The Central Bank of Kenya (CBK) recently issued a guideline to all commercials banks across Kenya to fortify their cybersecurity and establish effective cybersecurity governance and risk management. The CBK acknowledged the growing risk of cyber threats and highlighted the debilitating impact of cyber-attacks on financial institutions.
A report published in 2016 highlighted the estimated cost of cyber-crime in Africa being close to $895Mn with Nigeria being the topmost at $550Mn and Kenya holding the second position at $175Mn followed by Tanzania, Ghana, and Uganda.
The primary purpose of the issued guideline was to create a safer cyberspace to ensure the stability of Kenyan banking sector and instilling confidence of the public in their financial system. The CBK emphasizes the need to focus on evolving cybercrimes, the need for protection of critical IT infrastructure, promoting and adhering to excellent cybersecurity standards and building of both, capability and capacity to tackle cyber threats. For the same, it has mandated all banks to draft and submit their cybersecurity policies by November 30, 2017. It is expected from the banks that they must adhere to, at least, the minimum standards that have been provided in the CBK guideline for cyber governance and cyber risk management.
CBK Guidelines: All you need to know
The guidelines issued by CBK mentions that “the board of directors and senior management of an institution are expected to formulate and implement cybersecurity strategies, policy, procedures, guidelines and set minimum standards for an institution.” Refer
Here are a few aspects highlighted in the CBK guidelines given to Kenyan banks.
- Governance: A top-down approach with Board of members understanding the business impact of cyber threats and working towards a cybersecurity awareness culture to mitigate risk is a major step towards cybersecurity of a company. Further, the senior management should implement the strategy with relevant policies and supporting framework. It also involves hiring the right talent and also creating security specific roles like the Chief Information Security Officer (CISO).
- Regular independent assessment and test: Auditing is an important aspect of ensuring that the cybersecurity strategy is put into action and is up to date as per plans. This requires internal auditing, risk management, and external auditing. Cybersecurity experts should be hired/ involved to conduct these assessments regularly.
- Outsourcing: While it is a norm these days to work with outsourced agencies, vendors and cloud operators to reduce costs, these external connections are a huge threat to the cyber safety of banks. It is thus important to ensure stringent security policies regarding these external agencies/partners. CBK has mandated that banks ensure the security compliance of these third parties as per legal and regulatory framework.
- Training/Awareness: Top-most levels of security cannot be achieved without every employee being a part of this phenomenon. It is thus important to have security training and awareness programs to cover the lowermost level of the organizational The same, if need be, should be extended to partners, suppliers, vendors and even customers.
What measures should be taken now?
The Central Bank of Kenya (CBK) guidelines requires organisations of all sizes to adopt a new set of processes and policies to fortify their cybersecurity. Much of this will involve updating systems to accommodate these new guidelines, and training staff. Other steps involve practical measures, such as employing robust cybersecurity solutions to mitigate the risk of cyber-attacks on financial institutions. With over 8 million licenses across 80 countries, Seqrite has been helping organisations bolster their cybersecurity with its comprehensive security solutions. Seqrite offers security solutions to enterprises covering them from all cyber threats that loom large over a company’s horizon. With an extensive experience, Seqrite has a plethora of solutions that fit the need of any organization irrespective of its size, location or business nature. Seqrite is equipped to handle your organisation’s transition as per the new guidelines in a simple and effective manner.
|Governance||Seqrite EPS offers governance through its Group Policy Management feature. It helps administrators to define user groups based on the hierarchy within the organization, departments, user types etc. Single window dashboard is provided to monitor all the systems in the network. Through group policy, admin can manage external devices (storage drives, network drives) connected to the system. Reports & Notifications regarding any malicious activity detected are provided to defined set of authority through mail & SMS. Reports regarding asset status, malicious activities in the network helps leadership to analyse vulnerability trends & formulate their future cyber strategy.|
|Identification||Seqrite EPS provides comprehensive endpoint security through its multi layered protection technologies like Advanced DNA Scan, Behaviour Detection System, AntiMalware, AntiRansomware, AntiVirus, Data Loss protection, Advance Device Control etc. Notifications & reports are sent to admin as soon as a threat is detected.|
|Protection||Seqrite EPS has the following features which helps organizations to comply with security protocols:
1. Antivirus – Protection against viruses, malwares, worms, trojans, spam which is certified by industry leading certifications
2. AntiRansomware – Protection against the ransomware through signature based detection mechanism as well as advanced behaviour detection system. It automatically takes backup of files.
1. Firewall – Monitors inbound & outbound traffic
2. Intrusion Detection & Protection System (IDS/IPS) – Detects malicious network activities to exploit application vulnerabilities and block intruder attempts
3. Port Scan & DDoS Attack Protection – Port Scan & DDoS attack alerts are sent to Admin to ensure system prevention
1. Browsing & Phishing protection – EPS blocks the malicious & phishing websites to ensure safe browsing.
2. Web Filtering – This feature helps to block websites as per categories. E.g. Organization may want to block all gaming websites for all users. This can be achieved through this feature.
3. Schedules Internet Access – Time based internet access can be enabled though this functionality.
Vulnerability Scan & Patch Management:
1. Vulnerability Scan – Provides summary of all vulnerabilities in the network as per severity level.
2. Patch Management – Centralized patch management solution to patch vulnerabilities of Microsoft and Non-Microsoft applications.
Device Control & DLP:
1. Advanced Device Control – Apply policies regarding usage of storage devices, mobile and portable devices, wireless devices, network interfaces connected to endpoints.
2. Data Loss Prevention – Prevents data loss by monitoring confidential and user defined data, shared removable drives, network or various applications.
3. File Activity Monitor – Monitoring of file activities on local drives, removable drives and network.
Application & Asset Management:
1. Application Control – Ensures control over unauthorized applications within the network.
2. Asset Management – Provides complete visibility of hardware and software running on endpoints. It also keeps track of any changes that are happening on endpoint’s software/hardware.
Management & Control:
1. Centralized Administration – Single Window, web-based console with graphical dashboard, group and policy management, email and sms notification, easy deployment
2. Roaming Platform – Manage clients even if they are out of corporate network area.
|Detection||1. EPS notifies about threats, virus detection to authority so as to ensure immediate action
2. Patch management feature keeps system up to date with all the latest security updates installed
3. Mail & SMS notifications are sent for almost all of the features including AntiRansomware, Intrusion detection, Vulnerability, Device control, Application Control etc.
|Testing||Seqrite EPS provides the highest possible security against cyber threats. Leadership may schedule testing of systems to check periodically & ensure proper implementation of cyber protection strategy.|
If you are looking for a security partner who can ensure complete protection of your assets and establish seamless operations as you amp up your company’s cybersecurity, Seqrite is the right choice to make.
Phone (Sales): +254-733-120-620 | Mobile (Sales): +91-98230-16980
Email (Sales): firstname.lastname@example.org; email@example.com