption, secure email gateways, multi-factor authentication and spam filters.
The colossal amounts of money required to invest in cybersecurity make it out of reach for most African companies. But there is a silver lining; it is now possible to buy email security bundles and mobile security bundles from just $10 per person per month.
*****
Peter Kisitu is a Cybersecurity Analyst