Cybersecurity: Lessons for African central banks
What you need to know:
- Strengthening cybersecurity in Africa requires capacity building, updated IT infrastructure, and policies that foster a security-first mindset
In its most recent publication, the Financial Inclusion Global Initiative (Figi) reported that African central banks face three major threats, namely threats to integrity, availability and confidentiality.
The factors that have made Africa an attractive target for attackers include lack of cybersecurity awareness at the enterprise level and lack of capacity to handle cybercrime. There needs to be capacity building programmes sponsored by donors, as well as credit facilities to allow African companies to acquire up-to-date equipment. The majority of African countries use outdated IT assets that make it difficult to implement security protocols. This problem is compounded by the problem of pirated software that lacks security guarantees.
Another factor is budget constraints. Many African organisations do not have cybersecurity budgets, making it difficult to plan for or manage cyberattacks.
The absence of formal employment in many African countries has also made some youth look at cybercrime as a job alternative.
Strengthening cybersecurity of the financial sector is the responsibility of the supervising authority. Also, creating policies that encourage a security mindset, conducting regular cybersecurity audits and security awareness training can be a good first installment.
It is further recommended that financial institutions share with each other information and intelligence on threats. There is also a need for a cybercrime database that is accessible to researchers, journalists, investigators and law enforcement. When it comes to law enforcement in Africa, the police do not have the skills to investigate such crimes.
The rising incidents of cybercrime require that organisations integrate cybersecurity into their core business processes. A business process is a series of structured activities that produce a predictable and desired outcome.
A good example of business processes is the cash withdrawal at the ATM demonstrated below in a simple manner.
There seems to be a lack of knowledge in business process engineering in the mobile money subsector; a case in point is the MTN Mobile Money withdrawal, which has eight business processes instead of three.
Another problem encountered is the flagrant violation of the principles of management at Bank of Uganda (BoU). Management principles dictate that functions should be listed in the organogram according to seniority, with the most senior at the top.
However, in the BoU organogram, one finds some personal assistants on a higher level than executive directors. This kind of exception can create problems in business process engineering. Privileges accorded to a personal assistant are already programmed in the system and anyone with a similar title will enjoy only those privileges.
Privileged Access Management (PAM) dictates the premises an officer may access. These permissions are transcribed on the company access badge. For this reason, the visitor’s card cannot give access beyond the reception area.
I looked at a dozen organograms of central banks, including the National Bank of Rwanda, Nigeria, Kenya, Côte d’Ivoire, Botswana, Uganda, England etc. The National Bank of Rwanda has the best organogram, followed by Botswana. Impressively, Rwanda is able to state its mandate on top of its organogram, while Uganda and Nigeria put medical services on their organograms which are not their mandate.
Organisations that integrate cybersecurity into their business processes will gain a competitive advantage over rivals by reducing customer complaints and damage control, among others.
The author, Mr Peter Kisitu, is a cybersecurity analyst.