David Luponis, Forvis Mazars: A number of organisations, including the World Economic Forum, are highlighting cyber risk as one of the biggest security risks of the 21st century. Is this growing awareness taken into account by decision makers?
Jean-Louis Menann-Kouamé, Orange Bank Africa: In corporate governance, there are bodies - board of directors, specialist committees - to support the executive with cyber risks. Within the board of Orange Bank Africa, we have an executive council which delegates specific tasks to a specialist committee like the risk committee. This is where risks are discussed and the committee rules on: risk mapping, risk mitigation elements, critical elements of cyber risk, the concept of business continuity plans, IT contingency plans, among other matters. The audit committee also deals with audit missions that have raised information security issues.
To respond to your question, yes, financial services organisations take fraud and cyber risk seriously, and governance must be well established to allow operational teams to deal with this threat.
Mohamed Saad, Casablanca Stock Exchange: That may be the case of Orange Bank, which is a mature structure, but in 2018 we carried out a survey that found 95-96% of the economy in Morocco, made up of SMEs, have not yet considered this risk to be one of the subjects to be addressed by their management boards. In big financial or telecoms companies, these audit and risk committees will look at risk mapping, the security budget, reviewing incidents, and more. But it is more complicated for SMEs and they have a lot to lose.
DL: Mobile banking has a very strong presence in Africa, does that present additional risk?
JLMK: Customers are always asking for more digital services. Faced with the digitisation of banking services, hackers are becoming more and more ingenious. With the development of e-banking and mobile money, there are more and more attacks.
There is underinvestment in cyber-security and a shortage of qualified staff globally. This is even more pronounced in Africa. Corporate investment comes through tools, good practices, respect for international standards and well-trained staff. This is the course which must be steered to tackle fraudsters.
MS: With the advent of customer-centric approaches, there has been a boom in mobile and new technologies like big data and machine learning. The most advanced banking structures will, for instance, be able to identify that a consumer is making a payment from their mobile phone while at the same time their account is being used for another transaction in a different country. So, using machine learning helps. There is also the ‘bug bounty programme’: where companies pay a lot of money to researchers to find vulnerabilities and breaches. There is a real dark web industry out there, not just students doing a bit of hacking for fun.
DL: We have mentioned education - how do you judge education in this area in Africa? Are there any lessons to be learned from elsewhere?
JLMK: Education is a key issue. In Ivory Coast, for example, there are only two schools focusing on cyber risks. While computing is attracting more and more young people, they tend to go into web development, network maintenance. It is also a subject that attracts very few women. The lack of awareness of the issue means that training on the job is not keeping up with the times. And, of course, there is the cost of training. Given the range of jobs in the sector, it is absolutely vital to develop specialist courses and seminars, and to go into schools to raise awareness among young people.
MS: Within a company, the new recruit, the trainee and the service provider all need training and to be made aware of this risk. Children also need to be trained from an early age, similar to how they learn the highway code. We need to do the same thing for information superhighways. Children are digital natives and it is crucial to raise awareness at an early age. In Africa today we drastically lack cybersecurity resources and experts.
DL: There is also the issue of regulation. Is continental coordination feasible to provide broader interdisciplinary cover and collaboration?
JLMK: Absolutely. Private and public operators (police, judiciary) and regulators need to work together. And, looking upwards, international collaboration is essential. In Ivory Coast, there have been many laws in recent years along with the adoption of regional directives through ECOWAS. These regional directives have to be incorporated into local law. Countries in the region are raising the bar in order to bring about an effective response to cyber-crime.
MS: Today, each country has its own rules and regulations, but cyber-crime is a global business. This is why governments need to organise to hunt in packs. Sometimes attacks just take milliseconds. Responsive task forces are needed to share information and communicate it quickly. A common regional, or even continental, approach is vital.
DL: Did the Covid-19 pandemic change anything? Did it accelerate cybercrime?
MS: The Covid-19 pandemic has led to the rise of remote working. As a result, staff end up using multiple professional and personal laptops on a consumer network with a domestic router that is entirely outside the company's security policy. VPNs can also be corrupted. So, the number of risks increases. Hackers have taken advantage of the negligence of some users. There are many lessons to be drawn from this period.
DL: Looking forwards, what is best practice for responding to cyber risks?
JLMK: For the private sector, the issue of governance - risk committee, audit committee, procedures - is key. We also need CIOs to be included in all business development projects. The issue also calls for substantial budgets: investing in big data and AI is no longer optional.
The IT aspect needs to be incorporated into all projects upstream rather than waiting until later. Staff and clients need to be educated. You also need a strategy to combat cyber-crime in the public sphere. And to have a legislative and regulatory framework which is coercive enough, so that hackers are faced by a police force that can investigate and a justice system that condemns severely and dissuades.
MS: The response to cybercrime must be driven by management. Cybersecurity, like quality and any good governance issue, needs to come from the top and be incorporated into projects from the start. That's how you avoid risk: educate, educate, educate. And educate the illiterate population as well. Training is the key word for a generation and a population. The AUSIM have published open source reports and white papers to raise awareness of best practices and counter cyber risks.
DL: The cyber insurance market is growing in the Western world. Do you believe it will also develop in Africa?
JLMK: Unfortunately, it is not currently the case. Local insurers should already be able to provide this type of insurance. But when these policies exist the investment is well worth it. As attacks are increasingly numerous - three-digit growth in some areas - investment in cyber insurance is a must.
MS: This already exists. At the extremes there are insurance products which can even cover a ransom. Emotet, ransomware as a service, is one of the biggest risks. The dark web is a real marketplace. People buy services to conduct attacks and they target companies and executives.
DL: There are questions from the audience on the scale of investment. In Europe, the recommendation is to set aside a cyber-security budget of 10% of the budget. What do you think?
JLMK: I can't tell you if this scale of budget is the right one but you have to invest appropriately in connection with your industry. The Orange group has invested significant resources into this subject. The budget needed will be significant but appropriate for the nature of the company.
MS: We are effectively at this, but everything depends on the company, the technologies used. Today, in the financial sector, for instance, if there is one area of the budget that is not currently being trimmed, it is this one. The risks are too great and the price to pay would be too high. Market authorities, central banks, telecoms regulators monitor, control and put in place regulatory frameworks for compliance.
DL: Another audience question - Is cyber risk contagious? Can an attack have repercussions for a partner or supplier?
MS: We talk about trojan horses, we talk about ransomware and malware, and now we talk about ‘droppers’ where the virus installs itself. So rebound attacks exist. Cyber-crime knows no borders. Contagion has existed from the beginning in IT and IT services in each department need to be separated from each other to contain an attack and prevent risks being contagious.
Moderator and panellists:
- David Luponis, Partner, Forvis Mazars (moderator)
- Jean-Louis Menann-Kouamé, Managing Director, Orange Bank Africa
- Mohamed Saad, Deputy Managing Director, Casablanca Stock Exchange and President of AUSIM
Go here to find out more about the Africa Financial Industry Summit.