Kenya Cyber Security Report 2015
Cyber Security Perspective from the Financial Services Sector
Wycliffe Momanyi | Chief Information Security Officer, KCB Bank Group
Financial transactions are increasingly administered in real time with minimal human involvement. This is being driven by customer demand for faster, more efficient, easier and more secure means of carrying out their transactions. As a result of the ever-increasing roll-out of technologically driven products, the financial sector is facing ever-escalating threats from cyber criminals.

While vulnerabilities in software and networks continue to be the target of cyber attackers, and defending these resources remains the focus of every organisation, the weakest link continues to be the user. Data breaches arising from phishing attacks and social engineering continue to be on the rise. Banks have made efforts towards educating their clients, including providing information on their Internet banking portals, though in the face of a targeted attack these efforts are proving to be inadequate. Social media provides the platform required for an attacker to mine information on an individual. This information is then used to make the user believe that he is communicating with a legitimate source. With easier access to social media and the tendency to share personal information, the number of users that are exposed to such attacks will continue to increase.

Conversely, mobile banking has taken center stage, with most financial institutions adopting mobile-related services and mobile devices getting more powerful every year. Smart phones available today are capable of carrying out all the functionalities generally done on a PC. While there are efforts made to ensure that a PC is kept secure, a smart phone that does the same functionality does not receive similar attention. Mobile devices and mobile service offerings have become an attractive and easy target for cyber criminals owing to the lack of knowledge of users on the potential hazards as a result of, for instance, the download of malicious software.

In 2014, J.P. Morgan Chase & Co, the largest U.S. bank by assets, conceded that unknown attackers stole about 76 million customers' contact information - including names, email addresses, phone numbers and addresses. These breaches happened to JP Morgan Chase, which spends billions of dollars to fund IT budgets and employ large teams of security analysts, pointing to the sophistication of these cyber attacks. It is also reported that it took over a month for JP Morgan to detect that they had been hacked; for Kenyan banks it's a major challenge and one can only guess the extent of the problem.

Insider fraud is one of the major contributors to cybercrime and a headache to all Information Risk & Security practitioners. The employees are assigned privileged access to systems and thus it is easier for an insider to carry out a cyber-attack, as he is already aware of all the security devices and procedures in place. An attack by an insider is often more difficult to identify and recover from. Vendors pose the same risk, with a possibility of more devastating attacks.

From experience it is evident that even the best preventive solution is bound to have vulnerabilities that attackers can exploit. It therefore becomes not whether but when an attack will take place, and what measures have we set in place to respond to these attacks.

To address the unintended failures, an institution is expected to take several steps such as adoption of Board-approved IT governance policies, establishing data centres, third party contracts, robust service level agreements, IS audit etc. As far as the risk of unintended failure is concerned, the IT management policy framework that has evolved over a period