CYBER SCAPE AFRICA | Q2 2019
1. Commitment from top management
Resisting an evolving threat landscape requires board-level approval to ensure a high level of commitment to supporting cyber risk management. Therefore, it is pertinent for investors, customers and other business stakeholders to ensure that Board and Executive leadership are involved in a strategic and comprehensive approach to cybersecurity that will protect valuable data and advance the dexterity and growth of the organisation.
2. Crisis Response and Incident Management
Organisations in Africa can take a holistic business strategy by focusing on business continuity planning and crisis response in the event of a cyber attack. How?
a. Gather security experts who influence cybersecurity, information security, product security, and data privacy.
b. Create risk scenarios based on emerging threats in order to make informed decisions to address the vulnerabilities recognised.
c. Present the board and management with ‘cybermetrics’ that measure risk and performance.
d. Organise and implement training on cyber risk management for employees.
e. Create a communication plan to provide transparency in the event of a cyber attack.
f. Enact a framework for assessing and analysing cyber risk.
3. Regulatory Frameworks
Governments on the African continent have taken steps to enact laws and regulations bordering on cybersecurity risk management, such as the Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers by the Central Bank of Nigeria, and the Computer Misuse and Cybercrimes Act and the Information and Communications Act of Kenya, to name a few.
These regulations, though useful, should also encourage organisations to enact their own bespoke, industry-aligned cyber risk management framework. Also, any framework should include a clause requiring a report to be submitted to the appointed authority, within or outside the organisation, showing proof of implementation of cyber risk management, in order to obtain a Certificate of Compliance. African countries should also accede to the African Union Convention on Cybersecurity and Protection of Personal Data.
4. Cyber Risk Insurance
To mitigate risk, organisations can engage insurance companies that offer products modelled to shield businesses from risks affecting the confidentiality, integrity and availability of information assets.
Cyber insurance products can include: first-party business income loss, cyber risk assessment, data loss and restoration, crisis communications and reputational mitigation expenses, and business interruption loss due to a network security failure or attack, human or programming error, and so on.
5. Managing Insider Threat
It is only natural to infer that cyber-attacks are usually external in nature. However, organisations also have to bear in mind that attacks could be caused by an insider (an employee, business partner or third-party vendor), whether negligently or maliciously, who has or had authorised and approved access to the organisation’s network systems and data, thereby obtaining trade secrets, conducting fraud or carrying out unauthorised trading. According to the Ponemon Institute Research Report 2018, about 64% of insider threats are caused by employee or contractor negligence. This is evidence that insider threat is steadily increasing and must be properly managed. Accordingly, in managing insider threat, organisations can implement the following tools: Data Loss Prevention (DLP), Privileged Access Management (PAM), User Activity Monitoring (UAM), Security Information and Event Management (SIEM) systems, User Behaviour Analytics (UBA) software, and digital forensic tools.