Zim banks vulnerable to cyber threats: Experts
THE cybersecurity situation in Zimbabwe is now dire, particularly within the banking sector, as corporate leaders continue to overlook the critical need for robust digital defences, experts have warned.
The lack of support from management is not only delaying effective responses, but also leaving organisations unprotected against a rising wave of cyber threats.
The consequences of this negligence are particularly pronounced in the banking industry, where ransomware attacks, phishing emails, digital fraud and hacking have been on the rise.
According to the Financial Stability Report 2023, compiled by the Reserve Bank of Zimbabwe (RBZ) and other financial regulators, the cybersecurity landscape painted a concerning picture of the heightened risk brought by technological advancements.
According to the report, the ‘door is wide open’ for cybercriminals as digital services expand without proper safeguards in place. The RBZ issued a stark warning: banks must be vigilant about their reliance on technology vendors and mitigate risks of obsolescence with robust management frameworks.
For Zimbabwe, the call to bolster defences is especially relevant, with American-Israeli software firm Check Point Software Technologies revealing in July that the country was the third most cyber-attacked country globally.
Speaking at the Institute of Bankers Zimbabwe (IoBZ) Summer Conference in Victoria Falls last week, NMB Bank cybersecurity specialist Don Mlambo said cybersecurity strategies needed to be supported from the top to bear fruit.
“So, you realise that cybersecurity has been seen in the past as just a cost centre. It is not something that is appreciated as a support function of the business. A company has to be hacked first for any budget to be allocated to the department,” Mlambo said.
“So, what we need is for the management to support us as a cybersecurity function within the business by funding our tools and our projects, as well as emphasising throughout the organisation how important cyber security is. If we do that, it means that any strategy that we have is going to be successful.”
The RBZ report revealed that as more financial services move into the digital realm, the more vulnerable they become.
This is because the risk of cyber attacks increases as dependency on digital platforms increases.
Mlambo urged companies to employ tech personnel who had the right skills, experience and education to be able to efficiently fight cyber security threats.
“Secondly, I would like to talk about the security operations centre. This is now down to the department that I am in, which is a more technical one,” he said.
“What we need is a department that is well-equipped with the skills in terms of the people that reside in this department because these are the frontline soldiers that are fighting against cyber threats and are monitoring day-to-day operations.”
Mlambo said the people needed to be experienced in that regard.
“We need people to have the latest skills that apply in the ever-evolving digital cybersecurity threat world. So, we need these people to have the highest level of training that we can get,” he said.
Mlambo said all departments in any organisation needed to work together to successfully protect the systems and called for cybersecurity literacy for all departments.
The International Telecommunication Union’s (ITU) Global Cybersecurity Index 2024 released last month showed that Zimbabwe’s cybersecurity ranks poorly in terms of technical, organisational, capacity development and cooperation measures.
Technical measures represent a country’s ability to support cybersecurity efforts at the national level, while organisational measures highlight that greater co-ordination and alignment are necessary for shaping more data-driven and inclusive national cybersecurity efforts.
Capacity development checks how cybersecurity training and awareness efforts vary across regions against the backdrop of efforts to develop a strong industry.
The cooperation measures criterion revealed that the operationalisation and impact of agreements and frameworks remain a challenge.
Zimbabwe scored poorly under all these ITU criteria.
Thus, Zimbabwe has a long way to go in implementing a robust cybersecurity system, especially considering that on average, about US$215 million was being transacted daily in the week ending September 13, according to the RBZ.
“And then we move on to the end users, the people that use the systems and the data that we use to anchor our businesses. These are people in your finance department, people in HR [human resources] and people all over the organisation,” Mlambo said.
“We need these people to be trained and educated in regards to what cyber security threats are out there and what threats target them specifically as the human element in the organisation.”
He said that before companies decide to buy tools to safeguard their systems from cyber threats, they must first understand the kind of data that they had and the way they shared it.
“Number two is you need to find a tool that can adapt to the ever-evolving threat landscape. Stop buying tools that you have to babysit every single day. Today there is a threat that you have bought the tool for, tomorrow everything changes and your tool is now useless,” Mlambo added.
“So, you need to find tools that are AI-powered, that can learn, apply and adapt to the evolving threat landscape. And these are AI-powered systems and machine learning-based systems. So, I think that is what I would say about tools that we do not have.”
The RBZ has been enforcing a Risk-Based Cybersecurity Guideline since 2020 to bolster defences within the payments infrastructure. However, it appears not all institutions are stepping up to the challenge.
And, without decisive action from top management, Zimbabwean banks are at risk of becoming easy prey for sophisticated cybercriminals — a threat that no institution can afford to ignore.
Bankers Association of Zimbabwe ICT chairperson Jonathan Muwanga acknowledged that cyber attacks had been increasing in the banking sector this year.
“Cyber threats are real. I think it is only a matter of time before technology grows. Judging by the number of developments in Zimbabwe, within the financial space, in 2024 alone, there may not have been open disclosures, but most of us are aware that there have been a few attacks,” he said.
“I think when you come across in digital media or the Press statements like, we are currently experiencing intermittent services and can go for three or four days, those are some of the typical signs of a compromise. Having said that, what we recommend is that organisations empower themselves to be proactive rather than reactive when it comes to cyber management.”
Muwanga said cyber attacks cause business disruptions, financial losses and reputational damage, which organisations could avoid by protecting themselves.
“From technology, we also have adopted data-driven solutions such as standard detection and response, endpoint detection and response solutions that use data to study behaviours on the company’s infrastructure, pick out unusual behaviours and intercept them before there are any breaches or compromises,” Muwanga said.
“The risks associated with breaches include business disruption, which can lead to poor customer experience. And then we look at financial loss and reputational damage, as well as regulatory consequences where maybe an organisation may face penalties.”
In the second quarter of the year, there were 57 criminal acts against computer systems recorded, a decrease from 61 in the first quarter, according to national statistics. -ebusinessweekly