Information and communications technology experts have asked commercial banks in the East African region to step up their investment in cyber security, to combat the growing threat.
According to the African Cyber Security Report 2016, banking is the leading risk sector. The report by Serianu, a Tanzania-based non-governmental organisation, notes that African countries lost $2 billion in cyber attacks last year. In East Africa, Kenya lost $171 million to cyber criminals; Tanzania lost $85 million, while Uganda lost $35 million.
A cyber security roundtable at the World Economic Forum in Davos in January also heard that the biggest banks face up to two billion cyber attacks a year. While this number is growing by double digits annually, many medium and large corporations do not devote sufficient resources to cyber risk management.
Michael Niyitegeka, an IT expert and ICDL Africa country manager for Uganda, said that the amount lost to cybercrime is likely to rise if players in the sector do not prioritise and invest in cyber security.
“The evolving nature of cyber crime makes it more complicated for banks and businesses in general. An anti-virus bought today may not work tomorrow; you cannot have a watertight system,” said Mr Niyitegeka.
Mr Niyitegeka also noted that the limited number of certified professionals makes the war against cybercrime in the financial sector difficult.
According to the report, at 1,400, Kenya has the highest number of professionals in East Africa, followed by Uganda at 300, while Tanzania has the lowest number at 250. Half of them are not trained or get ad hoc training when an incident occurs.
The cost of investment is also prohibitive in some cases, forcing bank officials worried about their bottom line and shareholder dividend demands to leave cyber security to chance, hoping no attack will take place, experts observe.
According to the report, 96 per cent of African organisations including banks spend less than $5,000 on cyber security annually, an investment that does not match up to the levels of concern registered.
Stanbic Bank chief executive Patrick Mweheire puts the bank’s investment at about $10 million annually though he did not indicate whether this applies to its Uganda operations alone or across the region. He has called for better co-operation in the sector.
The chairperson of the Uganda Bankers Association, Fabian Kasi, said that members invest 20 per cent of operational costs in cyber security. UBA also hopes to strengthen its members’ response to cybercrime through a certified computer emergency response team, a joint investment by all the banks because it is an expensive venture.
Mustapha Mugisa, a certified fraud examiner and chief executive of Summit Consulting, suggests that “ethical hackers” be employed to detect the nature and level of threat through a mock cyber attack.
“In the area of cyber security, to catch a thief you must first think like one. So if I’m going to protect you, I want you to give me a challenge and say, ‘Mustapha, prove to me that I am actually exposed.’ We can then work together to fix that problem. This will also help the bank assess its level of responsiveness,” he said.
Mr Mugisa, however, noted that institutions need to look inward too, as the more advanced attacks are usually perpetrated by internal staff.
“The banks’ top managers need to be digitally competent to understand the nature of the threat. There is, therefore, a need to change the mindset and awareness at the highest levels of decision-making in the bank,” he said.