Information Security in Financial Services Industry (FSIs): Where are we headed?
Yvonne Obasogie
MSc Candidate in International Business Management | Information Security Analyst | Navigating the Intersection of Technology and Business.
In the years 2022-2023, Financial Institutions (FIs) across Africa encountered nearly one in five (18%) successful directed cyberattacks. Nigeria, with its burgeoning financial landscape boasting approximately 217 Fintech companies and 21 Commercial Banks, stands as one of the continent's largest banking sectors. However, amidst the rise of digital banking and fintech innovations, the need to secure financial data has never been more pressing. While the ambition to "bank the unbanked" drives the industry forward, it also exposes vulnerabilities to malicious actors and cyber threats. Indeed, these institutions have become prime targets for cybercriminals. This article explores the current state and future direction of information security in Financial Services Institutions (FSIs) in Nigeria.
Cyber Security Research in Financial Services
Recent reports by Check Point Research and the Interpol Africa Cyberthreat Assessment indicate a concerning rise in Business Email Compromise (BEC) attacks, Ransomware-as-a-Service, and ransomware incidents targeting organizations, particularly within the financial sector. This trend can be attributed to factors such as inadequate cybersecurity awareness and training for end-users, amongst others. Furthermore, threat actors based in Southeast Asia have increasingly targeted African and Caribbean regions, posing significant risks to organizations in these areas that have limited resources to combat such threats. Even more than that, the growing use of Artificial Intelligence (AI) tools by threat actors worldwide raises concerns about the potential impact on the Nigerian cybersecurity landscape, which may lack the necessary defenses against AI-powered attacks (Babajide, T.F., 2024).
With these advances in threat actor capabilities and heightened cyber attacks, limited access to advanced technology and skilled researchers poses significant challenges to cybersecurity research in Nigeria. There is also a notable deficiency in the existing literature on cybersecurity within the nation's banking sector. This can be attributed to both the secretive and competitive nature typical of the banking industry at large and the specific characteristics of Nigerian society, which include political instability, elevated levels of conventional crime, and widespread poverty (Wang et al., 2020). Nigerian financial institutions are facing a challenge with sophisticated phishing attacks aimed at deceiving individuals into divulging confidential information. These attacks leverage social engineering tactics, exploiting human vulnerabilities, thus underscoring the critical importance of cybersecurity awareness (Hassan et al., 2024).
Case Study: OPERA1ER Group Attacks (2018-2022): This financially motivated group targeted payment gateways and the SWIFT system in multiple African countries, including Nigeria. They executed over 35 successful attacks, stealing at least USD 11 million from banks and telecom providers. This strongly highlights the importance of AI-driven threat detection and the challenges faced in the African banking sector.
Managing Cyber Risk, Audit, and Compliance
Financial Services Institutions (FSIs) should implement regular risk assessments and develop comprehensive risk management strategies to mitigate cyber threats effectively. For instance, insider threats present a significant danger, involving employees within banks who misuse their authorized access to commit fraud or disclose sensitive data. These risks underscore the critical need for stringent access controls and continuous monitoring of internal activities (Oyewole et al., 2024).
Another perspective noted that the enforcement of robust cybersecurity risk regulations across financial institutions faces obstacles due to various factors, including selective legislation, ambiguous directives, and insufficient collaboration between public and private entities. However, the establishment of effective implementation and enforcement mechanisms could be facilitated through initiatives aimed at networked governance and institutional frameworks that promote a unified approach to understanding cyber threats and decision-making processes (Atere T.O, 2022). Nigerian FSIs must adhere to relevant regulations, such as the Nigeria Data Protection Regulation (NDPR) and Central Bank of Nigeria (CBN) guidelines, as well as international standards like the General Data Protection Regulation (GDPR).
Consequently, conducting regular audits is essential to ensure compliance with these regulatory frameworks and identify vulnerabilities within the organization's security posture. Furthermore, establishing robust incident response and business continuity plans is crucial for minimizing the impact of cyber incidents and ensuring the resilience of critical operations. Fostering a culture of cybersecurity awareness through comprehensive training programs for employees and stakeholders is also vital in reducing the risk of human-centric cyber threats, such as phishing attacks and social engineering.
Network Security in Financial Services Institutions (FSIs)
Phishing and ransomware attacks have emerged as among the most prevalent network threats targeting Nigerian Financial Services Institutions (FSIs). In Nigeria, there was a 12 per cent increase in phishing attack detections in Q3 2023 compared to Q2 in 2023. Also, as outlined in a 2023 report from cybersecurity company Check Point Research, there were over 1.3 million identified phishing attempts solely within the first six months of the year in Nigeria. To limit these risks, implementing robust network security measures, such as firewalls, intrusion detection and prevention systems (IDPS), and network segmentation, is critical.
However, network security in FSIs extends beyond these traditional measures. As the threat landscape evolves, organizations must also consider emerging risks, such as cyber-espionage campaigns targeting financial institutions. Adopting a multi-layered approach, incorporating cutting-edge technologies like Security Information and Event Management (SIEM) systems and Artificial Intelligence (AI)-powered threat detection, can enhance the overall network security posture.
Furthermore, collaboration and information sharing among FSIs, regulatory bodies, and cybersecurity agencies are crucial for staying ahead of sophisticated threat actors and coordinating effective response strategies.
Case Study: Ransomware Attack on RSAWEB (2023): In February 2023, RSAWEB, an Internet service provider, was hit by a ransomware attack that encrypted company data and disrupted services for several days. This case illustrates the critical need for robust network security and vulnerability management to protect against similar threats in financial institutions.
Human Factors in Information Security
Continuous employee training and awareness programs are crucial for reducing human error and enhancing security awareness within Financial Services Institutions (FSIs) (Williams et al., 2019). As the human element remains a significant weak link in cybersecurity, strict access controls, such as role-based access management, and constant monitoring of user activities can help mitigate insider threats. Furthermore, analyzing user behavior patterns through techniques like User and Entity Behavior Analytics (UEBA) can aid in detecting anomalies and potential security breaches (Salitin & Zolait, 2018).
I strongly agree that adopting a holistic approach that combines technical controls with an understanding of human factors can significantly enhance the effectiveness of security measures (Pollini et al., 2021).
Additionally, encouraging a culture of accountability and ethical conduct through robust policies and governance frameworks is important for creating a security-conscious mindset among employees and all stakeholders. Regular assessments and audits can help identify the gaps in human-centric security measures and support continuous improvement.
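To make the UEBA idea concrete, here is a small added example (not code from the article or any vendor product) that builds a per-employee baseline from a constructed core-banking audit log and flags the insider-threat signals discussed above: off-hours activity, access to accounts outside the employee's own branch, and a volume spike against the employee's personal history. The log format, staff IDs, branch codes and the 07:00-19:59 working window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed core-banking audit log (not real data). Fields:
# timestamp, staff id, staff home branch, branch of the account touched, action
SAMPLE_LOG = """\
2024-05-06T09:12 T101 LAG01 LAG01 VIEW
2024-05-06T10:03 T101 LAG01 LAG01 VIEW
2024-05-07T09:30 T101 LAG01 LAG01 VIEW
2024-05-07T14:15 T101 LAG01 LAG01 VIEW
2024-05-07T16:02 T101 LAG01 LAG01 VIEW
2024-05-08T09:05 T101 LAG01 LAG01 VIEW
2024-05-08T15:50 T101 LAG01 LAG01 VIEW
2024-05-09T02:14 T101 LAG01 ABJ03 EXPORT
2024-05-09T02:15 T101 LAG01 ABJ03 EXPORT
2024-05-09T02:16 T101 LAG01 ABJ03 EXPORT
2024-05-09T02:17 T101 LAG01 ABJ03 EXPORT
2024-05-09T02:18 T101 LAG01 ABJ03 EXPORT
2024-05-06T09:00 T202 LAG01 LAG01 VIEW
2024-05-07T09:00 T202 LAG01 LAG01 VIEW
2024-05-08T09:00 T202 LAG01 LAG01 VIEW
2024-05-09T09:00 T202 LAG01 LAG01 VIEW
"""
WORK_HOURS = range(7, 20)  # assumed working window 07:00-19:59

def parse(log):
    """Turn the raw audit lines into (timestamp, staff, home_branch, acct_branch, action)."""
    rows = [line.split() for line in log.strip().splitlines()]
    return [(datetime.fromisoformat(r[0]), *r[1:]) for r in rows]

def score_day(events, day):
    """Flag staff whose activity on `day` deviates from their own earlier behaviour.
    Returns {staff: sorted list of reason tags}; an empty dict means nothing unusual."""
    per_day = defaultdict(lambda: defaultdict(int))  # staff -> date -> event count
    flags = defaultdict(set)
    for ts, staff, home, acct_branch, action in events:
        per_day[staff][ts.date()] += 1
        if ts.date() != day:
            continue
        if ts.hour not in WORK_HOURS:        # activity outside the working window
            flags[staff].add("off-hours")
        if acct_branch != home:              # touching accounts the role does not serve
            flags[staff].add("cross-branch")
    for staff, days in per_day.items():
        history = [n for d, n in days.items() if d < day]
        # volume spike: more than three standard deviations above the personal baseline
        if len(history) >= 3 and days.get(day, 0) > mean(history) + 3 * pstdev(history):
            flags[staff].add("volume-spike")
    return {s: sorted(r) for s, r in flags.items()}
```

Run against the sample, `score_day(parse(SAMPLE_LOG), <2024-05-09>)` reports T101 on all three signals and nothing for T202, whose activity matches their own history; in a real deployment the baseline window and thresholds would be tuned per role.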
Cyber Incident Management
The importance of having a comprehensive cyber incident response plan cannot be overemphasized. A dynamic incident response plan is essential for quickly addressing and mitigating cyber incidents, and it should outline clear procedures and responsibilities for the various stakeholders, enabling prompt and coordinated action in the event of a breach (Cichonski et al., 2012). Real-time monitoring and automated response tools can help manage cyber incidents effectively. Conducting a thorough post-incident analysis is also crucial for identifying the root causes of breaches and implementing the necessary corrective measures (Patterson et al., 2023). This analysis should involve a comprehensive review of the incident timeline, attack vectors, and the effectiveness of existing security controls, enabling organizations to learn from past incidents and continuously improve their cyber resilience (Staves et al., 2022).
Insights from the Financial Sector
The financial sector, including institutions like Standard Bank and Absa, has faced significant cyber threats, prompting the adoption of comprehensive incident management strategies. These include real-time threat detection systems, collaboration with cybersecurity firms for incident response, and regular cybersecurity drills to prepare for potential breaches. These measures ensure that financial institutions can quickly recover from incidents and protect sensitive financial data (Banks Across Africa Turn to IBM Hybrid Cloud and AI Solutions to Accelerate Digital Innovation, 2021).
Cloud and Virtualisation Security
The adoption of cloud computing and virtualization technologies by Financial Services Institutions (FSIs) offers scalability and cost advantages, but it also introduces new security challenges that must be addressed proactively. According to a TechCabal report in 2023 by Oladunmade Muktar, Nigerian fintech startup OPay attributed its growth and reliability during the recent cash crisis to its fully cloud-based infrastructure, highlighting the benefits of cloud adoption.
However, the report also reveals concerns among traditional Nigerian banks regarding the security implications of migrating to the cloud. The Central Bank of Nigeria (CBN) guidelines on cloud computing (the Information Technology Standards Blueprint) suggest a gradual implementation approach, citing the risks of hosting highly confidential banking data on public cloud platforms if it is not properly controlled.
To reduce these risks, robust security measures such as encryption, strict access controls, and continuous monitoring of cloud environments are crucial (Ali et al., 2015).
One of the key challenges highlighted in the report is the concern over network latency issues that may arise from cloud-based services, particularly when data centers are located outside Nigeria. The establishment of local data centers, such as the recent launch of Amazon's Local Zones in Lagos, could potentially address these latency concerns and facilitate faster adoption of cloud services by Nigerian FSIs.
Conclusion
In conclusion, enhancing information security within Nigerian Financial Services Institutions (FSIs) requires a multifaceted approach that addresses research challenges, implements comprehensive risk management strategies, leverages advanced technologies, and adopts a culture of security awareness across all levels of the organization. These FSIs must also prioritize cybersecurity as a critical business imperative and continuously seek to adapt their defenses to emerging threats, thereby protecting their customers, safeguarding sensitive data, and maintaining public trust. In simpler terms, cybersecurity needs more representation in the boardrooms and classrooms.
To achieve this, FSIs should invest in fostering collaborative partnerships with academic institutions, research organizations, and industry experts to drive innovation and address the unique cybersecurity challenges faced by the Nigerian financial sector. More people need to be made aware of their cyber environment and how such attacks affect them directly or indirectly. Furthermore, the development and implementation of stellar governance frameworks, aligned with relevant regulatory requirements and industry best practices, are important for effective risk management and compliance.
However, as FSIs are advised and eager to implement certain cutting-edge solutions, this technological transformation should and must be accompanied by comprehensive employee training programs and awareness campaigns to address the human factor in cybersecurity.
Ultimately, staying ahead of evolving cyber threats is paramount to maintaining the success, resilience, and security of Nigeria's financial services sector, which plays a vital role in supporting the nation's economic growth and stability.
REFERENCES
Ali, M., Khan, S. U., & Vasilakos, A. V. (2015). Security in cloud computing: Opportunities and challenges. Information Sciences, 305, 357-383. https://doi.org/10.1016/j.ins.2015.01.025
Atere, T. O. (2022). Cybersecurity regulation in the financial sector: Reflexive risk management in the UK, USA, and Nigeria [Doctoral dissertation, Newcastle University]. Newcastle University Research Explorer. https://research.ncl.ac.uk/cybersecurityregulation/
Banks across Africa turn to IBM hybrid cloud and AI solutions to accelerate digital innovation. (2021, September 22). IBM Newsroom. https://newsroom.ibm.com/2021-09-22-Banks-Across-Africa-Turn-to-IBM-Hybrid-Cloud-and-AI-Solutions-to-Accelerate-Digital-Innovation
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST Special Publication 800-61 rev. 2). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-61r2
Hassan, N. A. O., Ewuga, N. S. K., Abdul, N. A. A., Abrahams, N. T. O., Oladeinde, N. M., & Dawodu, N. S. O. (2024). Cybersecurity in banking: A global perspective with a focus on Nigerian practices. Computer Science & IT Research Journal, 5(1), 41–59. https://doi.org/10.51594/csitrj.v5i1.701
Familoni, B. T. (2024). Cybersecurity challenges in the age of AI: Theoretical approaches and practical solutions. Computer Science & IT Research Journal, 5(3), 703-724. https://doi.org/10.51594/csitrj.v5i3.930
Muktar, O. (2024, March 24). Why cloud-based infrastructure will not solve reliability issues in Nigerian banks. TechCabal. https://techcabal.com/2023/04/21/cloud-infrastructure-nigerian-banks/
Oyewole, N. A. T., Okoye, N. C. C., Ofodile, N. O. C., & Ugochukwu, N. C. E. (2024). Cybersecurity risks in online banking: A detailed review and preventive strategies application. World Journal of Advanced Research and Reviews, 21(3), 625–643. https://doi.org/10.30574/wjarr.2024.21.3.0707
Patterson, C. M., Nurse, J. R., & Franqueira, V. N. (2023). Learning from cyber security incidents: A systematic review and future research agenda. Computers & Security, 103309. https://doi.org/10.1016/j.cose.2023.103309
Pollini, A., Callari, T. C., Tedeschi, A., & Montecchi, L. (2021). Leveraging human factors in cybersecurity: An integrated methodological approach. Cognition, Technology & Work, 24, 371–390. https://doi.org/10.1007/s10111-021-00683-y
Salitin, M. A., & Zolait, A. H. (2018). The role of user entity behavior analytics to detect network attacks in real time. Proceedings of the 3rd International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT). https://doi.org/10.1109/3ict.2018.8855782
Staves, A., Anderson, T., Balderstone, H., Green, B., Gouglidis, A., & Hutchison, D. (2022). A cyber incident response and recovery framework to support operators of industrial control systems. International Journal of Critical Infrastructure Protection, 37, 100505. https://doi.org/10.1016/j.ijcip.2022.100505
Wang, V., Nnaji, H., & Jung, J. (2020). Internet banking in Nigeria: Cyber security breaches, practices, and capability. International Journal of Law, Crime and Justice, 62, 100415. https://doi.org/10.1016/j.ijlcj.2020.100415
Williams, A. S., Maharaj, M. S., & Ojo, A. I. (2019). Employee behavioural factors and information security standard compliance in Nigeria banks. International Journal of Computing and Digital Systems, 8(04), 387-396. https://doi.org/10.12785/ijcds/080407
Project Manager | Marketing Executive | Talent Manager
7 months: Well done, Yvonne!
Product Manager || Business Analyst
8 months: Well done, Yvonne
Cyber Risk Management and Technology Consultant || GRC Professional || PCI-DSS Consultant || I help keep top organizations, Fintechs, and financial institutions secure by focusing on People, Process, and Technology.
8 months: Congratulations! Go girl Yvonne Obasogie
Information Security | Security Engineer | Stamp 1G | CCNA | Artificial Intelligence & Machine Learning | Networking | Cyber Threat Intelligence | Metasploit | MSc. Cybersecurity | NCI Class of '25
8 months: Awesome work Yvonne! Glad I could contribute