Cyber security – are we automating faster than we are protecting?

What you need to know:

  • Many ICT projects are designed and implemented without information security controls in mind - often these are plugged in after several breaches have occurred.
  • Banks, insurers, SACCOs, State agencies, NGOs and anyone who has automated their processes has not been spared the rising scourge of being electronically raided and funds compromised.
  • Even in well-designed, secure systems, it only takes the collaboration of insiders, particularly those from the ICT departments, to instigate fraudulent transactions.
  • Organisations can only protect themselves from such personnel by instituting both internal and external information system audit (IS-Audit) roles in order to provide continuous oversight over their digital assets.

Recently, the Director of Criminal Investigations (DCI) posted a list of one hundred and thirty most wanted cyber criminals in Kenya. Their key target is the financial sector, where insider sources confirm that fraudulent activity compromising digital platforms is at an all-time high.

Banks, insurers, SACCOs, State agencies, NGOs and anyone who has automated their processes has not been spared the rising scourge of being electronically raided and funds compromised.

It is no wonder the previously common broad-daylight robberies against banks are long gone, having been replaced by white-collar, highly educated and skilled "keyboard" robbers. Could this be a reflection of automating processes faster than we are developing the capacity to protect them?

Many ICT projects are designed and implemented without information security controls in mind; the controls are often bolted on only after several breaches have occurred. The result is an ill-fitting solution that exposes more attack vectors than a system designed with security in mind from the word go would have.

INSIDE JOB

However, even in well-designed, secure systems, it only takes the collaboration of insiders, particularly those from the ICT departments, to instigate fraudulent transactions.

There has been some argument that financial institutions are losing money to cybercriminals because they are not adequately compensating their highly-skilled ICT staff. This argument is faulty on two levels.

Firstly, because it implies that well-paid employees can never steal from their employers, a point that has been repeatedly disproven. We have many examples, but the quickest one that comes to mind is that we have more than tripled the salaries of Members of Parliament and ministers over the last decade, yet this has never reduced theft in our public sector.

Secondly, it assumes that theft is a function of poverty or, put more bluntly, that poor people are automatic thieves while the rich are angels. This, again, does not hold if you critically review Kenya's crime statistics.

In general, the richest counties recorded the highest crime rates, with the poorer counties reporting relatively lower figures. Indeed theft is not driven by poverty but is basically a human vice that is present across the socio-economic classes.

This means that paying ICT staff more, or paying them less, has no bearing on their inclination to steal from you. Cybercrime, like any other crime, is a function of motive, opportunity and skill rather than pay.

One driving motive, particularly among millennials, is the desire to become instant millionaires and retire early, preferably before reaching the other side of thirty-five.

Striking one big tender or deal, whether clean or not, is considered a more efficient and shorter route to retirement than slaving for twenty or thirty years in a regular eight-to-five job. For most of them, the end has tended to justify the means, particularly in a society that worships wealth without asking too many questions about its source.

GOING DIGITAL

The opportunity to steal presents itself where organisations have implemented ICT systems without giving due attention to re-creating the controls that were inherent in their manual processes.

Automation tends to shorten processes by cutting through what is often considered unnecessary red tape. However, this red tape often carries inbuilt controls that reduced the risks or exposures the enterprise faced: the second signature on a payment voucher, for instance, or the separation between the clerk who raises a payment and the officer who releases it.

Enterprises that cut the red tape without compensating for the lost manual controls by introducing adequate digital controls, such as enforced maker-checker approval and tamper-evident transaction logs, are extremely exposed to fraudulent digital transactions.

Finally, one needs above-average ICT skills to pull off and cover up a digital heist.

This is not to say we should avoid hiring top-notch or sharp ICT talent; it simply means that each hire must be supported by proper background checks. Being technically competent and ethically bankrupt often proves to be a very lethal combination.

Organisations can only protect themselves from such personnel by instituting both internal and external information system audit (IS-Audit) roles in order to provide continuous oversight over their digital assets.

Automating without IS-Audit oversight is fertile ground for cybercriminals. Organisations must begin to match their levels of automation with commensurate information security oversight roles in order to arrest the rise in cybercrime.
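The two points above, re-creating a lost manual control in software and giving IS-Audit something it can independently verify, can be shown in code. The following is an added example written for this page, not code from the column or from any institution it mentions. It models a toy payment system in which a transfer above a threshold must be approved by a second person who is not the one who raised it (the maker-checker rule a manual cheque process had), and every action is written to a hash-chained audit log that an internal or external IS auditor can recompute offline. The threshold, the user names, the transfer amounts and the tampering step are constructed assumptions for the demonstration.

```python
"""Segregation of duties plus a tamper-evident audit log (added example).

Assumptions, not facts from the column: the dual-control threshold,
the user names and the sample transfers below are all illustrative.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed policy: transfers at or above this amount need a second person.
DUAL_CONTROL_THRESHOLD = 100_000


class ControlViolation(Exception):
    """Raised when an action would bypass a segregation-of-duties rule."""


@dataclass
class Transfer:
    tx_id: str
    amount: int
    maker: str
    checker: Optional[str] = None
    state: str = "pending"  # pending -> posted


class PaymentSystem:
    """Toy payment workflow with maker-checker and a hash-chained audit log."""

    GENESIS = "0" * 64  # the prev_hash of the very first log entry

    def __init__(self) -> None:
        self.transfers: Dict[str, Transfer] = {}
        self.audit_log: List[dict] = []
        self._last_hash = self.GENESIS

    @staticmethod
    def _digest(entry: dict) -> str:
        # Hash every field except the hash itself, in canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, event: str, **fields) -> None:
        # Each entry commits to the previous one, so editing or deleting a
        # line without recomputing every later hash is detectable.
        entry = {"seq": len(self.audit_log), "event": event,
                 "prev_hash": self._last_hash, **fields}
        entry["hash"] = self._digest(entry)
        self.audit_log.append(entry)
        self._last_hash = entry["hash"]

    def submit(self, tx_id: str, amount: int, maker: str) -> str:
        if tx_id in self.transfers:
            raise ControlViolation(f"duplicate transfer id {tx_id}")
        t = Transfer(tx_id, amount, maker)
        if amount < DUAL_CONTROL_THRESHOLD:
            t.state = "posted"  # small amounts post on the maker's authority alone
        self.transfers[tx_id] = t
        self._record("submit", tx_id=tx_id, amount=amount, maker=maker, state=t.state)
        return t.state

    def approve(self, tx_id: str, checker: str) -> str:
        t = self.transfers[tx_id]
        if t.state != "pending":
            raise ControlViolation(f"{tx_id} is not awaiting approval")
        if checker == t.maker:
            # The control the manual process had: whoever raised the payment
            # may not also be the one who releases it. The attempt is logged.
            self._record("approve_rejected", tx_id=tx_id, checker=checker,
                         reason="maker and checker must differ")
            raise ControlViolation("maker cannot approve own transfer")
        t.checker, t.state = checker, "posted"
        self._record("approve", tx_id=tx_id, checker=checker, state=t.state)
        return t.state

    def verify_audit_log(self) -> bool:
        """What an IS auditor runs: recompute the whole chain from genesis."""
        prev = self.GENESIS
        for i, entry in enumerate(self.audit_log):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            if entry["hash"] != self._digest(entry):
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Constructed scenario: an ICT insider tries to push a large payment alone."""
    ps = PaymentSystem()
    results = {}
    results["small_state"] = ps.submit("T1", 25_000, maker="clerk_a")
    results["large_state_after_submit"] = ps.submit("T2", 750_000, maker="sysadmin_x")
    try:
        ps.approve("T2", checker="sysadmin_x")  # same person as the maker
        results["self_approval_blocked"] = False
    except ControlViolation:
        results["self_approval_blocked"] = True
    results["dual_approval_state"] = ps.approve("T2", checker="clerk_b")
    results["log_intact_before_tamper"] = ps.verify_audit_log()
    # The insider edits the stored record of T2 to hide its size. Because the
    # entry's hash (and every later prev_hash) no longer matches, the auditor's
    # recomputation fails.
    ps.audit_log[1]["amount"] = 7_500
    results["tamper_detected"] = not ps.verify_audit_log()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The audit log lives in the same process here only to keep the example self-contained; in practice the point of the chain is that the auditor keeps a copy of the head hash outside the ICT department's control, so that an administrator with write access to the database cannot quietly rewrite history.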

Mr Walubengo is a lecturer at Multimedia University of Kenya, Faculty of Computing and IT.

Email: [email protected], Twitter: @Jwalu