Enforce cybersecurity guidelines to bolster reforms – expert tells BoG

The central bank must enforce the cybersecurity guidelines it issued in the last quarter of 2018, or the reforms it introduced to sanitise and strengthen the banking sector will have no positive effect on the industry, Dele Aden, Managing Partner at Delta3 International – a cybersecurity firm, has said.

“Without enforcing the guidelines and making banks adhere to them, cybercriminals will still be having a field-day – and that is not good for a banking industry which recently witnessed a wide range of reforms, from increased stated capital to new guidelines on corporate governance, cybersecurity and fit and proper,” he told the B&FT.

The Bank of Ghana, in October 2018, unveilled a detailed directive on cybersecurity known as the Cyber and Information Security Directive, to among other objectives create a secure environment within ‘cyberspace’ for the financial services industry and generate adequate trust and confidence in ICT systems as well as transactions in the cyberspace.

The directives are also meant to create an assurance framework for designing security policies and for promotion of compliance to global security standards and best practices by way of cyber and information security assessment.

It is also to strengthen the regulatory framework for ensuring a secure environment within cyberspace and enhance the protection and resilience of the financial systems’ operation, and provide security practices related to the design, acquisition, development and use of operation information resources.

But Mr. Aden pointed out, however, that the extent to which the banking industry will adhere to it depe“Most importantly, how far and how much the regulator will enforce those good stuff in the guidelines is key,” he said.

Although Ghana is doing a lot when it comes to fighting cybercrime, money laundering and all the e-crimes associated with the underworld, it is still not doing enough when compared to some Asian countries, Europe, USA and Canada, he said.

“In Ghana, once you take the banks out of the equation, nobody else wants to invest in cybersecurity because they think cybercrime is something that happens to western nations.

“I do a lot of work for clients in Europe regarding General Data Protection Regulation (GDPR), cyber essentials, risks, PCIDSS and other regulations that ensure the company’s cyber integrity is in shape, electronic data is protected, breaches of such data are significantly reduced, and money laundering does not take place. Is it the same in Ghana? Not really,” he said.

He cited the example of the Bangladesh Bank robbery that took place in February 2016, when thirty-five fraudulent instructions to withdraw close to US$1billion from the account of Bangladesh Bank held at the Federal Reserve Bank of New York were issued via the SWIFT network.

Five of the thirty-five fraudulent transfer instructions issued by security hackers, worth US$101million, succeeded – with US$20million traced to Sri Lanka and US$81million traced to the Philippines.

But the Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to US$850million, due to suspicions raised by a misspelled instruction. It was later suspected that Dridex malware was used for the attack.

“There is the concept of defence-in-depth in cybersecurity. If this is your most precious data, you build a series of defences around it: so much that it becomes attack-proof. In Europe and the UK, there are some data you cannot get access to, and only few people can have access to it at particular times.

“There are some data which are disconnected from the whole system, and as and when that data is needed it is connected electronically. Banks must build in-depth defences around their data, segregate it or get some of the best talent to manage that data,” he advised.

The Economist Intelligence Unit noted that cybercrime cost Africa an estimated US$3.5billion in 2017 as government agencies, individuals and businesses – particularly small and medium-sized enterprises (SMEs) – struggled to implement basic cyber-security measures.

Mr. Aden was speaking to the B&FT ahead of the maiden Ghana InfoSec and Information Technology (IT) Leaders Conference in Accra, on the theme ‘Mitigating Cyber Risks through Effective Leadership’.

The conference, scheduled to come off in Accra on Thursday, March 28 at the Marriot Hotel, seeks to bring together business leaders to meet with thought-leaders and decision-makers in IT and cybersecurity to foster collaboration and partnership toward the country’s fight against cyber-related crimes and attacks.