Ebongabasi Ekpe-Juda, a security expert, has warned bank customers to stop filling the deposit registers in the banks, as criminals could get such information and use it to carry out illicit activities.
| By Anayo Ezugwu | Dec. 15, 2014 @ 01:00 GMT |
AMIDST the increasing cases of cybercrimes and financial frauds in the country, a security expert has warned bank customers to stop filling in their personal data such as name, account number, phone number, amount lodged, date and sometimes e-mail address in the register provided by their banks. Ebongabasi Ekpe-Juda, a security expert and managing director, Acts Resources Limited, Lagos, told Realnews that such information could be used by criminals in the cyber domain, particularly hackers, to exploit unsuspecting customers.
Also, kidnappers and other criminals could threaten the unsuspecting customers with phone calls, having obtained information from such registers about the amount they lodged into their account or a third-party account. “My advice to bank customers is that they should henceforth refuse to fill the register so that they do not expose themselves to cyber criminals. If the banks desire to institute a process of internal controls, they should designate a staff to record those transactions. It is the staff that should record the transaction, number the teller before the lodgment is made. Their cashiers or teller can then note the serial number given by the registration/control officer for their reconciliation. This is a full-time job for a staff. The register people are asked to fill is banks’ internal document that customers should not have access to in view of the sensitive information contained therein,” Ekpe-Juda said.
Realnews investigations showed that banks like Access Bank, Ecobank, Guaranty Trust Bank, GTB, and First Bank of Nigeria, FBN, are still making use of the registers despite the digitalisation of the banking sector. The biggest vulnerability lies not with the bank but with its customers, some of whom visit the banking hall for reasons ranging from doing business to monitoring the open register with the intention of getting information they could use to commit cybercrime.
Ekpe-Juda said this warning is against the background of what is happening globally. For instance, recent research conducted by a security firm called Kaspersky Lab discovered that cyber thieves were able to drain more than 500000 from more than 190 customers at a European bank in one week. According to him, banks must understand that the global economy is still not sufficiently protected against cybercrimes despite years of effort and annual spending of tens of billions of dollars. The banks should understand that risk alone undermines trust and confidence in the digital economy, reducing its potential value. This is important because cyber security threats have been pointed out as one of the most critical risks for the industry, since a single cyber breach can significantly drive down banks’ earnings per share, EPS, and multiple hits could cause their EPS to collapse. Sooner or later, every corporation will be hit with a cybercrime.
“We should recognise the fact that while security fundamentals are important, it is impossible to keep up with the pace of change in the threat landscape. In the past, security has been about risk avoidance, but leading firms have realised that cyber security now has to be about risk management. Organisations including banks must protect their customers against threats such as viruses, phishing attacks and hackings by implementing appropriate security controls in addition to intrusion detection systems, access management and a variety of other technology solutions.
“Organisational vulnerabilities do not mostly originate from technology; and in security awareness, technology accounts for only ten percent of the security chain, while human, that is, the wetware, accounts for the rest, and is always the weakest link in the chain. Leading private sector companies are focusing on the most important five percent of their data assets and rationalising security controls to reduce the burden on business. Management must consistently be promoting a security-aware culture by ensuring that clear, enforceable policies and effective awareness and training are established.
“The importance of cyber security is no secret to any informed person any more. Senior executives of banks may ask, what’s the hype? The answer is simple: understanding the issue is quite different from effectively addressing it. A number of structural and organisational issues complicate the process of implementing business-driven, risk-management-oriented cyber security operating models, and only sustained support from senior management can ensure progress and ultimately mitigate the risk of cyber attacks,” he said.
According to Ekpe-Juda, awareness and training is one of the most effective elements of any information security programme because most of the risks that organisations face are caused by user error, misconfiguration of systems or mismanagement. In fact, according to IBM’s 2014 Cyber Security Intelligence Index, 95 percent of all attacks in 2013 involved some type of human error. He said the goal of an information security awareness and training programme is to stop these errors from taking place by educating users on their responsibilities to ensure confidentiality, integrity and availability of information as it applies to their roles within the organisation.
“Today’s business leaders and the entire corporate staff chain need to understand both business risks and cyber risks. They must have security awareness in order to own the company’s cyber risks. It is no longer enough for the IT team to be asked to go and fix cyber threats or to employ one ethical hacker and think you are protected. Otherwise, they are simply not up to the job of running the business day-to-day. In fact, developing a good cyber security awareness training programme makes a lot of sense and will be more cost-effective than risk waiting for your company to be hit by attackers who will take advantage of the lack of security awareness of the company’s managers and employees. Security awareness training should be the first line of defense,” he said.
Ekpe-Juda’s warning is coming on the heels of the 2013 Annual Report and Statement of Accounts of the Nigeria Deposit Insurance Corporation, NDIC, released on Tuesday, December 2, in Katsina State, which stated that the Nigerian banking sector recorded an 11.12 percent rise in cases of financial fraud in 2013. The report stated that banks lost N5.76 billion in the year under review, of which N2.5 billion was recorded in the first quarter of the year alone. The total fraud cases reported stood at 3,756 compared to 3,380 cases in 2012.
The amount involved in the fraud incidences also grew to N21.79 billion in the period under review compared to N18.05 billion the previous year. The NDIC said the increasing number of fraud cases in the banking industry was through automated teller machine, ATM, internet banking, fraudulent transfers and withdrawals and suppression of customers’ deposits.