David Luponis, Mazars: A number of organisations, including the World Economic Forum, are highlighting cyber risk as one of the biggest security risks of the 21st century. Is this growing awareness taken into account by decision makers?
Jean-Louis Menann-Kouamé, Orange Bank Africa: In corporate governance, there are bodies - board of directors, specialist committees - to support the executive with cyber risks. Within the board of Orange Bank Africa, we have an executive council which delegates specific tasks to a specialist committee like the risk committee. This is where risks are discussed and the committee rules on: risk mapping, risk mitigation elements, critical elements of cyber risk, the concept of business continuity plans, IT contingency plans, among other matters. The audit committee also deals with audit missions that have raised information security issues.
To respond to your question, yes, financial services organisations take fraud and cyber risk seriously, and governance must be well established to allow operational teams to deal with this threat.
Mohamed Saad, Casablanca Stock Exchange: That may be the case of Orange Bank, which is a mature structure, but in 2018 we carried out a survey that found 95-96% of the economy in Morocco, made up of SMEs, have not yet considered this risk to be one of the subjects to be addressed by their management boards. In big financial or telecoms companies, these audit and risk committees will look at risk mapping, the security budget, reviewing incidents, and more. But it is more complicated for SMEs and they have a lot to lose.
JLMK: Customers are always asking for more digital services. Faced with the digitisation of banking services, hackers are becoming more and more ingenious. With the development of e-banking and mobile money, there are more and more attacks.
There is underinvestment in cyber-security and a shortage of qualified staff globally. This is even more pronounced in Africa. Corporate investment comes through tools, good practices, respect for international standards and well-trained staff. This is the course which must be steered to tackle fraudsters.
MS: With the advent of customer-centric approaches, there has been a boom in mobile and new technologies like big data and machine learning. The most advanced banking structures will, for instance, be able to identify that a consumer is making a payment from their mobile phone while at the same time their account is being used for another transaction in a different country. So, using machine learning helps. There is also the ‘bug bounty programme’: where companies pay a lot of money to researchers to find vulnerabilities and breaches. There is a real dark web industry out there, not just students doing a bit of hacking for fun.
JLMK: Education is a key issue. In Ivory Coast, for example, there are only two schools focusing on cyber risks. While computing is attracting more and more young people, they tend to go into web development, network maintenance. It is also a subject that attracts very few women. The lack of awareness of the issue means that training on the job is not keeping up with the times. And, of course, there is the cost of training. Given the range of jobs in the sector, it is absolutely vital to develop specialist courses and seminars, and to go into schools to raise awareness among young people.
MS: Within a company, the new recruit, the trainee, the service provider all need training and be made aware of this risk. Children also need to be trained from an early age, similar to how they learn the highway code. We need to do the same thing for information superhighways. Children are digital natives and it is crucial to raise awareness at an early age. In Africa today we drastically lack cybersecurity resources and experts.
JLMK: Absolutely. Private and public operators (police, judiciary) and regulators need to work together. And, looking upwards, international collaboration is essential. In Ivory Coast, there have been many laws in recent years along with the adoption of regional directives through ECOWAS. These regional directives have to be incorporated into local law. Countries in the region are raising the bar in order to bring about an effective response to cyber-crime.
MS: Today, each country has its own rules and regulations, but cyber-crime is a global business. This is why governments need to organise to hunt in packs. Sometimes attacks just take milliseconds. Responsive task forces are needed to share information and communicate it quickly. A common regional, or even continental, approach is vital.
MS: The Covid-19 pandemic has led to the rise of remote working. As a result, staff end up using multiple professional and personal laptops on a consumer network with a domestic router that is entirely outside the company's security policy. VPNs can also be corrupted. So, the number of risks increases. Hackers have taken advantage of the negligence of some users. There are many lessons to be drawn from this period.
JLMK: For the private sector, the issue of governance – risk committee, audit committee, procedures - is key. We also need CIOs to be included in all business development projects. The issue also calls for substantial budgets: investing in big data and AI is no longer optional. [Mazars has surveyed global business leaders on the investment necessary for workplace technologies. Read our Tech Train report here.]
The IT aspect needs to be incorporated into all projects upstream rather than waiting until later. Staff and clients need to be educated. You also need a strategy to combat cyber-crime in the public sphere. And to have a legislative and regulatory framework which is coercive enough, so that hackers are faced by a police force that can investigate and a justice system that condemns severely and dissuades.
MS: The response to cybercrime must be driven by management. Cybersecurity, like quality and any good governance issue, needs to come from the top and be incorporated into projects from the start. That's how you avoid risk: educate, educate, educate. And educate the illiterate population as well. Training is the key word for a generation and a population. The AUSIM have published open source reports and white papers to raise awareness of best practices and counter cyber risks.
JLMK: Unfortunately, it is not currently the case. Local insurers should already be able to provide this type of insurance. But when these policies exist the investment is well worth it. As attacks are increasingly numerous - three-digit growth in some areas - investment in cyber insurance is a must.
MS: This already exists. At the extremes there are insurance products which can even cover a ransom. Emotet, ransomware as a service, is one of the biggest risks. The dark web is a real marketplace. People buy services to conduct attacks and they target companies and executives.
JLMK: I can't tell you if this scale of budget is the right one but you have to invest appropriately in connection with your industry. The Orange group has invested significant resources into this subject. The budget needed will be significant but appropriate for the nature of the company.
MS: We are effectively at this, but everything depends on the company, the technologies used. Today, in the financial sector, for instance, if there is one area of the budget that is not currently being trimmed, it is this one. The risks are too great and the price to pay would be too high. Market authorities, central banks, telecoms regulators monitor, control and put in place regulatory frameworks for compliance.
MS: We talk about trojan horses, we talk about ransomware and malware, and now we talk about ‘droppers’ where the virus installs itself. So rebound attacks exist. Cyber-crime knows no borders. Contagion has existed from the beginning in IT and IT services in each department need to be separated from each other to contain an attack and prevent risks being contagious.
Moderator and panellists:
Go here to find out more about the Africa Financial Industry Summit.
To read our report on global technology implementation and investment levels – including AI, blockchain, ERP, IoT and RPA – see here.
14/04/2021 Global cybercrime costs are increasing each year and cybercrime is appointed as one of business leaders’ biggest concerns. Africa – a world leader in mobile banking – is a prime target for cybercrime and, as phishing and fraud get more sophisticated, businesses on the continent need to find new ways to protect themselves, including strengthening legal frameworks, regulation and cyber education.
09/04/2021 The African start-up ecosystem is booming: over the last decade it has become a global leader in mobile financial services, with M-Pesa in Kenya just one example of the continent’s success. Now regulation has to keep up with innovation for the good of fintech and the people who use it.
25/03/2021 Africa finds itself in a precarious predicament when it comes to climate change: it is one of the regions most at risk of its consequences but contributes just 4% of global CO2 emissions. At the same time, the financial resources necessary to mitigate the impact are scarce, with the IMF estimating a $50bn deficit in green finance initiatives that could help societies adapt to the changing...
This website uses cookies.
Some of these cookies are necessary, while others help us analyse our traffic, serve advertising and deliver customised experiences for you.
For more information on the cookies we use, please refer to our Privacy Policy.
This website cannot function properly without these cookies.
Analytical cookies help us enhance our website by collecting information on its usage.
We use marketing cookies to increase the relevancy of our advertising campaigns.