SACCO CYBERSECURITY REPORT 2019



Digital Transformation and Cyber Risk Within Saccos

Table of Contents

1 Introduction .... 5
2 Highlights of the Report .... 10
3 Digitalization .... 13
3.1 Digitalization: People .... 16
3.2 Digitalization in Sacco Processes .... 17
3.3 Digitalization - Technology .... 19
4 Current State Analysis .... 21
4.1 Governance .... 22
4.2 IT Security .... 26
4.3 Outsourcing Management .... 30
4.4 Business Continuity Management .... 32
5 Impact of Digital Transformation .... 36
5.1 Changing Landscape Alters Sacco Behavior .... 37
5.2 Optimizing Operations Drives Productivity and Innovation .... 37
6 Cyber Risk - Impact of Digital Transformation .... 38
6.1 Five Missteps Saccos Make In Digital Transformation Journey .... 40
7 Priorities for 2020 .... 41
7.1 Transaction Monitoring .... 42
7.2 Operational Monitoring Controls For Your Organisations To Consider .... 43
7.3 IT Controls (IT Team, Application Administrators, Transaction Initiators And Approvers) .... 43
8 Developing A Viable Digitalization Business Case .... 45
9 Cyber Security Extension Officer Program .... 48
10 CVEQ Assessment Tool for Saccos .... 52
11 References .... 60


This report was prepared by the Serianu CyberThreat Intelligence Team in partnership with the Africa Cyber Immersion Center. We would like to acknowledge the following individuals who, among others, made a major contribution to delivering this report.

Contributors

Brencil Kaimba
Martin Mwangi
Barbara Munyendo
Daniel Ndegwa
Nabihah Rishad
Samuel Keige
Ayub Mwangi
Brilliant Kaimba
Daniel Kabucho
Shiela Nyambura
Anne Gikaara
Brian Nyali
George Kiio

Research Coordinators

Cedric Miheso, Sales Lead
Morris Kamethu, Sales Executive
Edwin Shitakule, Sales Executive
Joy Chivile, Sales Executive

We also thank the Serianu Executive Team for the support and guidance they provided:

Chief Executive Officer, William Makatiani
Chief Operations Officer, Joseph Mathenge

Design, Layout And Production

Erick Ochola - Tonn Kriation

©2019 Serianu Limited

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the express permission of the copyright owner. Permission will generally be granted for use of the material from this document on condition that the source is clearly credited as being Serianu Limited.


Introduction

Welcome to the 2nd edition of Serianu's Sacco Cybersecurity Report, dubbed Digital Transformation and Cyber Risk within Saccos. Digital transformation is occurring at every level in the financial sector, from new technology to new transaction channels to heightened customer expectations.


Digital Transformation, also known as digitalization, is widely defined as the integration of digital technology into all areas of a business, fundamentally changing how you operate and deliver services and products to customers.

Through the years of growth of the cooperative movement in Kenya, savings and credit societies (Saccos) have grown in their influence as a medium of financial inclusion, giving many more Kenyans a method of saving and investing.

Because of their intermediation role, closeness to the members and apparent ease of membership and use of their services, Kenyans are today said to have more accounts with saccos than with the formal commercial banks.

This points to the great role that saccos continue to play in financial intermediation and in reducing the gap of digital inclusion.

It is encouraging to note that a number of saccos have in the past two years embraced modern technology and effectively implemented digitalization in ways that have set a precedent for the sub-sector.

This has led other saccos to emulate them as each tries to join the digitalization bandwagon, but in the process they raise their respective risk profiles and become exposed to system unavailability, third-party compromise and malicious insider breaches.

Following the initial, highly successful survey that we carried out on the state of sacco cybersecurity in Kenya in 2018, Serianu set out to build on its findings to establish the extent to which the sub-sector had implemented our recommendations and picked up learnings from the report.

Brencil Kaimba, Editor-in-chief and Sr. Consultant, Product Strategy & Development, Serianu Ltd

This year, Serianu conducted an extensive survey that polled over 150 Saccos across Kenya. The goal was simple: identify the milestones made by Saccos in their digital transformation journey, establish pain points they encounter and design steps that help them walk this journey successfully.

We set out to listen to the saccos and empathized with the fact that each of them was at a different point in the digitalization journey.

They all admitted that they viewed technology as a great enabler for them in the quest to deliver better services to their members and in the process ensure that their organisations were managed in a better, more efficient manner.


Over the last 12 months, Serianu has interacted with over 1000 Sacco staff members, boards and senior managers. Below is a highlight of our activities.

FIGURE 1: Serianu's Sacco engagement activities, March to November 2019, by region (Nyanza, Mombasa, Nairobi, Western, Central, Eastern and Rift Valley). Activities shown include Kisumu, Nairobi, Kerugoya, Meru, Tharaka Nithi and Embu Saccos trainings; Cotesa and Cooperatives trainings; Sacco board member trainings in Nyanza, Nairobi, Kakamega and Kisii; general user awareness sessions in Kakamega, Naivasha and Bomet; Kilifi and Mombasa Sacco Days; an ISACA event; and the Friday Sacco Session at Serianu in Nairobi.


We have split this year's report into various sections as follows:

1. The digital transformation of Saccos, focusing on:

People: People change means upskilling and reskilling. The critical question to ask is: do you have the right people with the right skill sets?

Process: Process changes, including customer experience and interactions, that have transformed the sacco sub-sector.

Technology: Key technological changes that have occurred within Saccos, their impact and the risks they are exposed to.

2. Current State Analysis (Survey Analysis)

This section summarizes key findings from the survey conducted. Primary themes discussed here cover:

Governance: In this section we look at the board's role in ensuring the success of IT security programs and the overall digital strategy, key challenges faced by board members and best practice to follow.

IT Security: This section looks at the management of cybersecurity, competency levels for IT management and challenges in implementing IT security.

Outsourcing Management: How Saccos are managing vendors from a legal and performance perspective.

Business Continuity Management: This section looks at how prepared Saccos are in case of a disaster, key challenges faced in this process and best practice.

3. Cyber Risk – Impact of Digital Transformation

It's easy to rush into the digital transformation journey while omitting a deep analysis of the risks and the design of the right roadmap for the sacco. This section looks at the top mistakes organisations make in this journey.

4. Priorities for 2020

As 2019 draws to a close, we've taken the key learnings and summarized them under this section. We also list must-have investments for 2020.

5. County Cyber Security Extension Officers

In order to address the resourcing challenge, and taking into consideration the unique challenges that saccos face, we developed the first ever concept of independent consultants available to walk with sacco executives during their digital transformation journey.


Highlights of the Report

By surveying just over 150 saccos, the process of putting together this report covered nearly half of the sacco population in Kenya. We took time to speak to them because today, more than ever, the sacco sub-sector plays an ever increasing role in Kenya's economy and is closely intertwined with the social fabric.


It is therefore in our collective interest that we help each other walk the technology journey in a more effective way that also delivers better experiences for sacco members, builds more inclusive institutions that are able to take on more members safely and ultimately delivers on their respective mandates to enhance the members' financial security.

This need for robust digitalization that is backed by necessary skill sets is paramount today as some of the saccos have grown to offer semi-banking facilities, popularly known as FOSAs. While this evolution is highly commendable, there must be a deliberate effort to empower the sacco managers so that they are able to execute their mandates effectively.

In doing this survey, we identified some of the gaps that exist in the saccos as outlined below:

FIGURE 2: Survey highlights. 74% of saccos do not monitor vendor activities on their networks. The other findings in the figure (shown with the values 96%, 69%, 41%, 55%, 84%, 72%, 60%, 76% and 35%) give the share of saccos that: do not perform regular audits; lack a BCP policy; lack an IT steering committee at the Executive and Board level; lack formal standards for IT governance; spend less than Ksh. 1,000,000 annually; do not perform general user awareness training; have drafted an IT policy; lack a cybersecurity strategy; and manage their cybersecurity in-house.


3 Digitalization

3.1 Digitalization: People
3.2 Digitalization in Sacco Processes
3.3 Digitalization - Technology

Change is blowing across Kenyan saccos.


How has digital transformation affected industries in Kenya?

Case 1: Transportation

Since it was founded, Uber has transformed the ride-hailing industry and grown to become one of the most valuable companies in the world.

FIGURE 3: Uber timeline, 2009 to October 2019. Milestones shown:

- UberCab was founded
- Mobile app officially launched
- UberCab rebrands as Uber. The change is made to stop the company from marketing itself too much like a taxi business. Tensions within the taxi industry would become a recurring theme for Uber.
- Uber unveils its secret, low-cost "UberX" project to the world and becomes a cross between lifestyle and logistics.
- Uber moves into India and Africa
- Uber launches its UberPool service, which lets you split the ride and cost with another person who is riding a similar route. It's the Uber version of carpooling.
- Uber launches UberEats, an on-demand food-delivery service that brings meals to your location in minutes. The service starts in four pilot cities (LA, Barcelona, Chicago and New York City) and expands nationally.
- Operating in 35 cities
- Little Cab launched in Kenya
- Taxify launched in Kenya
- Uber announces an airport helicopter taxi service available to all users from JFK airport
- Uber launches Uber Works to connect workers who want temporary jobs with businesses. The app is available in Chicago only as a start.


Case 2: Saccos Journey

FIGURE 4: The Saccos' journey, covering the 1990s, 2000s, 2009, 2010 - 2015, 2016 - 2018, 2018 and 2019. Milestones shown:

- Saccos mainly based in one region
- Data processing and member onboarding done through Excel documents and forms
- Front Office Service Activity (FOSA) introduced to improve efficiency of service delivery, with over-the-counter transactions being the main mode of withdrawing and depositing funds
- CEO's role mainly focused on the financial success of the Sacco
- Sacco Societies Regulatory Authority (SASRA) formed
- Saccos branch out to serve members in different regions within Kenya
- Massive adoption of Enterprise Resource Planning systems (ERPs)
- Massive adoption of mobile money for transaction processing
- SASRA released guidelines on Cybersecurity Risk Management
- CEO's role mainly focused on regulatory compliance issues
- CEO's role mainly focused on 1. increasing efficiency and effectiveness, 2. reducing risk, 3. gaining a competitive advantage
- Massive adoption of Automated Teller Machines by Saccos
- Saccos adopt core banking systems for transaction and data processing


3.1 Digitalization: People

3.1.1 Human Resource Management

Successful digital transformation is really all about people.

People have to transform for effective digital transformation to occur. This change is extremely hard. People often need to know how the changes will affect them. As organisations undergo digital transformation, people worry whether or not they will be able to perform, and some wonder if they should start looking for a different employer.

Saccos need to get clear on the role, or roles, people will play in the process. Who should be involved?

- Who's in charge? Who owns the transformation?
- Who needs to work better together to make digital a new way of life?
- Do you have the right people with the right skill sets?
- Will you need to outsource?
- Can you build a transformation engine fast enough, or would bringing in outside experts speed things up?
- Dynamics of a multigenerational workforce: the workplace now brings together a dynamic workforce ranging from Gen X to millennials and Gen Z. Bridging the divide that comes with these generations falls under the human resource docket.

Address these aspects first and then clearly define roles. Without the right people and the right alignment, digital transformation will remain just one more siloed initiative.

3.1.2 Governance: Sacco Organisation Structures

Sacco boards are increasingly being called upon to include more IT and Cybersecurity skills in order to effectively steer the organisation in this digital age.

3.1.3 Vendor Profiles

Today, Saccos are outsourcing a range of IT services so they can concentrate on their core disciplines and ensure best-in-class IT for their business. These include:

- Mobile banking integrators
- Technology vendors (firewalls/routers/switches)
- System vendors (CRM, email)
- Managed Security Services vendors

3.1.4 Skills

Previously, skills were focused on basic computer software, including Microsoft Word and Excel.

Today, saccos possess more sophisticated skills such as CRM management, internal audit and IT systems deployment.

Can Your Organization Meet The Demand for Digital Talent? The 2019 Africa Cybersecurity Report indicates that 90% of companies will face a skills shortage in 2019/2020.

Limited skills also pose a hindrance to digital transformation. As the complexity of our business ecosystem increases, the focus will shift further to capabilities like auditing, technology implementation and support, remediation and advanced analytics.


3.2 Digitalization in Sacco Processes

3.2.1 Business Continuity Process (BCP)

Despite the reality of growing reliance on technology for information processing and storage, a significant number of saccos are still heavily reliant on documents, spreadsheets and files for information storage. This is partly attributed to lack of knowledge of better options and to conservatism. The challenge with the use of such files is securing them effectively, yet some organisations are constrained by a lack of sufficient financial resources to adopt more modern and reliable options.

The transition:

FIGURE 5: Before and after (progression from before to after, left to right)

Medium: Papers/Spreadsheets, Local Tape, Hard Disk, Software Backup
Location of Recovery Site: Onsite Disaster Recovery, Offsite Disaster Recovery, Online Disaster Recovery
Adequacy of Site: Cold Site, Warm Site, Hot Site

A quick comparison shows that tape backups are redundant. External hard disks are easier to handle, but can be easily tampered with and need special care.

Cloud computing has the potential to ease the financial burden and improve the time taken to recover from disasters, due to the economies of scale that cloud facilities enjoy by serving multiple organisations.

With the rise in dependency on technology for running sacco services, it is crucial that a separate, remote facility be set up with copies of the information used to run the sacco, such that if a disaster struck and the sacco suffered loss, customers would still receive services as if operations were normal.

Known as a business continuity plan, the facility's use is guided by a structured process of activation and retrieval of information that is then used to normalize operations as fast as possible. This is particularly evident with cloud disaster recovery initiatives such as cloud backup and cloud storage with AWS, Azure and Google Cloud.


Cloud

AWS, Azure and Google Cloud have revolutionised how Saccos conduct business. Cloud computing has been the enabler of digital transformation in the following ways:

- Flexibility: Cloud computing saves a Sacco from the hassle of investing in varying IT resources by providing the required computing resources, infrastructure and platforms on the go. This enables a company to be agile and flexible.

- Cost-effective: The sacco is not investing in physical servers, applications and maintenance.

- Security and availability: If your core systems such as databases and applications are hosted in-house, then you constantly face the risk of losing critical information due to data breaches, unexpected system shutdowns, disasters, brute force attacks etc. In the case of cloud hosting, you can easily create multiple backups of your data.

3.2.2 Customer Experience and Interaction

Members want a more personalized relationship with their saccos and tailored offers reflecting their association. Customer experience is now considered "King", shifting the focus of marketing and distribution teams to continually improving the customer experience journey.

Skills and experience in technology have enabled Serianu to come up with the following three-pronged strategy to deliver exceptional services to our clients:

Mobility: Members want mobility and easy access to their money.

Analytics: Technologies such as ERP, CRM and SIEM perform complex analytics, providing saccos with insights.

Interactive: More interaction points with members allow for more focused service delivery.


3.3 Digitalization - Technology

3.3.1 FOSA/BOSA

Allows for faster, more efficient and transparent withdrawal and depositing of members' cash.

FIGURE 6: Customer to Sacco Teller flow, with real-time transaction processing for account opening, loan application and withdrawal.

3.3.2 CRM to Core Banking

Digital transformation has seen saccos move from using Excel spreadsheets to CRM and later to core banking systems.

3.3.3 Customer Interaction Channels

The growing number of touchpoints — social media, mobile apps, email, web self-service — has enabled Saccos to uniquely respond to customer needs faster than ever before. Key channels are:

3.3.4 Mobile Money

The evolution of the mobile phone market has opened avenues for mobile money services to thrive. Here are a number of reasons why mobile banking is growing:

- Cost saving
- Ease of use: Mobile money helps people pay for goods and services and transfer money from almost anywhere, even if they are not near the Sacco office.
- Accessibility: Mobile money transfers provide better reach.
- Convenient savings: Among the benefits of mobile money services is the ability to use the mobile phone to save, and to cash out the money from the Sacco account whenever needed.


Key Pillars of Digital Transformation

FIGURE 7: The four pillars and the question each answers.

Visibility: Do you have all of the information you need?
Control: Are you able to manage your program appropriately?
Compliance: Is your program up-to-date with laws and regulations?
Automation: What else can technology be doing for you?


4 Current State Analysis

4.1 Governance
4.2 IT Security
4.3 Outsourcing Management
4.4 Business Continuity

This analysis was prepared based on data collected from a survey of over 150 Sacco representatives. The respondents included chief executive officers, IT managers, risk and audit teams, and human resource executives.


Our survey review was based on 4 topics: Governance, IT Security, Outsourcing Management and Business Continuity.

4.1 Governance

Sacco Boards and management are responsible for setting and overseeing their business strategy and risk appetite and should ensure that IT risk is considered in this context. In addition, management is responsible for the effective implementation of the Sacco's business and IT strategies.

For the vast majority of Saccos, IT is a core enabler of the business with most, if not all, of the critical business functions supported by IT. As such, it is important that the IT strategy is comprehensive and aligned with the overall business strategy so that it can deliver on objectives to support the current and future strategic direction of the Sacco.

Our survey revealed the following.

4.1.1 Cybersecurity Strategy

FIGURE 8: Do you have a Cybersecurity strategy? Response options: No, Yes, In Progress, Not Sure (values shown in the figure: 38%, 1%, 1%, 60%).

This strategy provides saccos with a framework to execute cybersecurity responsibilities during the coming years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience.


FIGURE 9: Which standards are used for IT governance at your institution? No Formal Standards 84%; the remainder is split between ISO and Others (COBIT/ISO/ITIL) at 10% and 6%.

COBIT - Control Objectives for Information and Related Technology
ISO - International Organization for Standardization
ITIL - Information Technology Infrastructure Library

FIGURE 10: To what extent does your institution have an IT steering committee at the Executive and Board level? Response options: no processes and procedures in place for IT strategy and governance; a formal ICT committee at the executive and board levels; IT governance is ad hoc/reactive/informal; we have an IT committee at the Exco but nothing at the board level (values shown in the figure: 35%, 23%, 22%, 20%).

IT steering committees allow for focused IT discussions.


4.1.2 Digital Strategy

FIGURE 11: Do you have an IT and Digital Strategy in place? No 69%; Yes 31%.

Failing to plan for digital transformation is planning to fail.

4.1.3 Cybersecurity Budget

FIGURE 12: How much was your Cybersecurity Budget? Responses for 2018 and 2019 across four bands: KES 1 - 100,000; KES 100,001 - 500,000; KES 500,001 - 1,000,000; and KES 1,000,000+ (values shown in the figure: 54%, 44%, 10%, 6%, 6%, 3%, 36%, 14%).

Our review found that the overall understanding of IT governance and approach varies, ranging from good knowledge and practice to being highly dependent on external support from IT service suppliers and third-party consultants who provide both IT services and assurance.


4.1.4 IT Governance Best Practice

z Design a robust IT governance structure to facilitate effective oversight of the management of IT risks, reflective of the scale and complexity of the business dependency on IT;

z Document policies, standards and procedures which address the identification, monitoring, mitigation and reporting of the Sacco’s IT related risks in place;

z Regular review of IT policies, standards and procedures to reflect changes in the internal IT operating environment and the external security environment;

z Independent assurance on the effectiveness of the IT risk management, internal controls and governance processes within the Sacco.

4.1.5 SASRA’s Guidelines for IT Governance

The Board of Directors has the ultimate responsibility for Cybersecurity. Oversight from the top means:

• Cybersecurity awareness for the board.

• Defining clear metrics for measuring and monitoring the performance and effectiveness of the Cybersecurity program.

• Providing an adequate budget for implementation of IT security controls.

Senior Managers are responsible for the implementation and monitoring of Cybersecurity policies, controls and procedures.

• Determine and Reduce the Cyber Risk Exposure Value: Senior managers should focus on determining their Cyber Risk Exposure and implement controls to minimize this exposure. Focus should be on understanding the business environment in terms of:

  - People Skills: Empower the people with the required technical and analytical skills to Detect, Respond to and Contain Cyber threats.

  - Process: Define operating procedures for all business critical processes as per best practice.

  - Technology: Put in place the right technology to support Cybersecurity.


4.2 IT Security

IT risk profiles are increasing due to increased mobile banking adoption, growing complexity of IT risk factors, including those driven by the types and numbers of systems used, expanding branch networks, and increased connectivity to external IT networks.

Our survey revealed the following:

4.2.1 Management of Cybersecurity

FIGURE 13: How do you manage Cybersecurity? Options: Inhouse, None, Outsources. Values shown: Outsources 26%; the other two values, 33% and 41%, are for Inhouse and None.

The majority of saccos manage their IT security in-house. However, this role is not dedicated to security: IT doubles up as helpdesk and cyber security support.

4.2.2 Frequency of Audits

FIGURE 14: How often are internal information security and privacy audits performed? Not Frequent 39%; Quarterly 17%; Annually 29%; Adhoc 16%.

Regular health checks of your environment are key to faster threat identification.


4.2.3 Biggest Challenge In Remediation Of Audit Gaps

FIGURE 15: What’s Your Biggest Challenge In Remediation Of Audit Gaps? Limited Technical Skills 60%; Inadequate budget to remediate gaps 31%; Too many gaps to be remediated 8%; We don’t have an IT system 1%.

The greatest challenge for saccos when remediating audit gaps is limited technical skills and inadequate budgets to remediate gaps.

4.2.4 Training and Awareness

FIGURE 16: Do You Conduct Cyber Security Training For Your Employees? Never 51%; Yes, Adhoc 21%; Yes, Annually 13%; Yes, Quarterly 9%; Yes, Semi Annually 6%.

72% of Saccos don’t train their employees or only perform ad-hoc training.


4.2.5 IT Security Best Practice

• Document and implement an IT Security Policy in the Sacco. Areas to be implemented within the policy include assessing and validating whether:

  - The policy is appropriate and fit for purpose;

  - Perimeter security is in place, e.g., firewalls, DMZ, web application firewalls, IDS/IPS, logging and monitoring;

  - Regular penetration testing is taking place, e.g. by an independent competent specialist;

  - All employees, including IT staff, receive IT security awareness training; and

  - Vulnerabilities are identified, analyzed, classified and patched accordingly and within an acceptable timeframe.

• Maintain a thorough inventory of IT assets, including all physical components of the IT network, both hardware and software, classified by business criticality.

• Risk register: Develop and maintain an up-to-date list of IT risks, whereby the risks are prioritized and described in sufficient detail so as to be clearly understood by the Sacco, enabling their proactive management.

• Saccos should develop and implement security awareness training programs to train their employees and members on securing their critical information assets while interacting on digital platforms.

• Security Assessments: Conduct periodic independent reviews and, where warranted, penetration testing. Such reviews should be conducted by individuals with appropriate IT audit expertise, and details of the key findings and associated implications should be provided to the Board. Weaknesses identified in the control environment should be remediated in a timely manner.

• Activity Monitoring: Adequate processes are in place to monitor transactions, access and changes within the Sacco network.


4.2.6 SASRA’s Guidelines for IT Security

• Risk Assessment: Identify and analyze cyber risks facing the organisation.

• Asset Management: Implement processes and tools used to track, control, prevent and correct secure access to the Sacco’s assets.

• Access Controls: Implement processes and tools used to track and control secure access to information according to the formal determination of which persons, devices, computers, and applications have a need and right to access information based on an approved classification.

• Configuration Management: Implement processes and tools used to detect, prevent and correct installation as well as execution of changes on configurations.

• Vulnerability & Patch Management: Implement processes and tools used to detect, prevent and correct security vulnerabilities in the configurations of devices that are listed and approved in the Sacco’s asset inventory database.

• Monitoring: Implement processes and tools used to provide visibility on the network environment.

• Security Awareness: Implement processes to train employees on various cyber defense approaches and good cyber defense habits.


4.3 Outsourcing Management

Saccos are required to have adequate governance and risk management processes in place to effectively address the risks associated with outsourcing of IT services, including cloud services.

(Vendor Management: Exit, termination and transition stages of services from an outsource partner to another third party or back in-house are not included in any outsourcing policies, leaving gaps.)

4.3.1 Vendor Activity Auditing

FIGURE 17: Do you audit vendor activities? No 60%; On a need basis 23%; Yes 10%; I don’t know 7%.

4.3.2 Vendor Activity Monitoring and Alerting

FIGURE 18: Have you implemented monitoring and alerting for vendor activities in your network? No 44%; Only if there is a problem 30%; Yes 25%; All vendor activities are on request 1%.


4.3.3 Outsourcing Best Practice

• Thorough due diligence conducted on prospective IT Service Providers. Due diligence includes consideration of the IT Service Providers’ technical capabilities, performance track record and financial strength and viability. The due diligence also considers whether the IT Service Provider can meet its requirements in relation to service quality and reliability, security and business continuity in normal and stressed circumstances.

• Service Level Agreement: The signed contract between the Sacco and its selected IT Service Provider includes a documented SLA or equivalent. The SLA clearly sets out the nature, quality and scope of the service to be delivered as well as the roles and responsibilities of the contracting parties.

• The SLA includes requirements for:

  - Service levels

  - Availability and

  - Reliability, including measurable performance metrics and remedies for performance shortfalls.

• Vendor access to the network needs to be:

  - On a need basis

  - Restricted to test environments or otherwise

  - Monitored and audited

4.3.4 SASRA’s Guidelines for Outsourcing

• Vendor Access: Implement processes and tools used to track and control secure access to information according to the formal determination of which persons, devices, computers, and applications have a need and right to access information based on an approved classification.


4.4 Business Continuity Management

Without an incident response plan, a Business Continuity Plan, and the skills and budget to implement them, an organisation may not discover a cyber-attack. If the attack is detected, the organisation may not follow good procedures to contain damage, eradicate the attacker’s presence and recover in a secure fashion.

Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible if an effective incident response plan were in place.

4.4.1 Existence of BCP

FIGURE 19: Do you have a Business Continuity Plan in Place? No 76%; Yes 19%; I don’t know 5%.

Without a Business Continuity Plan, a sacco has no guarantee of recovery after an incident.

4.4.2 Budget for BCM

FIGURE 20: Do you have a budget set aside for BCM? No 53%; Yes 38%; I don’t know 9%.


4.4.3 Challenges when implementing BCP

FIGURE 21: Which of the following would you rate as the challenges most experienced when implementing the BCP process? (stacked bar chart; scale: 1 - To a moderate extent, 2 - To a great extent, 3 - To a very great extent)

Challenges listed: Lack of senior management support; Identification of the right stakeholders; Lack of proper training; Identification of the critical services; Lack of human resources; Lack of financial resources.

Percentage triples shown on the chart, in the order extracted: 17% / 33% / 50%; 27% / 30% / 43%; 18% / 24% / 58%; 25% / 43% / 28%; 37% / 21% / 42%; 20% / 27% / 53%.


4.4.4 Business Continuity Management Best Practice

• Have sufficient resources to support effective DR and BC planning, testing and execution, and Sacco management should fully understand their DR plans.

• Documented BIA with complete end-to-end reviews of business critical processes showing the impacted resources, business processes and their interdependencies are in place.

• Saccos should consider a range of plausible events and disaster scenarios; these should cover the loss of people, place of work, Outsource Service Providers and IT systems in their DR and BC planning.

• A documented DR plan is in place that enables the Saccos to recover and resume services in the event of a disaster or emergency situation. The plan includes details of recovery time objectives and recovery point objectives for all IT assets based on business criticality.

• Have a documented backup strategy for critical data in place and conduct regular backup restore tests to verify the restore capabilities for critical systems.

• Ensure DR and BC plans are tested annually.

• DR and BC plans are regularly reviewed (at least annually) and updated to reflect changes in the Sacco’s operating environment and to incorporate lessons learned from testing.

• The Board receives updates on the scenarios considered and the development and testing of DR and BC plans and understands what the objectives of these are, in terms of maintaining availability of critical IT systems and business operations.

• Business Continuity Management: should include the business continuity arrangements in relation to outsourced activities where a defect or failure in its performance would materially impair:

  - The continuing compliance with the conditions and obligations of the Sacco’s registration or its other obligations under the financial services legislation;

  - The Sacco’s financial performance;

  - The soundness or continuity of the Sacco’s financial performance;

  - The soundness or continuity of the Sacco’s business; and

  - Business continuity procedures in place in the event that changes to information systems cause interruption to the business of the Sacco, including roll-back plans, where appropriate.


4.4.5 SASRA’s Guidelines on Business Continuity Management

Implement processes and tools used to manage, recover, and contain their environment after an attack has occurred.


Impact of Digital Transformation

As we embrace digital transformation within Saccos, there is a definite impact on processes and previously used business models.

5.1 Changing Landscape Alters Sacco Behavior

5.2 Optimizing Operations Drives Productivity and Innovation


5.1 Changing Landscape Alters Sacco Behavior

The impacts of digital transformation include:

Fraud: Digitalization now exposes Saccos to new fraud attack vectors such as mobile money platforms, an increased risk of money laundering, ransomware, etc.

Skills: With new technologies in place, Sacco employees are expected to upskill with more technical skills such as systems administration, network architecture, monitoring and remediation.

Service Delivery: Customers expect a more innovative and personalized digital experience.

Regulation: Increased regulatory compliance requirements to ensure members’ investments are protected amid the increase in targeted attacks.

5.2 Optimizing Operations Drives Productivity and Innovation

Optimizing operations means saving costs and boosting revenues. Critical technologies being leveraged for this are:

• Cloud: the most common new technology that saccos are investing in.

• Customer relationship management software and ERPs.

• Modern computer hardware and analytics.


Cyber Risk - Impact of Digital Transformation

Digital transformation is a new, uncharted territory for most Saccos. Many businesses dive in without understanding potential stumbling blocks. As a result, they make key mistakes that can slow down or even derail the whole project.


If you ask any IT manager how their role has shifted over the years, most likely they’ll say that, looking back 20 years, they had a comparatively enviable task when it came to securing their network. 20 years ago, there was a certain simplicity in operations due to the relatively small number of devices they needed to protect.

Today, with the sharp increase in the use of mobile, email and other technologies in the workplace, there has been a surge in the number of weak access points that an attacker can leverage to attack Sacco networks. As a result, the entire cyber battlefield has evolved and become far more complex.

Key Risk factors include:

• Execution risks: Service interruptions, poor quality servicing, non-compliance with Sasra;

• Performance risks: Adverse staff performance, software design flaws, poorly defined processes;

• Capacity/Capability risks: Lack of technical skills, knowledge and experience;

• Fraud: Losses stemming from internal and external persons’ fraudulent actions.


6.1 Five Missteps Saccos Make In Digital Transformation Journey

Digital transformation is a new, uncharted territory for most Saccos. Many businesses dive in without understanding potential stumbling blocks. As a result, they make key mistakes that can slow down or even derail the whole project.

What are these mistakes? Here are five mistakes to avoid in your digital transformation journey.

#1 Starting out without a clearly defined digital transformation vision and strategy.

#2 Implementing technologies over poorly designed and architected networks.

#3 Poor governance and accountability structure to ensure program success and buy-in.

#4 Inadequate metrics for proper measurement of visibility and Return on Investment.

#5 Thinking that digital transformation is just a technology change.


Over the past 12 months, we have noted an increase in mobile banking fraud targeting saccos.

Priorities for 2020


We have identified 4 techniques being used by criminals as follows:

STEP 1: Cyber criminals install malicious software on sacco computers to steal passwords.

STEP 2: Cyber criminals make unauthorized changes to customer accounts.

STEP 3: Cyber criminals send money from the compromised customer accounts to fraudulent accounts.

STEP 4: Cyber criminals withdraw cash via Mobile and ATM within a span of 24 hrs.

Impact: Loss of money and critical data, loss of confidence in the Sacco by members.

7.1 Transaction Monitoring

• All Saccos running mobile banking transactions need to put in place real time fraud and transaction monitoring focusing on:

• Review the Core Banking System (CBS) and Mobile Application/Bridge: Review and validate on a regular basis that the mobile banking account details held in the CBS and in the mobile application/bridge are accurate and agree.

• Mobile Application portals by external providers:

  - Have a dedicated/secured VPN connection for vendors.

  - Access to vendor hosted platforms should not be open to the public, but rather limited to the private network only.

  - Ensure you have audit logs for all user activities.

Way Forward For Saccos

Based on our experience, we have compiled a list of IT and Operational recommendations that you should implement to fully Anticipate, Detect and Respond to such attacks in future.


7.2 Operational Monitoring Controls For Your Organisations To Consider

• Review and validate all existing customer account details, especially mobile banking data.

• Newly added mobile banking accounts need a waiting period of 48 hours or physical validation of the account holder before transactions are allowed.

• All database changes to customer data must be reviewed and validated.

• Transfers to multiple accounts from one source must be reviewed and tracked.
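The monitoring controls in 7.1 and 7.2 (CBS-to-bridge account reconciliation, the 48-hour waiting period for newly added mobile accounts, and review of transfers from one source to multiple accounts) expressed as rule checks over constructed sample data. This is an added example, not code from the report or from Serianu; the 30-minute fan-out window and the three-destination threshold are assumed values, and all member records, phone numbers and transactions are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WAITING_PERIOD = timedelta(hours=48)     # 7.2: new mobile accounts wait 48h or get physical validation
FAN_OUT_WINDOW = timedelta(minutes=30)   # assumed review window for one-source-to-many transfers
FAN_OUT_THRESHOLD = 3                    # assumed number of distinct destinations that triggers review

# Constructed sample data. CBS_ACCOUNTS = the core banking system of record;
# BRIDGE_ACCOUNTS = what the mobile application/bridge holds for the same members.
CBS_ACCOUNTS = {
    "M1001": {"msisdn": "+2547000000001", "id_number": "ID001"},
    "M1002": {"msisdn": "+2547000000002", "id_number": "ID002"},
    "M1003": {"msisdn": "+2547000000003", "id_number": "ID003"},
}
BRIDGE_ACCOUNTS = {
    "M1001": {"msisdn": "+2547000000001", "id_number": "ID001",
              "registered": datetime(2019, 9, 1, 9, 0), "verified_in_person": True},
    # Phone number on the bridge no longer matches the CBS record (a 7.1 reconciliation finding).
    "M1002": {"msisdn": "+2547000000099", "id_number": "ID002",
              "registered": datetime(2019, 9, 1, 9, 0), "verified_in_person": True},
    # Registered two hours before it transacts and never validated in person (7.2 waiting period).
    "M1003": {"msisdn": "+2547000000003", "id_number": "ID003",
              "registered": datetime(2019, 11, 4, 8, 0), "verified_in_person": False},
}
TRANSACTIONS = [
    {"ts": datetime(2019, 11, 4, 10, 0), "src": "M1003", "dst": "X9001", "amount": 40000},
    {"ts": datetime(2019, 11, 4, 10, 5), "src": "M1001", "dst": "X9002", "amount": 15000},
    {"ts": datetime(2019, 11, 4, 10, 9), "src": "M1001", "dst": "X9003", "amount": 15000},
    {"ts": datetime(2019, 11, 4, 10, 12), "src": "M1001", "dst": "X9004", "amount": 15000},
    {"ts": datetime(2019, 11, 5, 15, 0), "src": "M1002", "dst": "X9005", "amount": 2000},
]


def reconcile_accounts(cbs, bridge):
    """7.1: compare mobile-banking account details on the bridge with the CBS.
    Returns one (member, reason) per member whose details differ or who exists only on the bridge."""
    alerts = []
    for member, rec in bridge.items():
        truth = cbs.get(member)
        if truth is None:
            alerts.append((member, "present on mobile bridge but not in CBS"))
            continue
        for field in ("msisdn", "id_number"):
            if rec[field] != truth[field]:
                alerts.append((member, f"{field} differs: CBS={truth[field]} bridge={rec[field]}"))
    return alerts


def check_waiting_period(txn, bridge):
    """7.2: hold transactions from a mobile account younger than 48 hours unless the
    account holder was physically validated. Returns a reason string, or None if allowed."""
    rec = bridge.get(txn["src"])
    if rec is None:
        return "source account unknown to mobile bridge"
    if rec["verified_in_person"]:
        return None
    age = txn["ts"] - rec["registered"]
    if age < WAITING_PERIOD:
        return f"account registered {age} ago, inside the {WAITING_PERIOD} waiting period"
    return None


def detect_fan_out(txns):
    """7.2: flag one source sending to several distinct accounts within a short window.
    Returns {source: sorted destinations} for every source over FAN_OUT_THRESHOLD."""
    by_source = defaultdict(list)
    for t in sorted(txns, key=lambda t: t["ts"]):
        by_source[t["src"]].append(t)
    flagged = {}
    for src, events in by_source.items():
        start = 0
        for end in range(len(events)):
            # Slide the window so that events[start:end + 1] all fall within FAN_OUT_WINDOW.
            while events[end]["ts"] - events[start]["ts"] > FAN_OUT_WINDOW:
                start += 1
            dests = {e["dst"] for e in events[start:end + 1]}
            if len(dests) >= FAN_OUT_THRESHOLD:
                flagged[src] = sorted(dests)
    return flagged


def run_monitoring(cbs=CBS_ACCOUNTS, bridge=BRIDGE_ACCOUNTS, txns=TRANSACTIONS):
    """Run all three checks and return human-readable alerts for the review queue."""
    alerts = [f"RECONCILE {m}: {why}" for m, why in reconcile_accounts(cbs, bridge)]
    for t in txns:
        reason = check_waiting_period(t, bridge)
        if reason:
            alerts.append(f"HOLD {t['src']}->{t['dst']} {t['amount']}: {reason}")
    for src, dests in detect_fan_out(txns).items():
        alerts.append(f"FAN-OUT {src}: {len(dests)} destinations within {FAN_OUT_WINDOW}: {dests}")
    return alerts


if __name__ == "__main__":
    for line in run_monitoring():
        print(line)
```

On the constructed data this produces three alerts: a CBS/bridge mismatch for M1002, a hold on the M1003 transaction, and a fan-out review for M1001.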

7.3 IT Controls (IT Team, Application Administrators, Transaction Initiators And Approvers)

• Perform malware checks for the entire enterprise.

• Review privileged users and their activities on the network on a regular basis.

• Limit remote access to the organisation; all access should be firewall controlled.

• Vendor access should be limited to test environments.

It is critical that you perform an analysis of your environment, validate that these controls have been implemented and that you have visibility of all transactions, vendor activities and changes being made to critical systems by your internal team. This will require the collective cooperation of IT, Risk and Audit.

We encourage Saccos that are unsure of their security posture or of their technical capability to implement the above recommendations, and/or that identify malicious activity or the use of tools or techniques that seem malicious, to contact us on the following:

Sacco Helpdesk: +254 (0) 716 137 017 Cybercrime hotline: +254 (0) 800 221 377 Email: [email protected]


7.4 Things Saccos Should Budget for in 2020

Technologies

• Perimeter: Firewall: for intrusion detection and prevention

• Perimeter: Intrusion Detection System

• Network: DHCP Server: to track IP address allocation and machines within the Sacco

• Network: Network Access Control (NAC): to detect any rogue devices within the Sacco

• Network: Active Directory: to manage access to the Sacco network

• Endpoint: Antivirus: for malware detection within computers and servers

• Application: Database Activity Monitoring

Monitoring & Response Process

• Monitoring (SIEM): for continuous monitoring, analysis and alerting of policy violations and attacks.

• Penetration testing

• Audit and Risk Assessment

• BCP/DR Testing and Review

People and Awareness

• General Awareness training

• Technical Training

• Board Training

• Business Managers Training (HR, Finance, Procurement, Administrators)


Developing a Viable Digitalization Business Case

The right approach to create a winning business case. Sacco digitalization is not a standalone project, particularly when end-to-end transformation is the final goal. Therefore, traditional ways of defining a business case and computing RoI won’t apply.


The Sacco Business Model Canvas

The Sacco Business Model Canvas (BMC) provides Saccos with a structure to design a business that can be unique and compete better in the market. It provides a way to understand how all the different elements come together to deliver your products or services, the underlying cost structure, and profits.

KEY PARTNERS: 3rd party IT service providers (core IT systems; other IT systems); Third party payment service providers; Shared services.

KEY ACTIVITIES: Savings; Lending; Payments; Investments; Risk management; Compliance; Marketing.

PROPOSITIONS: Loans (unsecured; secured); Savings (shares; deposits); Payments (OTC; electronic; payment accounts); Other (insurances).

MEMBER RELATIONS: Saver / Borrower product search, servicing.

COMMON BOND / CUSTOMER SEGMENTS: Segments; Savers; Borrowers.

KEY RESOURCES: Board / Management / Staff; Processes; Operational systems software.

CHANNELS: Branch face to face; Branch self-service; Telephone; Online; ATM (some); Internet; Social media; Mobile.

COST STRUCTURE: Operational costs; Free to member services and insurances.

REVENUE STREAMS: Loan interest income; Investment income; Non-interest income.


The following elements provide an overview of the main business drivers:

• Customer Segments: Who are the customers? What do they think? See? Feel? Do?

• Value Propositions: What’s compelling about the proposition? Why do customers buy and use it?

• Channels: How are these propositions promoted, sold and delivered? Why? Is it working?

• Customer Relationships: How do you interact with the customer through their journey?

• Revenue Streams: How does the business earn revenue from the value propositions?

• Key Activities: What uniquely strategic things does the business do to deliver its proposition?

• Key Resources: What unique strategic assets must the business have to compete?

• Key Partnerships: What can the company not do, so that it can focus on its Key Activities?

• Cost Structure: What are the business’s major cost drivers? How are they linked to revenue?


County Cyber Security Extension Officer Program

The County Cybersecurity Extension Officer Program is a unique offering (modelled around the agriculture extension officer program) where cyber security professionals provide ongoing consulting services to organisations that lack sufficient budget to sustain in-house cybersecurity consultants.


This program allows organisations to utilize the skills and expertise of Serianu’s Cybersecurity extension officers and systems without necessarily hiring in-house teams.

According to the 2018 Africa Cybersecurity Research report, Cybersecurity skills gap in Kenya is at an all-time high.

Kenya has approximately 1800 Skilled Cybersecurity professionals serving over 40 million Kenyans. Organisations are struggling to find the right experts to assist in Anticipating, Detecting, Responding and Containing Cybersecurity issues within their organisations.

In a bid to assist organisations, county governments, Saccos, MFIs and SMEs curb the skills gap shortage and reduce instances of Cybercrime and Cybersecurity related incidents, Serianu has launched the County Cybersecurity Extension Officer Program.


How it works

Serianu’s Cybersecurity extension officers are deployed to various counties within Kenya. These officers offer organisations (and their branches) top-notch Cybersecurity services and consultancy on a bi-weekly basis.

As opposed to the conventional one-off consulting service, this program allows an organisation to interact with our experts on a continuous basis to ensure that the overall cybersecurity posture of an organisation improves.

Target

• Organisations with branches outside Nairobi

• County Governments

• Saccos

• Microfinance Institutions

• Co-operatives

• Other SMEs

Key Activities

• IT / Cybersecurity Strategy Review

• Disaster Recovery Review

• Business Continuity Review

• Remediation of Audit findings

• Security Awareness Training


Benefits

Regular check-up on cybersecurity posture

• Review your organisation’s Cybersecurity posture with industry experts

• Review your compliance and regulatory compliance posture

• Suggest measures to improve IT related procedures, operations and processes.

Technical expertise

• Improve the technical skills and capabilities of your organisation/branch by utilizing Serianu’s Cyber Security extension officers.

• Revise and analyze IT operations and systems, hardware configurations, physical security and operating procedures across the organisation.

• Consult and comply with set controls, standards, policies and procedures while carrying out IT activities.

• Suggest and execute IT technologies, strategies and policies to guard information assets.

• Recommend solutions for explaining risks and reducing exposure areas.

To sign-up contact Serianu at [email protected]


CVEQ™ Assessment Tool for Saccos


Five Step Cyber-Risk Benchmarking Tool

Powered by

CVEQ™ - Africa’s Cyber Visibility Tool Customized for SACCOS

Technical Partner

IRM East Africa Regional Group

This five step cyber-risk benchmarking tool was purposely built to assist Saccos and Microfinance Institutions to make quick and accurate assessment of their cybersecurity readiness.

This tool enables Saccos to clearly communicate to senior management and directors on their capabilities and readiness to anticipate, detect, respond and contain emerging cyber threats. It also enables Saccos to identify areas of weaknesses within their environment to facilitate budgeting, remediation and risk quantification.

Follow the five steps to assess your Sacco:

1. Cyber Risk Profile
2. Cyber Risk Governance
3. Cyber Risk Visibility
4. Cyber Risk Metrics
5. Cyber Risk Exposure

Each step contains a set of questions as well as guidelines on how to carry out the assessment.

For each question award yourself:

1 point – You are confident that the element is fully met

Half a point – A degree of coverage can be demonstrated

No score – Coverage cannot be demonstrated

Step One: Cyber Risk Profile

Step one enables Saccos to determine their sources and levels of inherent risks prior to implementing mitigating controls. A cyber-risk profile provides a holistic view of the Sacco environment and the major risk factors.

Use the checklist below to assess your Risk Profile:

# | Control Area | Fully Compliant (Score: 1) | Partially Compliant (Score: 0.5) | Not Compliant (Score: 0)

1 Connections: Has the Sacco assessed, documented and communicated risks posed to the organisation by internet/wireless connections?

2 Internal Applications: Has the Sacco assessed, documented and communicated risks posed to the organisation by internal applications supporting critical activities?

3 External Applications: Has the Sacco assessed, documented and communicated risks posed to the organisation by external applications?

4 Customers: Has the Sacco assessed, documented and communicated risks posed to the organisation by its customers using online applications (mobile, web)?

5 Delivery Channels: Has the Sacco assessed, documented and communicated risks posed to the organisation by delivery channels?

6 Employees/Consultants: Has the Sacco assessed, documented and communicated risks posed to the organisation by employees (Including IT consultants)?

7 External/Emerging Threats: Has the Sacco assessed, documented and communicated risks posed to the organisation by emerging or attempted threats?

8 Vendors and Partners: Has the Sacco assessed, documented and communicated risks posed to the organisation by vendors and partners?

9 Regulation and Compliance: Has the Sacco incorporated regulator (SASRA) and industry best practice requirements into the cyber risk management practices?

10 Board and Management: Is the Sacco’s board and senior management actively involved in implementing and managing the cybersecurity program?

TOTAL

Step Two: Cybersecurity Risk Governance

Step two enables Saccos to evaluate the effectiveness of cyber-risk oversight mechanism. An effective program includes: clear governance roles, instituted risk management processes, adequate resources and standardized processes.

Use the checklist below to assess the Sacco’s Cyber Risk Governance Profile:

# | Control Area | Fully Compliant (Score: 1) | Partially Compliant (Score: 0.5) | Not Compliant (Score: 0)

GOVERNANCE

1 Governance: Are cybersecurity issues discussed and approved by the board of directors on a quarterly basis?

2 Strategy: Is there an information security strategy and roadmap that integrates technology, policies, procedures, and training to mitigate risk?

3 Policies and Procedures: Are there written information security policies and procedures that are reviewed annually and communicated to all employees, including information security awareness training?

RESOURCES

4 Resources: Has the process of determining cyber security resources been integrated into business units’ budget processes (this includes staffing, whether internal or outsourced, and tools)?

RISK MANAGEMENT

5 Risk Assessment: Is there a cyber security risk register that is maintained and regularly updated?

6 Risk Metrics: Have cybersecurity metrics been established for showing the security posture over time?

7 Independent Audits: Is independent testing (including penetration testing, system audit, process reviews and vulnerability scanning) conducted according to the risk assessment for external-facing systems and the internal network?

8 Legal Contracts: Are there formal contracts that address relevant security and privacy requirements in place for all third parties that process, store, or transmit confidential data or provide critical services?

STANDARDIZED PROCESSES

9 Information Sharing: Is information shared proactively with the industry, law enforcement, regulators, and information-sharing forums?

10 Incident Response: Have roles and responsibilities for incident response team members been defined?

TOTAL

Step Three: Cyber Risk Visibility

Step three evaluates the visibility (effectiveness and efficiency) of key cyber security controls by gathering data from ongoing security operations and through direct connections to systems and configuration interfaces.

Use the checklist below to assess the Sacco’s Cyber Risk Visibility Profile:

# | Control Area | Fully Compliant (Score: 1) | Partially Compliant (Score: 0.5) | Not Compliant (Score: 0)

1 Vulnerability Management: Are hardware and software vulnerabilities proactively identified and documented?

2 User Access Management: Are privileged rights understood, documented and reviewed in terms of assignment to system and user accounts?

3 Fraudulent Transactions: Are there monitoring capabilities for detection of fraudulent transactions across all channels?

4 Perimeter Controls: Are there network security perimeter defense tools (e.g., border router, IDS, IPS and firewall) deployed to control incoming and outgoing internet traffic?

5 Patching: Are there capabilities to update (e.g., patch, upgrade) commercial software for known security vulnerabilities as per the manufacturer recommendations?

6 Security Awareness: Is annual information security training carried out which covers incident response, current cyber threats (e.g., phishing, spear phishing, social engineering, and mobile security), and emerging issues?

7 Asset Inventory: Is there a detailed and updated inventory of organisational assets (e.g., hardware, software, data, and systems hosted externally) that is regularly maintained?

8 Malware: Is there an installed and regularly updated anti-malware solution on all systems commonly affected by malicious software (particularly personal computers and servers)?

9 Backup and Recovery: Are regular offline backups performed, and is the quality of the backups periodically monitored by testing recovery of the backed-up data?

10 Sensitive Data (structured and unstructured): Are there appropriate tools and processes implemented to detect and prevent unauthorized access and transfer of sensitive data from the corporate network?

TOTAL

Step Four: Cyber Risk Metrics

Step four confirms the availability of key indicators and measurements retrieved from different cybersecurity tools. These metrics facilitate decision making and improve performance and accountability within the Sacco.

Use the checklist below to assess the Sacco’s Cyber-Risk Metrics:

# | Control Area | Fully Compliant (Score: 1) | Partially Compliant (Score: 0.5) | Not Compliant (Score: 0)

1 Rogue Devices: Is there a periodical report that shows the number of unauthorized and unmanaged hardware and software assets on your network?

2 Malware: Is there a periodical report that shows the number of instances of malware that have been detected by anti-malware systems?

3 Vulnerabilities: Is there a periodical report that shows the number of systems on the network that have not recently been scanned for vulnerabilities?

4 Unauthorized Access: Is there a periodical report that shows the number of incidents of unauthorized access that have been detected?

5 Fraudulent Transactions: Is there a periodical report that shows unusual transactional patterns that have been detected?

6 Failed Backups: Is there a periodical report that shows how many systems have not been backed up?

7 Privileged Abuse: Is there a periodical report that shows the number of unauthorized administrative accounts that have been detected?

8 Unauthorized Access: Is there a periodical report that shows incidents of login behaviour deviation that have been detected?

9 Database Activities: Is there a periodical report that shows any changes done on the core databases?

10 Remote Access: Is there a periodical report that shows remote logins past business hours?

TOTAL
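Several of the Step Four metrics (items 7 and 10 in particular) only exist if someone turns raw security data into a periodic report. The following is an added example, not part of the report or the CVEQ tool, of how such a report can be produced: it scores two of the metrics, remote logins outside business hours and administrative accounts not on an approved list, over constructed sample data. The log format, the 08:00 to 20:00 business-hours window, the host names, user names and the RFC 5737 documentation IP addresses are all assumptions made for the example.

```python
"""Added example: periodic report for two CVEQ Step Four metrics.

Not from the Sacco Cybersecurity Report or the CVEQ tool. The log line
format, business-hours window, hosts and accounts are constructed.
"""
from collections import Counter
from datetime import datetime, time

# Constructed remote-access log lines (assumed format:
# ISO timestamp, user, source IP, result). IPs are from RFC 5737 ranges.
REMOTE_LOGINS = """\
2019-05-06T08:15:02 jmwangi 192.0.2.10 SUCCESS
2019-05-06T21:47:33 akamau 198.51.100.5 SUCCESS
2019-05-06T23:05:10 akamau 198.51.100.5 SUCCESS
2019-05-07T02:12:44 svc_backup 203.0.113.7 SUCCESS
2019-05-07T10:30:00 jmwangi 192.0.2.10 FAILURE
2019-05-07T19:59:59 mnjoroge 203.0.113.9 SUCCESS
2019-05-07T20:00:00 mnjoroge 203.0.113.9 SUCCESS
"""

# Assumed business hours: 08:00 inclusive to 20:00 exclusive.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(20, 0)

# Constructed: admin accounts observed per host vs. the approved admin list.
OBSERVED_ADMINS = {
    "CORE-DB01": {"Administrator", "dbadmin", "akamau"},
    "MBANK-APP01": {"Administrator", "appadmin", "tmpadmin"},
}
APPROVED_ADMINS = {
    "CORE-DB01": {"Administrator", "dbadmin"},
    "MBANK-APP01": {"Administrator", "appadmin"},
}


def parse_logins(text):
    """Parse the constructed log format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "src": src, "result": result})
    return records


def after_hours_remote_logins(records, start=BUSINESS_START, end=BUSINESS_END):
    """Step Four item 10: successful remote logins outside business hours.

    A login at exactly 20:00:00 is after hours; 19:59:59 is not.
    Failed attempts are left to a separate failed-login metric.
    """
    return [r for r in records
            if r["result"] == "SUCCESS" and not (start <= r["ts"].time() < end)]


def unauthorized_admin_accounts(observed, approved):
    """Step Four item 7: admin accounts on a host that are not on its approved list.

    A host missing from the approved list has every admin account flagged.
    """
    result = {}
    for host, accounts in observed.items():
        extra = accounts - approved.get(host, set())
        if extra:
            result[host] = sorted(extra)
    return result


def build_report(records, observed, approved):
    """Assemble the figures a periodic report to management would carry."""
    after_hours = after_hours_remote_logins(records)
    rogue_admins = unauthorized_admin_accounts(observed, approved)
    return {
        "remote_logins_after_hours": len(after_hours),
        "after_hours_by_user": dict(Counter(r["user"] for r in after_hours)),
        "unauthorized_admin_accounts": sum(len(v) for v in rogue_admins.values()),
        "unauthorized_admin_detail": rogue_admins,
    }


if __name__ == "__main__":
    report = build_report(parse_logins(REMOTE_LOGINS), OBSERVED_ADMINS, APPROVED_ADMINS)
    for name, value in report.items():
        print(f"{name}: {value}")
```

The two metrics deliberately take different inputs: the after-hours count is derived from event logs, while the unauthorized-admin count is a reconciliation of a current state snapshot against an approved baseline. Both kinds of source are needed to answer the Step Four checklist, and the boundary handling (a login at exactly 20:00:00 counts as after hours; a host absent from the approved list has all its admins flagged) is the sort of rule that should be written down alongside the report so that the numbers are reproducible from period to period.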

Step Five: Cyber Risk Exposure

Step five assesses the Sacco’s preparedness in detecting, responding to and containing potential cyber breaches. This enables a Sacco to determine its susceptibility to cyber-attacks (sabotage, Intellectual Property (IP) theft or fraud).

Use the checklist below to assess the Sacco’s Cyber-risk Exposure:

# | Control Area | Fully Compliant (Score: 1) | Partially Compliant (Score: 0.5) | Not Compliant (Score: 0)

1 Mobile Channel Fraud: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of mobile fraud?

2 Ransomware: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of ransomware?

3 Data Tampering (Structured or Unstructured): Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of data tampering?

4 System Unavailability: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of system unavailability?

5 Payment Fraud: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of payment fraud?

6 Email Phishing: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of email phishing?

7 Vulnerability Exploitation: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of vulnerability exploitation?

8 Privilege Abuse: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of privilege abuse?

9 Rogue Device: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of rogue devices?

10 Third Party Breach: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of third party breach?

TOTAL

How did you score?

0 - 17: Low Visibility Levels

The Sacco is falling well short of baseline cybersecurity practices and is not adequately protecting its IT assets. Briefing stakeholders accurately on the cybersecurity posture of the organisation may be difficult.

17 - 33: Moderate Visibility Levels

The Sacco has generally implemented some cybersecurity best practices and is thus making progress in providing sufficient protection for its IT assets. Consideration should be given to areas that require improvement.

34 - 50: High Visibility Levels

The Sacco has a well-developed cybersecurity program and is well positioned to further improve its effectiveness. Fine-tuning of existing processes will help improve the cybersecurity posture.

References

SASRA guidelines on cyber security and risk management

Central Bank of Kenya Guidelines on Cybersecurity

FFIEC

NIST Framework

https://www.avanade.com/~/media/asset/other/digital-banking-full-report.pdf

About Serianu Limited

For nearly ten years, Serianu has worked tirelessly traversing the African continent to scale up the relevance of cyber security alertness, partnering with stakeholders across the full spectrum, from academicians to analysts, government officials and private sector executives.

An award-winning, pan-African, research-driven cybersecurity and risk consulting firm, Serianu enables organisations to anticipate, detect, respond to and contain cyber threats, and specializes in providing cutting-edge research-based consulting and managed services around new and emerging cyber risk areas.

Serianu’s bouquet of services includes threat detection and alerting; cyber security awareness and training; technical and non-technical assessments; forensics and investigations; and remediation support.

For more information, contact:

Serianu Limited
14 Chalbi Drive, Lavington

P. O. Box 56966 - 00200, Nairobi, Kenya

General Information: +254 (0) 20 200 6600

Cyber Crime Hotline: +254 (0) 800 22 1377

Email: [email protected]

https://www.serianu.com