SACCO CYBERSECURITY REPORT 2019
Digital Transformation and Cyber Risk Within Saccos
Table of Contents
1 Introduction ... 5
2 Highlights of the Report ... 10
3 Digitalization ... 13
3.1 Digitalization: People ... 16
3.2 Digitalization in Sacco Processes ... 17
3.3 Digitalization - Technology ... 19
4 Current State Analysis ... 21
4.1 Governance ... 22
4.2 IT Security ... 26
4.3 Outsourcing Management ... 30
4.4 Business Continuity Management ... 32
5 Impact of Digital Transformation ... 36
5.1 Changing Landscape Alters Sacco Behavior ... 37
5.2 Optimizing Operations Drives Productivity and Innovation ... 37
6 Cyber Risk - Impact of Digital Transformation ... 38
6.1 Five Missteps Saccos Make In Digital Transformation Journey ... 40
7 Priorities for 2020 ... 41
7.1 Transaction Monitoring ... 42
7.2 Operational Monitoring Controls For Your Organisations To Consider ... 43
7.3 IT Controls (IT Team, Application Administrators, Transaction Initiators And Approvers) ... 43
8 Developing A Viable Digitalization Business Case ... 45
9 Cyber Security Extension Officer Program ... 48
10 CVEQ Assessment Tool for Saccos ... 52
11 References ... 60
This report was prepared by the Serianu CyberThreat Intelligence Team in partnership with the Africa Cyber Immersion Center. We would like to acknowledge the following individuals who, among others, made a major contribution to deliver this report.
©2019 Serianu Limited
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the express permission of the copyright owner. Permission will generally be granted for use of the material from this document on condition that the source is clearly credited as being Serianu Limited.
Contributors: Brencil Kaimba, Martin Mwangi, Barbara Munyendo, Daniel Ndegwa, Nabihah Rishad, Samuel Keige, Ayub Mwangi, Brilliant Kaimba, Daniel Kabucho, Shiela Nyambura, Anne Gikaara, Brian Nyali, George Kiio
Research Coordinators: Cedric Miheso, Sales Lead; Morris Kamethu, Sales Executive; Edwin Shitakule, Sales Executive; Joy Chivile, Sales Executive
We also thank the Serianu Executive Team for the support and guidance they provided: Chief Executive Officer, William Makatiani; Chief Operations Officer, Joseph Mathenge
Design, Layout and Production: Erick Ochola - Tonn Kriation
Introduction
Welcome to the 2nd edition of Serianu's Sacco Cybersecurity Report, dubbed Digital Transformation and Cyber Risk within Saccos. Digital transformation is occurring at every level in the financial sector, from new technology to new transaction channels to heightened customer expectations.
Digital Transformation also known as digitalization, is widely defined as the integration of digital technology into all areas of a business, fundamentally changing how you operate and deliver services and products to customers.
Through the years of the growth of the cooperative movement in Kenya, savings and credit societies (Saccos) have grown in their influence as a medium of financial inclusion, giving many more Kenyans a method of saving and investing.
Owing to their intermediation role, closeness to the members and apparent ease of membership and use of their services, Kenyans are today said to have more accounts with saccos than with the formal commercial banks.
This points to the great role that saccos continue to play in financial intermediation and in narrowing the digital inclusion gap.
It is encouraging to note that a number of saccos have in the last two years embraced modern technology and effectively implemented digitalization in ways that have set a precedent for the sub-sector.
This has led other saccos to emulate them as each tries to join the digitalization bandwagon, but in the process they raise their respective risk profiles and become exposed to system unavailability, third-party compromise and malicious insider breaches.
Following the initial, highly successful survey that we carried out on the state of Kenya's sacco cybersecurity in 2018, Serianu set out to build on its findings to establish the extent to which the sub-sector had implemented our recommendations and picked up learnings from the report.
Brencil Kaimba, Editor-in-chief and Sr. Consultant, Product Strategy & Development, Serianu Ltd
This year, Serianu conducted an extensive survey that polled over 150 Saccos across Kenya. The goal was simple: identify the milestones made by Saccos in their digital transformation journey, establish pain points they encounter and design steps that help them walk this journey successfully.
We set out to listen to the saccos and empathized with the fact that each of them was at a different point in the digitalization journey.
They all admitted that they viewed technology as a great enabler for them in the quest to deliver better services to their members and in the process ensure that their organisations were managed in a better, more efficient manner.
Over the last 12 months, Serianu has interacted with over 1000 Sacco staff members, boards and senior managers. Below is a highlight of our activities.
FIGURE 1: Serianu Sacco engagements, March to November 2019, by month and region (Nyanza, Mombasa, Nairobi, Western, Central, Eastern and Rift Valley). Events shown: Kisumu Saccos Training; ISACA Event; Nairobi Saccos Training; Cotesa Training; Kakamega Board Training; Cooperatives Training; Kerugoya Saccos Training; Nyanza Sacco Board Members Training; Nairobi Sacco Board Members Training; Kakamega General User Awareness; Meru Saccos Training; Tharaka Nithi Saccos Training; Naivasha General User Awareness; Bomet General User Awareness; Kisii Sacco Board Training; Kilifi Sacco Day; Mombasa Sacco Day; Friday Sacco Session at Serianu; Embu Saccos Training.
We have split this year's report into various sections as follows:
1. The digital transformation of Saccos, focusing on:
- People: People change means upskilling and reskilling. The critical question to ask is: do you have the right people with the right skill sets?
- Process: Process changes, including customer experience and interactions, that have transformed the sacco sub-sector.
- Technology: Key technological changes that have occurred within Saccos, their impact and the risks they are exposed to.
2. Current State Analysis (Survey Analysis)
This section summarizes key findings from the survey conducted. Primary themes discussed here cover:
- Governance: In this section we look at the board's role in ensuring the success of IT security programs and the overall digital strategy, key challenges faced by board members and best practice to follow.
- IT Security: This section looks at the management of cybersecurity, competency levels for IT management and challenges in implementing IT security.
- Outsourcing Management: How Saccos are managing vendors from a legal and performance perspective.
- Business Continuity Management: This section looks at how prepared Saccos are in case of a disaster, key challenges faced in this process and best practice.
3. Cyber Risk - Impact of Digital Transformation
It is easy to rush into the digital transformation journey, omitting a deep analysis of the risks and the design of the right roadmap for the sacco. This section looks at the top mistakes organisations make in this journey.
4. Priorities for 2020
As 2019 draws to a close, we have taken the key learnings and summarized them in this section. We also list must-have investments for 2020.
5. County Cyber Security Extension Officers
In order to address the resourcing challenge, and taking into consideration the unique challenges that saccos face, we developed the first-ever concept of independent consultants available to walk with sacco executives during their digital transformation journey.
Highlights of the Report
By surveying just over 150 saccos, the process of putting together this report covered nearly half of the sacco
population in Kenya. We took time to speak to them because today, more than ever, the sacco sub sector
plays an ever increasing role in Kenya’s economy and is closely intertwined into the social fabric.
It is therefore in our collective interest that we help each other walk the technology journey in a more effective way that also delivers better experiences for sacco members, builds more inclusive institutions that are able to take on more members safely and ultimately delivers on their respective mandates to enhance the members' financial security.
This need for robust digitalization that is backed by necessary skill sets is paramount today as some of the saccos have grown to offer semi-banking facilities, popularly known as FOSAs. While this evolution is highly commendable, there must be a deliberate effort to empower the sacco managers so that they are able to execute their mandates effectively.
In doing this survey, we identified some of the gaps that exist in the saccos as outlined below:
FIGURE 2: Gaps identified in the survey (share of surveyed saccos). 74% do not monitor vendor activities on their networks. Other findings shown: do not perform regular audits; lack a BCP policy; lack an IT steering committee at the Executive and Board level; lack formal standards for IT governance; spend less than Ksh. 1,000,000 annually; do not perform general user awareness training; have drafted an IT policy; lack a cybersecurity strategy; manage their cybersecurity in-house. Percentages shown in the figure for these items: 96%, 69%, 41%, 55%, 84%, 72%, 60%, 76%, 35%.
3 Digitalization
3.1 Digitalization: People
3.2 Digitalization in Sacco Processes
3.3 Digitalization - Technology
Change is blowing across Kenyan saccos.
How has digital transformation affected industries in Kenya?
Case 1: Transportation
Since it was founded, Uber has transformed the ride-hailing industry and grown to become one of the most valuable companies in the world.
FIGURE 3: Uber timeline, 2009 to October 2019. Milestones shown: UberCab was founded; mobile app officially launched; UberCab rebrands as Uber (the change is made to stop the company marketing itself too much like a taxi business; tensions with the taxi industry would become a recurring theme for Uber); Uber unveils its secret, low-cost "UberX" project to the world and becomes a cross between lifestyle and logistics; Uber launches its UberPool service, which lets you split the ride and cost with another person riding a similar route, the Uber version of carpooling; Uber launches UberEats, an on-demand food-delivery service that brings meals to your location in minutes, starting in four pilot cities (LA, Barcelona, Chicago and New York City) and expanding nationally; Uber moves into India and Africa, operating in 35 cities; Little Cab launched in Kenya; Taxify launched in Kenya; Uber announces an airport helicopter taxi service available to all users from JFK airport; Uber launches Uber Works to connect workers who want temporary jobs with businesses, available in Chicago only as a start.
Case 2: Saccos Journey
FIGURE 4: Saccos' journey, 1990s to 2019 (periods shown: 1990s, 2000s, 2009, 2010 - 2015, 2016 - 2018, 2018, 2019). Milestones shown: Saccos mainly based in one region; data processing and member onboarding done through Excel documents and forms; Front Office Service Activity (FOSA) introduced to improve efficiency of service delivery, with over-the-counter transactions being the main mode of withdrawing and depositing funds; CEO's role mainly focused on the financial success of the Sacco; Sacco Societies Regulatory Authority (SASRA) formed; Saccos branch out to serve members in different regions within Kenya; massive adoption of Enterprise Resource Planning systems (ERPs); massive adoption of mobile money for transaction processing; SASRA released guidelines on Cybersecurity Risk Management; CEO's role mainly focuses on regulatory compliance issues; Sacco CEO's role mainly focused on 1. increasing efficiency and effectiveness, 2. reducing risk, 3. gaining a competitive advantage; massive adoption of Automated Teller Machines by Saccos; Saccos adopt core banking systems for transaction and data processing.
3.1 Digitalization: People
3.1.1 Human Resource Management
Successful digital transformation is really all about people.
People have to transform for effective digital transformation to occur. This change is extremely hard. People often need to know how the changes will affect them. As organisations undergo digital transformation, people worry whether or not they will be able to perform, and some wonder if they should start looking for a different employer.
Saccos need to get clear on the role, or roles, people will play in the process:
- Who should be involved? Who is in charge? Who owns the transformation?
- Who needs to work better together to make digital a new way of life?
- Do you have the right people with the right skill sets?
- Will you need to outsource?
- Can you build a transformation engine fast enough, or would bringing in outside experts speed things up?
- Dynamics of a multigenerational workforce: the workspace now brings together a dynamic workforce ranging from Gen X to millennials and Gen Z. Bridging the divide that comes with these generations falls under the human resource docket.
Address these aspects first and then clearly define roles. Without the right people and the right alignment, digital transformation will remain just one more siloed initiative.
3.1.2 Governance: Sacco Organisation Structures
Sacco boards are increasingly being called upon to include more IT and Cybersecurity skills in order to effectively steer the organisation in this digital age.
3.1.3 Vendor Profiles
Today, Saccos are outsourcing a range of IT services so they can concentrate on their core disciplines and ensure best-in-class IT for their business. Vendors used include:
- Mobile banking integrators
- Technology vendors (firewalls/routers/switches)
- System vendors (CRM, email)
- Managed Security Services vendors
3.1.4 Skills
Previously, skills were focused on basic computer software, including Microsoft Word and Excel. Today, saccos possess more sophisticated skills such as CRM management, internal audit and IT systems deployment.
Can your organization meet the demand for digital talent? The 2019 Africa Cybersecurity Report indicates that 90% of companies will face a skills shortage in 2019/2020.
Limited skills also pose a hindrance to digital transformation. As the complexity of our business ecosystem increases, the focus will shift further to capabilities like auditing, technology implementation and support, remediation and advanced analytics.
3.2 Digitalization in Sacco Processes
3.2.1 Business Continuity Process (BCP)
A quick comparison shows that tape backups are redundant. External hard disks are easier to handle, but can be easily tampered with and need special care.
Cloud computing has the potential to ease the financial burden and improve the time taken to recover from disasters, due to the economies of scale that the facilities enjoy by serving multiple organisations.
Despite the reality of growing reliance on technology for information processing and storage, a significant number of saccos are still heavily reliant on documents, spreadsheets and files for information storage. This is partly attributed to lack of knowledge of better options and conservatism. The challenge with the use of such files is securing them effectively, yet some organisations are constrained by lack of sufficient financial resources to adopt more modern and reliable options.
The transition:
FIGURE 5: Before and after
Medium: Papers/Spreadsheets -> Local Tape -> Hard Disk -> Software Backup
Location of Recovery Site: Onsite Disaster Recovery -> Offsite Disaster Recovery -> Online Disaster Recovery
Adequacy of Site: Cold Site -> Warm Site -> Hot Site
With the rise in dependency on technology for running sacco services, it is crucial that a separate, remote facility be set up with copies of the information used to run the sacco, so that if a disaster strikes and the sacco suffers loss, customers still receive services as if operations were normal.
The facility's use is guided by a structured process of activation and retrieval of information, which is then used to normalize operations as fast as possible; this process is known as a business continuity plan. It is particularly evident in cloud disaster recovery initiatives such as cloud backup and cloud storage with AWS, Azure and Google Cloud.
Cloud
AWS, Azure and Google Cloud have revolutionised how Saccos conduct business. Cloud computing has been an enabler of digital transformation in the following ways:
- Flexibility: Cloud computing saves a Sacco from the hassle of investing in varying IT resources by providing the required computing resources, infrastructure and platforms on the go. This enables a company to be agile and flexible.
- Cost-effective: The sacco does not have to invest in physical servers, applications and maintenance.
- Security and availability: If your core systems such as databases and applications are hosted in-house, you constantly face the risk of losing critical information to data breaches, unexpected system shutdowns, disasters, brute force attacks and so on. With cloud hosting, you can easily create multiple backups of your data. Hosting in the cloud does not, however, transfer responsibility for access control, configuration and restore testing away from the sacco.
3.2.2 Customer Experience and Interaction
Members want a more personalized relationship with their saccos and tailored offers reflecting their association. Customer experience is now considered “King”, shifting the focus of marketing and distribution teams to continually improve the customer experience journey.
Skills and experience in technology have enabled Serianu to come up with the following three-pronged strategy to deliver exceptional services to our clients:
- Mobility: Members want mobility and easy access to their money.
- Analytics: Technologies such as ERP, CRM and SIEM perform complex analytics, providing saccos with insights.
- Interactive: More interaction points with members allow for more focused service delivery.
3.3 Digitalization - Technology
3.3.1 FOSA/BOSA
Allows for faster, more efficient and transparent withdrawal and depositing of members' cash.
FIGURE 6: Real-time transaction processing between the customer and the Sacco teller for account opening, loan application and withdrawal.
3.3.2 CRM to Core Banking
Digital transformation has seen saccos move from using Excel Spreadsheets to CRM and later to Core banking systems.
3.3.3 Customer Interaction Channels
The growing number of touchpoints (social media, mobile apps, email, web self-service) has enabled Saccos to respond to customer needs faster than ever before. Key channels are:
3.3.4 Mobile Money
The evolution of the mobile phone market has opened avenues for mobile money services to thrive. Here are a number of reasons why mobile banking is growing:
- Cost saving
- Ease of use: Mobile money helps people pay for goods and services and transfer money from almost anywhere, even when they are not near the Sacco office.
- Accessibility: Mobile money transfers provide better reach.
- Convenient savings: Among the benefits of mobile money services is the ability to use the mobile phone to save into the Sacco account and to cash out the money whenever needed.
Key Pillars of Digital Transformation
FIGURE 7: Key pillars of digital transformation
- Visibility: Do you have all of the information you need?
- Control: Are you able to manage your program appropriately?
- Compliance: Is your program up-to-date with laws and regulations?
- Automation: What else can technology be doing for you?
4 Current State Analysis
4.1 Governance
4.2 IT Security
4.3 Outsourcing Management
4.4 Business Continuity
This analysis is based on data collected from a survey of over 150 Sacco representatives. The respondents included chief executive officers, IT managers, risk and audit teams, and human resource executives.
Our survey review was based on four topics: Governance, IT Security, Outsourcing Management and Business Continuity.
4.1 Governance
Sacco Boards and management are responsible for setting and overseeing their business strategy and risk appetite and should ensure that IT risk is considered in this context. In addition, management is responsible for the effective implementation of the Sacco's business and IT strategies.
For the vast majority of Saccos, IT is a core enabler of the business with most, if not all, of the critical business functions supported by IT. As such, it is important that the IT strategy is comprehensive and aligned with the overall business strategy so that it can deliver on objectives to support the current and future strategic direction of the Sacco.
Our survey revealed the following.
4.1.1 Cybersecurity Strategy
FIGURE 8: Do you have a Cybersecurity strategy? Responses: No, Yes, In Progress, Not Sure (values shown: 38%, 1%, 1%, 60%).
This strategy provides saccos with a framework to execute cybersecurity responsibilities during the coming years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience.
FIGURE 9: Which standards are used for IT governance at your institution? No formal standards 84%; ISO; Others (COBIT/ISO/ITIL) (values shown: 10%, 6%). COBIT - Control Objectives for Information and Related Technology; ISO - International Organization for Standardization; ITIL - Information Technology Infrastructure Library.
FIGURE 10: To what extent does your institution have an IT steering committee at the Executive and Board level? No processes and procedures in place for IT strategy and governance 35%; a formal ICT committee at the executive and board levels 23%; IT governance is ad hoc/reactive/informal 22%; we have an IT committee at the Exco but nothing at the board level 20%.
IT steering committees allow for focused IT discussions.
4.1.2 Digital Strategy
FIGURE 11: Do you have an IT and Digital Strategy in place? No 69%; Yes 31%.
Failing to plan for digital transformation is planning to fail.
4.1.3 Cybersecurity Budget
FIGURE 12: How much was your Cybersecurity Budget? Bands compared for 2018 and 2019: KES1 - 100,000; KES100,001 - 500,000; KES500,001 - 1,000,000; KES1,000,000+ (values shown: 54%, 44%, 10%, 6%, 6%, 3%, 36%, 14%).
Our review found that the overall understanding of IT governance and approach varies, ranging from good knowledge and practice to being highly dependent on external support from IT service suppliers and third-party consultants who provide both IT services and assurance.
4.1.4 IT Governance Best Practice
- Design a robust IT governance structure to facilitate effective oversight of the management of IT risks, reflective of the scale and complexity of the business's dependency on IT;
- Document policies, standards and procedures which address the identification, monitoring, mitigation and reporting of the Sacco's IT-related risks;
- Regularly review IT policies, standards and procedures to reflect changes in the internal IT operating environment and the external security environment;
- Obtain independent assurance on the effectiveness of the IT risk management, internal controls and governance processes within the Sacco.
4.1.5 SASRA's Guidelines for IT Governance
The Board of Directors has the ultimate responsibility for Cybersecurity. Oversight from the top means:
- Cybersecurity awareness for the board.
- Defining clear metrics for measuring and monitoring the performance and effectiveness of the Cybersecurity program.
- Providing an adequate budget for the implementation of IT security controls.
Senior Managers are responsible for the implementation and monitoring of Cybersecurity policies, controls and procedures.
- Determine and reduce the Cyber Risk Exposure Value: Senior managers should focus on determining their Cyber Risk Exposure and implement controls to minimize this exposure. Focus should be on understanding the business environment in terms of:
  - People skills: Empower people with the required technical and analytical skills to detect, respond to and contain cyber threats.
  - Process: Define operating procedures for all business-critical processes as per best practice.
  - Technology: Put in place the right technology to support Cybersecurity.
4.2 IT Security
IT risk profiles are increasing due to increased mobile banking adoption and the growing complexity of IT risk factors, including those driven by the types and numbers of systems used, expanding branch networks, and increased connectivity to external IT networks.
Our survey revealed the following:
4.2.1 Management of Cybersecurity
FIGURE 13: How do you manage Cybersecurity? In-house 41%; None 33%; Outsourced 26%.
The majority of saccos manage their IT security in-house. However, this role is not dedicated to security: IT doubles up as helpdesk and cyber security support.
4.2.2 Frequency of Audits
FIGURE 14: How often are internal information security and privacy audits performed? Not frequent 39%; Quarterly 17%; Annually 29%; Ad hoc 16%.
Regular health checks of your environment are key to faster threat identification.
4.2.3 Biggest Challenge In Remediation Of Audit Gaps
FIGURE 15: What is your biggest challenge in remediation of audit gaps? Limited technical skills 60%; Inadequate budget to remediate gaps 31%; Too many gaps to be remediated 8%; We don't have an IT system 1%.
The greatest challenges for saccos when remediating audit gaps are limited technical skills and inadequate budgets.
4.2.4 Training and Awareness
FIGURE 16: Do you conduct cyber security training for your employees? Never 51%; Yes, ad hoc 21%; Yes, annually 13%; Yes, quarterly 9%; Yes, semi-annually 6%.
72% of Saccos either do not train their employees or only perform ad hoc trainings.
4.2.5 IT Security Best Practice
- Document and implement an IT Security Policy in the Sacco. Areas to be implemented within the policy include assessing and validating whether:
  - The policy is appropriate and fit for purpose;
  - Perimeter security is in place, e.g. firewalls, DMZ, web application firewalls, IDS/IPS, logging and monitoring;
  - Regular penetration testing is taking place, e.g. by an independent, competent specialist;
  - All employees, including IT staff, receive IT security awareness training; and
  - Vulnerabilities are identified, analyzed, classified and patched accordingly, within an acceptable timeframe.
- Maintain a thorough inventory of IT assets, including all physical components of the IT network, both hardware and software, classified by business criticality.
- Risk register: Develop and maintain an up-to-date list of IT risks, whereby the risks are prioritized and described in sufficient detail so as to be clearly understood by the Sacco, enabling their proactive management.
- Saccos should develop and implement security awareness training programs to train their employees and members on securing their critical information assets while interacting on digital platforms.
- Security assessments: Conduct periodic independent reviews and, where warranted, penetration testing. Such reviews should be conducted by individuals with appropriate IT audit expertise, and details of the key findings and associated implications should be provided to the Board. Weaknesses identified in the control environment should be remediated in a timely manner.
- Activity monitoring: Adequate processes are in place to monitor transactions, access and changes within the Sacco network.
4.2.6 SASRA's Guidelines for IT Security
- Risk Assessment: Identify and analyze cyber risks facing the organisation.
- Asset Management: Implement processes and tools used to track, control, prevent and correct secure access to the Sacco's assets.
- Access Controls: Implement processes and tools used to track and control secure access to information according to the formal determination of which persons, devices, computers, and applications have a need and right to access information based on an approved classification.
- Configuration Management: Implement processes and tools used to detect, prevent and correct installation as well as execution of changes on configurations.
- Vulnerability & Patch Management: Implement processes and tools used to detect, prevent and correct security vulnerabilities in the configurations of devices that are listed and approved in the Sacco's asset inventory database.
- Monitoring: Implement processes and tools used to provide visibility on the network environment.
- Security Awareness: Implement processes to train employees on various cyber defense approaches and good cyber defense habits.
4.3 Outsourcing Management
Saccos are required to have adequate governance and risk management processes in place to effectively address the risks associated with outsourcing of IT services, including cloud services.
(Vendor Management: the exit, termination and transition stages of services from an outsource partner to another third party, or back in-house, are not included in any outsourcing policies, leaving gaps.)
4.3.1 Vendor Activity Auditing
FIGURE 17: Do you audit vendor activities? Responses: No 60%; On a need basis 23%; Yes 10%; I don't know 7%.
4.3.2 Vendor Activity Monitoring and Alerting
FIGURE 18: Have you implemented monitoring and alerting for vendor activities in your network? Responses: No 44%; Only if there is a problem 30%; Yes 25%; All vendor activities are on request 1%.
4.3.3 Outsourcing Best Practice
• Thorough due diligence conducted on prospective IT Service Providers. Due diligence includes consideration of the IT Service Provider’s technical capabilities, performance track record and financial strength and viability. The due diligence also considers whether the IT Service Provider can meet the Sacco’s requirements in relation to service quality and reliability, security and business continuity in normal and stressed circumstances.
• Service Level Agreement: The signed contract between the Sacco and its selected IT Service Provider includes a documented SLA or equivalent. The SLA clearly sets out the nature, quality and scope of the service to be delivered as well as the roles and responsibilities of the contracting parties.
• The SLA includes requirements for:
  - Service levels
  - Availability and
  - Reliability, including measurable performance metrics and remedies for performance shortfalls.
• Vendor access to the network needs to be:
  - On a need basis
  - Restricted to test environments or otherwise
  - Monitored and audited
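To show how the three vendor-access points above (need basis, test environments only, monitored and audited), the same control repeated in 7.3, and the "remote logins past business hours" report in Step Four of the CVEQ tool can be checked against logs, here is an added Python example. It is not from the report and is not Serianu's code: it parses constructed access-log lines, compares each vendor login against an approved access-request list, flags any vendor login on a production host, and lists logins outside business hours. The host names, user names, log format and the 08:00 to 17:00 business window are assumptions made for the example.

```python
"""Added example (not from the report): auditing vendor and remote logins
against the outsourcing best practice rules. All sample data is constructed."""
from datetime import datetime, time

# Assumed business hours for the after-hours login report.
BUSINESS_HOURS = (time(8, 0), time(17, 0))

# Constructed approved access requests: vendor -> [(host, window start, window end)].
# A vendor login is "on a need basis" only if it falls inside one of these windows.
APPROVED_REQUESTS = {
    "vendor-a": [("cbs-test-01", datetime(2019, 11, 4, 9, 0), datetime(2019, 11, 4, 13, 0))],
    "vendor-b": [("mobile-bridge-test", datetime(2019, 11, 4, 14, 0), datetime(2019, 11, 4, 16, 0))],
}

# Constructed inventory of production hosts that vendors must never log in to.
PRODUCTION_HOSTS = {"cbs-prod-01", "mobile-bridge-prod"}

# Constructed access log: "<ISO timestamp> <user> <host> <action>" per line.
ACCESS_LOG = """\
2019-11-04T09:15:00 vendor-a cbs-test-01 login
2019-11-04T12:30:00 vendor-a cbs-test-01 logout
2019-11-04T15:00:00 vendor-b mobile-bridge-test login
2019-11-04T15:30:00 vendor-b mobile-bridge-prod login
2019-11-04T22:10:00 vendor-a cbs-test-01 login
2019-11-05T09:00:00 jdoe cbs-prod-01 login
"""


def parse_log(text):
    """Turn the constructed log lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action})
    return events


def audit_vendor_logins(events, approved, production_hosts):
    """Return (timestamp, user, host, reason) for every vendor login that is
    either on a production host or outside an approved access request."""
    findings = []
    for e in events:
        if e["action"] != "login" or e["user"] not in approved:
            continue  # only vendor logins are audited here
        if e["host"] in production_hosts:
            findings.append((e["ts"], e["user"], e["host"], "production host"))
            continue
        in_window = any(host == e["host"] and start <= e["ts"] <= end
                        for host, start, end in approved[e["user"]])
        if not in_window:
            findings.append((e["ts"], e["user"], e["host"], "outside approved request"))
    return findings


def after_hours_logins(events, hours=BUSINESS_HOURS):
    """Periodical report input: logins whose time of day is outside business hours."""
    start, end = hours
    return [e for e in events
            if e["action"] == "login" and not (start <= e["ts"].time() <= end)]


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    for f in audit_vendor_logins(evs, APPROVED_REQUESTS, PRODUCTION_HOSTS):
        print("VENDOR FINDING:", *f)
    for e in after_hours_logins(evs):
        print("AFTER HOURS:", e["ts"], e["user"], e["host"])
```

On the constructed log the audit raises two findings (a vendor login on a production host and a vendor login at 22:10 outside its approved window) and the after-hours report lists that same 22:10 login; the staff login at 09:00 on a production host is not a vendor event and is left to the privileged-user review in 7.3.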
4.3.4 SASRA’s Guidelines for Outsourcing
• Vendor Access: Implement processes and tools used to track and control secure access to information according to the formal determination of which persons, devices, computers, and applications have a need and right to access information based on an approved classification.
4.4 Business Continuity Management
Without an incident response plan, a Business Continuity Plan, and the skills and budget to implement them, an organisation may not discover a cyber-attack. If the attack is detected, the organisation may not follow good procedures to contain damage, eradicate the attacker’s presence and recover in a secure fashion.
Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible if an effective incident response plan were in place.
4.4.1 Existence of BCP
FIGURE 19: Do you have a Business Continuity Plan in place? Responses: No 76%; Yes 19%; I don't know 5%.
Without a Business Continuity Plan, a Sacco is not guaranteed recovery after an incident.
4.4.2 Budget for BCM
FIGURE 20: Do you have a budget set aside for BCM? Responses: No 53%; Yes 38%; I don't know 9%.
4.4.3 Challenges when implementing BCP
FIGURE 21: Which of the following would you rate as the challenges most experienced when implementing the BCP process?
Challenges rated: lack of senior management support; identification of the right stakeholders; lack of proper training; identification of the critical services; lack of human resources; lack of financial resources.
Rating scale: 1 - To a moderate extent; 2 - To a great extent; 3 - To a very great extent.
4.4.4 Business Continuity Management Best Practice
• Have sufficient resources to support effective DR and BC planning, testing and execution, and Sacco management should fully understand their DR plans.
• A documented BIA, with complete end-to-end reviews of business-critical processes showing the impacted resources, business processes and their interdependencies, is in place.
• Saccos should consider a range of plausible events and disaster scenarios; these should cover the loss of people, place of work, Outsource Service Providers and IT systems in their DR and BC planning.
• A documented DR plan is in place that enables the Sacco to recover and resume services in the event of a disaster or emergency situation. The plan includes details of recovery time objectives and recovery point objectives for all IT assets based on business criticality.
• Have a documented backup strategy for critical data in place and conduct regular backup restore tests to verify the restore capabilities for critical systems.
• Ensure DR and BC plans are tested annually.
• DR and BC plans are regularly reviewed (at least annually) and updated to reflect changes in the Sacco’s operating environment and to incorporate lessons learned from testing.
• The Board receives updates on the scenarios considered and the development and testing of DR and BC plans, and understands what the objectives of these are in terms of maintaining availability of critical IT systems and business operations.
• Business Continuity Management should include the business continuity arrangements in relation to outsourced activities where a defect or failure in performance would materially impair:
  - The continuing compliance with the conditions and obligations of the Sacco’s registration or its other obligations under the financial services legislation;
  - The Sacco’s financial performance;
  - The soundness or continuity of the Sacco’s financial performance;
  - The soundness or continuity of the Sacco’s business; and
  - Business continuity procedures in place in the event that changes to information systems cause interruption to the business of the Sacco, including roll-back plans, where appropriate.
4.4.5 SASRA’s Guidelines on Business Continuity Management
Implement processes and tools used to manage, recover, and contain their environment after an attack has occurred.
Impact of Digital Transformation
As we embrace digital transformation within Saccos, there is a definite impact on processes and previously used business models.
5.1 Changing Landscape Alters Sacco Behavior
The impacts of digital transformation include:
Fraud: Digitalization now exposes Saccos to new fraud attack vectors, such as through mobile money platforms, an increased risk of money laundering, ransomware, etc.
Skills: With new technologies in place, Sacco employees are expected to upskill with more technical skills such as systems administration, network architecture, monitoring and remediation.
Service Delivery: Customers expect a more innovative and personalized digital experience.
Regulation: Increased regulatory compliance requirements to ensure members’ investments are protected amid the increase in targeted attacks.
5.2 Optimizing Operations Drives Productivity and Innovation
Optimizing operations means saving costs and boosting revenues. Critical technologies being leveraged for this are:
• Cloud: the most common new technology that Saccos are investing in.
• Customer relationship management software and ERPs.
• Modern computer hardware and analytics.
Cyber Risk - Impact of Digital Transformation
If you ask any IT manager how their role has shifted over the years, they will most likely say that, looking back 20 years, they had a comparatively enviable task when it came to securing their network. 20 years ago there was a certain simplicity in operations due to the relatively small number of devices they needed to protect.
Today, with the sharp increase in the use of mobile, email and other technologies in the workplace, there has been a surge in the number of weak access points that an attacker can leverage to attack Sacco networks. As a result, the entire cyber battlefield has evolved and become far more complex.
Key risk factors include:
• Execution risks: service interruptions, poor quality servicing, non-compliance with SASRA.
• Performance risks: adverse staff performance, software design flaws, poorly defined processes.
• Capacity/Capability risks: lack of technical skills, knowledge and experience.
• Fraud: losses stemming from fraudulent actions by internal and external persons.
6.1 Five Missteps Saccos Make In Digital Transformation Journey
Digital transformation is a new, uncharted territory for most Saccos. Many businesses dive in without understanding potential stumbling blocks. As a result, they make key mistakes that can slow down or even derail the whole project.
What are these mistakes? Here are five mistakes to avoid in your digital transformation journey.
#1 Starting out without a clearly defined digital transformation vision and strategy.
#2 Implementing technologies over poorly designed and architected networks.
#3 Poor governance and accountability structure to ensure program success and buy-in.
#4 Inadequate metrics for proper measurement of visibility and Return on Investment.
#5 Thinking that digital transformation is just a technology change.
Priorities for 2020
Over the past 12 months, we have noted an increase in mobile banking fraud targeting Saccos.
We have identified 4 techniques being used by criminals as follows:
Step 1: Cyber criminals install malicious software on Sacco computers to steal passwords.
Step 2: Cyber criminals make unauthorized changes to customer accounts.
Step 3: Cyber criminals send money from the compromised customer accounts to fraudulent accounts.
Step 4: Cyber criminals withdraw cash via Mobile and ATM within a span of 24 hrs.
Impact: Loss of money and critical data, loss of confidence in the Sacco by members.
7.1 Transaction Monitoring
• All Saccos running mobile banking transactions need to put in place real-time fraud and transaction monitoring focusing on:
• Review the Core Banking System (CBS) and Mobile Application/Bridge: review and validate, on a regular basis, that the mobile banking account details held in the CBS and in the mobile application/bridge are accurate and consistent.
• Mobile application portals hosted by external providers:
  - Have a dedicated/secured VPN connection for vendors
  - Access to vendor-hosted platforms should not be open to the public, but rather limited to a private network only.
  - Ensure you have audit logs for all user activities
Way Forward For Saccos
Based on our experience, we have compiled a list of IT and Operational recommendations that you should implement to fully Anticipate, Detect and Respond to such attacks in future.
7.2 Operational Monitoring Controls For Your Organisation To Consider
• Review and validate all existing customer account details, especially mobile banking data.
• Newly added mobile banking accounts need a waiting period of 48 hours, or physical validation of the account holder, before transactions are allowed.
• All database changes to customer data must be reviewed and validated.
• Transfers to multiple accounts from one source must be reviewed and tracked.
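Two of the controls above can be checked mechanically against transaction data: the 48-hour waiting period for newly enrolled mobile banking accounts and the review of transfers from one source to multiple accounts. The Python below is an added example, not part of the report and not Serianu's tooling, that applies both rules to constructed enrolment and transfer records. The record layout, the member and account identifiers, and the fan-out threshold (three distinct destination accounts within 24 hours) are assumptions chosen for illustration; a Sacco would tune the threshold to its own transaction volumes.

```python
"""Added example (not from the report): the 48-hour waiting period and the
one-source-to-many-accounts review from section 7.2 applied to constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta

WAITING_PERIOD = timedelta(hours=48)   # new mobile banking accounts wait 48 hours
FANOUT_THRESHOLD = 3                   # assumed: >= 3 distinct destinations triggers review
FANOUT_WINDOW = timedelta(hours=24)    # assumed review window for the fan-out rule

# Constructed mobile banking enrolments: member -> when enrolled, validated in person?
ENROLMENTS = {
    "M001": {"enrolled_at": datetime(2019, 11, 4, 9, 0), "validated_in_person": False},
    "M002": {"enrolled_at": datetime(2019, 11, 4, 9, 30), "validated_in_person": True},
    "M003": {"enrolled_at": datetime(2019, 10, 1, 8, 0), "validated_in_person": False},
}

# Constructed transfers: (transaction id, timestamp, source member, destination account, amount)
TRANSFERS = [
    ("T1", datetime(2019, 11, 4, 10, 0), "M001", "ACC-901", 15000),  # 1 h after enrolment
    ("T2", datetime(2019, 11, 4, 10, 5), "M002", "ACC-902", 5000),   # validated in person
    ("T3", datetime(2019, 11, 5, 11, 0), "M003", "ACC-903", 2000),
    ("T4", datetime(2019, 11, 5, 11, 10), "M003", "ACC-904", 2000),
    ("T5", datetime(2019, 11, 5, 11, 20), "M003", "ACC-905", 2000),
    ("T6", datetime(2019, 11, 5, 11, 30), "M003", "ACC-903", 1000),  # repeat destination
]


def waiting_period_violations(transfers, enrolments, waiting=WAITING_PERIOD):
    """Ids of transfers sent from a mobile banking account that is younger than
    the waiting period and whose holder was not physically validated."""
    flagged = []
    for tid, ts, src, _dst, _amt in transfers:
        enrol = enrolments.get(src)
        if enrol is None or enrol["validated_in_person"]:
            continue  # unknown source is not a mobile account; validated holders are exempt
        if ts - enrol["enrolled_at"] < waiting:
            flagged.append(tid)
    return flagged


def fanout_sources(transfers, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Sources that sent to at least `threshold` distinct accounts inside one
    sliding window, mapped to the sorted set of destinations to be reviewed."""
    by_src = defaultdict(list)
    for _tid, ts, src, dst, _amt in sorted(transfers, key=lambda t: t[1]):
        by_src[src].append((ts, dst))
    result = {}
    for src, events in by_src.items():
        for i, (start, _) in enumerate(events):
            dests = {d for ts, d in events[i:] if ts - start <= window}
            if len(dests) >= threshold:
                result[src] = sorted(dests)
                break
    return result


def review_queue(transfers=TRANSFERS, enrolments=ENROLMENTS):
    """Combine both rules into the list an operations reviewer would work through."""
    queue = [("waiting period", tid) for tid in waiting_period_violations(transfers, enrolments)]
    queue += [("fan-out", f"{src} -> {', '.join(d)}") for src, d in fanout_sources(transfers).items()]
    return queue


if __name__ == "__main__":
    for rule, item in review_queue():
        print(f"{rule}: {item}")
```

On the constructed data, T1 is held because M001 enrolled one hour earlier without in-person validation, T2 passes because M002 was validated at the branch, and M003 is queued for review after sending to three distinct accounts within half an hour; T6 does not add a new destination and so does not change the count.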
7.3 IT Controls (IT Team, Application Administrators, Transaction Initiators And Approvers)
• Perform malware checks for the entire enterprise
• Review privileged users and their activities on the network on a regular basis
• Limit remote access to the organisation; all access should be firewall controlled.
• Vendor access should be limited to test environments
It is critical that you perform an analysis of your environment, validate that these controls have been implemented, and confirm that you have visibility on all transactions, vendor activities and changes being made to critical systems by your internal team. This will require the collective cooperation of IT, Risk and Audit.
We encourage Saccos that are unsure of their security posture or of their technical capabilities to implement the above recommendations, and/or that identify malicious activity or use of tools or techniques that seem malicious, to contact us on the following:
Sacco Helpdesk: +254 (0) 716 137 017
Cybercrime hotline: +254 (0) 800 221 377
Email: [email protected]
7.4 Things Saccos Should Budget for in 2020
Technologies
• Perimeter: Firewall: for intrusion detection and prevention
• Perimeter: Intrusion Detection System
• Network: DHCP Server: to track IP address allocation and machines within the Sacco
• Network: Network Access Control (NAC): to detect any rogue devices within the Sacco
• Network: Active Directory: to manage access to the Sacco network
• Endpoint: Antivirus: for malware detection within computers and servers
• Application: Database Activity Monitoring
Monitoring & Response Process
• Monitoring (SIEM): for continuous monitoring, analysis and alerting of policy violations and attacks.
• Penetration testing
• Audit and Risk Assessment
• BCP/DR Testing and Review
People and Awareness
• General Awareness training
• Technical Training
• Board Training
• Business Managers Training (HR, Finance, Procurement, Administrators)
Developing a Viable Digitalization Business Case
The right approach to create a winning business case. Sacco digitalization is not a standalone project, particularly when end-to-end transformation is the final goal. Therefore, traditional ways of defining a business case and computing RoI won’t apply.
The Sacco Business Model Canvas
The Sacco Business Model Canvas (BMC) provides Saccos with a structure to design a business that can be unique and compete better in the market. It provides a way to understand how all the different elements come together to deliver your products or services, the underlying cost structure, and profits.
KEY PARTNERS: 3rd party IT service providers (core IT systems; other IT systems); third party payment service providers; shared services
KEY ACTIVITIES: savings; lending; payments; investments; risk management; compliance; marketing
PROPOSITIONS: Loans (unsecured; secured); Savings (shares; deposits); Payments (OTC; electronic; payment accounts); Other (insurances)
MEMBER RELATIONS: saver / borrower product search, servicing
COMMON BOND / CUSTOMER SEGMENTS: segments; savers; borrowers
KEY RESOURCES: Board / Management / Staff; processes; operational systems software
CHANNELS: branch face to face; branch self-service; telephone; online; ATM (some); internet; social media; mobile
COST STRUCTURE: operational costs; free-to-member services and insurances
REVENUE STREAMS: loan interest income; investment income; non-interest income
The following elements provide an overview of the main business drivers:
• Customer Segments: Who are the customers? What do they think? See? Feel? Do?
• Value Propositions: What’s compelling about the proposition? Why do customers buy and use it?
• Channels: How are these propositions promoted, sold and delivered? Why? Is it working?
• Customer Relationships: How do you interact with the customer through their journey?
• Revenue Streams: How does the business earn revenue from the value propositions?
• Key Activities: What uniquely strategic things does the business do to deliver its proposition?
• Key Resources: What unique strategic assets must the business have to compete?
• Key Partnerships: What can the company not do itself, so that it can focus on its Key Activities?
• Cost Structure: What are the business’s major cost drivers? How are they linked to revenue?
County Cyber Security Extension Officer Program
The County Cybersecurity Extension Officer Program is a unique offering (modelled around the agriculture extension officer program) where cyber security professionals provide ongoing consulting services to organisations that lack sufficient budget to sustain in-house cybersecurity consultants.
This program allows organisations to utilize the skills and expertise of Serianu’s Cybersecurity extension officers and systems without necessarily hiring in-house teams.
According to the 2018 Africa Cybersecurity Research report, Cybersecurity skills gap in Kenya is at an all-time high.
Kenya has approximately 1800 Skilled Cybersecurity professionals serving over 40 million Kenyans. Organisations are struggling to find the right experts to assist in Anticipating, Detecting, Responding and Containing Cybersecurity issues within their organisations.
In a bid to assist organisations, county governments, Saccos, MFIs and SMEs curb the skills gap shortage and reduce instances of Cybercrime and Cybersecurity related incidents, Serianu has launched the County Cybersecurity Extension Officer Program.
How it works
Serianu’s Cybersecurity extension officers are deployed to various counties within Kenya. These officers offer organisations (and their branches) top-notch Cybersecurity services and consultancy on a bi-weekly basis.
As opposed to the conventional one-off consulting service, this program allows an organisation to interact with our experts on a continuous basis to ensure that the overall cybersecurity posture of the organisation improves.
Target
• Organisations with branches outside Nairobi
• County Governments
• Saccos
• Microfinance Institutions
• Co-operatives
• Other SMEs
Key Activities
• IT / Cybersecurity Strategy Review
• Disaster Recovery Review
• Business Continuity Review
• Remediation of Audit findings
• Security Awareness Training
Benefits
Regular check-up on cybersecurity posture
• Review your organisation’s Cybersecurity posture with industry experts
• Review your compliance and regulatory compliance posture
• Suggest measures to improve IT related procedures, operations and processes.
Technical expertise
• Improve the technical skills and capabilities of your organisation/branch by utilizing Serianu’s Cyber Security extension officers.
• Revise and analyze IT operations and systems, hardware configurations, physical security and operating procedures across the organisation.
• Consult and comply with set controls, standards, policies and procedures while carrying out IT activities.
• Suggest and execute IT technologies, strategies and policies to guard information assets.
• Recommend solutions for explaining risks and reducing exposure areas.
To sign up, contact Serianu at [email protected]
CVEQ™ Assessment Tool for Saccos
Five Step Cyber-Risk Benchmarking Tool
Powered by
CVEQ™ - Africa’s Cyber Visibility Tool Customized for SACCOS
Technical Partner
IRM East Africa Regional Group
This five step cyber-risk benchmarking tool was purposely built to assist Saccos and Microfinance Institutions to make quick and accurate assessment of their cybersecurity readiness.
This tool enables Saccos to clearly communicate to senior management and directors on their capabilities and readiness to anticipate, detect, respond and contain emerging cyber threats. It also enables Saccos to identify areas of weaknesses within their environment to facilitate budgeting, remediation and risk quantification.
Follow the five steps to assess your Sacco:
1. Cyber Risk Profile
2. Cyber Risk Governance
3. Cyber Risk Visibility
4. Cyber Risk Metrics
5. Cyber Risk Exposure
Each step contains a set of questions as well as guidelines on how to carry out the assessment.
For each question award yourself:
• 1 point – You are confident that the element is fully met
• Half a point – A degree of coverage can be demonstrated
• No score – Coverage cannot be demonstrated
Step One: Cyber Risk Profile
Step one enables Saccos to determine their sources and levels of inherent risks prior to implementing mitigating controls. A cyber-risk profile provides a holistic view of the Sacco environment and the major risk factors.
Use the checklist below to assess your Risk Profile:
Columns: # / Control Area / Fully Compliant (score 1) / Partially Compliant (score 0.5) / Not Compliant (score 0)
1 Connections: Has the Sacco assessed, documented and communicated risks posed to the organisation by internet/wireless connections?
2 Internal Applications: Has the Sacco assessed, documented and communicated risks posed to the organisation by internal applications supporting critical activities?
3 External Applications: Has the Sacco assessed, documented and communicated risks posed to the organisation by external applications?
4 Customers: Has the Sacco assessed, documented and communicated risks posed to the organisation by its customers using online applications (mobile, web)?
5 Delivery Channels: Has the Sacco assessed, documented and communicated risks posed to the organisation by delivery channels?
6 Employees/Consultants: Has the Sacco assessed, documented and communicated risks posed to the organisation by employees (Including IT consultants)?
7 External/Emerging Threats: Has the Sacco assessed, documented and communicated risks posed to the organisation by emerging or attempted threats?
8 Vendors and Partners: Has the Sacco assessed, documented and communicated risks posed to the organisation by vendors and partners?
9 Regulation and Compliance: Has the Sacco incorporated regulator (SASRA) and industry best practice requirements into the cyber risk management practices?
10 Board and Management: Is the Sacco’s board and senior management actively involved in implementing and managing the cybersecurity program?
TOTAL
Step Two: Cybersecurity Risk Governance
Step two enables Saccos to evaluate the effectiveness of cyber-risk oversight mechanism. An effective program includes: clear governance roles, instituted risk management processes, adequate resources and standardized processes.
Use the checklist below to assess the Sacco’s Cyber Risk Governance Profile:
Columns: # / Control Area / Fully Compliant (score 1) / Partially Compliant (score 0.5) / Not Compliant (score 0)
GOVERNANCE
1 Governance: Are cybersecurity issues discussed and approved by the board of directors on a quarterly basis?
2 Strategy: Is there an information security strategy and roadmap that integrates technology, policies, procedures, and training to mitigate risk?
3 Policies and Procedures: Are there written information security policies and procedures that are reviewed annually and communicated to all employees, including through information security awareness training?
RESOURCES
4 Resources: Has the process of determining cyber security resources been integrated into business units’ budget processes (this includes staffing, internal or outsourced, and tools)?
RISK MANAGEMENT
5 Risk Assessment: Is there a cyber security risk register that is maintained and regularly updated?
6 Risk Metrics: Have cybersecurity metrics been established for showing the security posture over time?
7 Independent Audits: Is independent testing (including penetration testing, system audit, process reviews and vulnerability scanning) conducted according to the risk assessment for external-facing systems and the internal network?
8 Legal Contracts: Are there formal contracts that address relevant security and privacy requirements in place for all third parties that process, store, or transmit confidential data or provide critical services?
STANDARDIZED PROCESSES
9 Information Sharing: Is information shared proactively with the industry, law enforcement, regulators, and information-sharing forums?
10 Incident Response: Have roles and responsibilities for incident response team members been defined?
TOTAL
Step Three: Cyber Risk Visibility
Step three evaluates the visibility (effectiveness and efficiency) of key cyber security controls by gathering data from ongoing security operations and through direct connections to systems and configuration interfaces.
Use the checklist below to assess the Sacco’s Cyber Risk Visibility Profile:
Columns: # / Control Area / Fully Compliant (score 1) / Partially Compliant (score 0.5) / Not Compliant (score 0)
1 Vulnerability Management: Are hardware and software vulnerabilities proactively identified and documented?
2 User Access Management: Are privileged rights understood, documented and reviewed in terms of assignment to system and user accounts?
3 Fraudulent Transactions: Are there monitoring capabilities for detection of fraudulent transactions across all channels?
4 Perimeter Controls: Are there network security perimeter defense tools (e.g., border router, IDS, IPS and firewall) deployed to control incoming and outgoing internet traffic?
5 Patching: Are there capabilities to update (e.g., patch, upgrade) commercial software for known security vulnerabilities as per the manufacturer recommendations?
6 Security Awareness: Is annual information security training carried out which includes incident response, current cyber threats (e.g., phishing, spear phishing, social engineering, and mobile security), and emerging issues?
7 Asset Inventory: Is there a detailed and updated inventory of organisational assets (e.g., hardware, software, data, and systems hosted externally) that is regularly maintained?
8 Malware: Is there an installed and regularly updated anti-malware solution on all systems commonly affected by malicious software (particularly personal computers and servers)?
9 Backup and Recovery: Are regular and offline backups performed, with periodic monitoring of the quality of the backups by testing recovery of the backed-up data?
10 Sensitive Data (structured and unstructured): Are there appropriate tools and processes implemented to detect and prevent unauthorized access and transfer of sensitive data from the corporate network?
TOTAL
Step Four: Cyber Risk Metrics
Step four confirms the availability of key indicators and measurements retrieved from different cybersecurity tools. These metrics facilitate decision making and improve performance and accountability within the Sacco.
Use the checklist below to assess the Sacco’s Cyber-Risk Metrics:
Columns: # / Control Area / Fully Compliant (score 1) / Partially Compliant (score 0.5) / Not Compliant (score 0)
1 Rogue Devices: Is there a periodical report that shows the number of unauthorized and unmanaged hardware and software assets on your network?
2 Malware: Is there a periodical report that shows the number of instances of malware that have been detected by anti-malware systems?
3 Vulnerabilities: Is there a periodical report that shows the number of systems on the network that have not recently been scanned for vulnerabilities?
4 Unauthorized Access: Is there a periodical report that shows the number of incidents of unauthorized access that have been detected?
5 Fraudulent Transactions: Is there a periodical report that shows unusual transactional patterns that have been detected?
6 Failed Backups: Is there a periodical report that shows how many systems have not been backed up?
7 Privileged Abuse: Is there a periodical report that shows the number of unauthorized administrative accounts that have been detected?
8 Unauthorized Access: Is there a periodical report that shows incidents of login behaviour deviation that have been detected?
9 Database Activities: Is there a periodical report that shows any changes done on the core databases?
10 Remote Access: Is there a periodical report that shows remote logins past business hours?
TOTAL
Step Five: Cyber Risk Exposure
Step five assesses the Sacco’s preparedness in detecting, responding to and containing potential cyber breaches. This enables a Sacco to determine its susceptibility to cyber-attacks (sabotage, Intellectual Property (IP) theft or fraud).
Use the checklist below to assess the Sacco’s Cyber-risk Exposure:
Columns: # / Control Area / Fully Compliant (score 1) / Partially Compliant (score 0.5) / Not Compliant (score 0)
1 Mobile Channel Fraud: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of mobile fraud?
2 Ransomware: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of ransomware?
3 Data Tampering (Structured or Unstructured): Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of data tampering?
4 System Unavailability: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of system unavailability?
5 Payment Fraud: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of payment fraud?
6 Email Phishing: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of email phishing?
7 Vulnerability Exploitation: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of vulnerability exploitation?
8 Privilege Abuse: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of privilege abuse?
9 Rogue Device: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of rogue devices?
10 Third Party Breach: Has the Sacco documented, tested and validated its capability to detect and respond to attempted or successful cases of third party breach?
TOTAL
How did you score?
0 - 17: Low Visibility Levels
The Sacco is falling well short of baseline cybersecurity practices and is not adequately protecting its IT assets. Briefing stakeholders accurately on the cybersecurity posture of the organisation may be difficult.
17 - 33: Moderate Visibility Levels
The Sacco has generally implemented some cybersecurity best practices and is thus making progress in providing sufficient protection for its IT assets. Consideration should be given to areas that require improvement.
34 - 50: High Visibility Levels
The Sacco has a well-developed cybersecurity program and is well positioned to further improve its effectiveness. Fine-tuning of existing processes will help improve the cybersecurity posture.
References
SASRA guidelines on cyber security and risk management
Central Bank of Kenya Guidelines on Cybersecurity
FFIEC
NIST Framework
https://www.avanade.com/~/media/asset/other/digital-banking-full-report.pdf
About Serianu Limited
For nearly ten years, Serianu has worked tirelessly traversing the African continent to scale up the relevance of cyber security alertness, partnering with stakeholders across the full spectrum, from academicians to analysts, government officials and private sector executives.
An award-winning pan-African research-driven cybersecurity and risk consulting firm, Serianu enables organisations to anticipate, detect, respond to and contain cyber threats, and specializes in providing cutting-edge research-based consulting and managed services around new and emerging cyber risk areas.
Serianu’s bouquet of services includes threat detection and alerting; cyber security awareness and training; technical and non-technical assessments; forensics and investigations; and remediation support.
For more information, contact:
Serianu Limited, 14 Chalbi Drive, Lavington
P. O. Box 56966 - 00200, Nairobi, Kenya
General Information: +254 (0) 20 200 6600
Cyber Crime Hotline: +254 (0) 800 22 1377
Email: [email protected]
https://www.serianu.com