Recent media reports that Kenya’s second largest financial institution by asset base, Equity Bank, has suffered a Sh1.5 billion heist in a suspected insider job have pointed to the need for organisations to shift the deployment of their system protection gears to guard against internal breaches.
The money which was meant for employees’ salaries, is said to have been transferred to multiple accounts in other banks.
Pundits who spoke to the Business Daily highlight the need to turn attention to this neglected yet crucial aspect of security.
The danger posed by an internal breach can have far-reaching impacts, not only in financial losses but also in leakage of critical data.
“Organisations have always focused on external sources of risk to their business to a point they almost seem to downplay threats that could emanate internally,” states Bernard Kinyanjui, lead developer at cyber services firm Bentech solutions.
“System risks are not always detached from employees and ethical staff conduct is key in ensuring that organisations maintain systems that withstand and detect threats in a timely fashion,” he emphasises.
But what exactly could have gone wrong in the Equity Bank case?
According to Clifford Ogeto, the head of cybersecurity at Nairobi-based information services company Eclectics International, insiders from different units could have collaborated to create new accounts, update the payroll information with those accounts and approve the transfers; he adds that external infiltration is unlikely.
“Payroll processing is typically initiated by the human resource (HR) department sending payroll data to the finance department which in turn forwards the request to payments so it’s a process that involves multiple steps of approval,” says Clifford.
“It is possible that someone from any of the departments either received a payroll with altered recipient accounts or modified them along the way. Changing payroll account detail also requires some paperwork which means the process was likely bypassed,” he adds.
The techies, however, poke holes in the presented narrative, noting that, for instance, the transfers could have been easily flagged since payroll is usually processed during working hours.
Further, they are doubtful about reports that only one person’s credentials were used to move the funds, asserting that critical business processes like payroll processing require maker-checker approval, which means other people are likely to have been involved.
Safeguard measures
To ensure an additional layer of protection, IT industry specialists recommend a raft of measures that organisations across all economic sectors can deploy.
For a start, the experts say, organisations need to step up the streamlining of their IT governance structures to ensure different units within the IT department work independently, such that there are no overlapping roles.
“One user could, for example, be designated to upload changes to staff or customer details while a different user is made responsible for approving after doing the necessary due diligence,” advises Clifford.
Bernard calls for the development of more robust IT systems that are equipped to sufficiently detect and preempt targeted threats before actual risks occur.
“It’s more about looking at systems internally while also trying to cultivate an organisational culture that ensures that those entrusted with running the systems remain true to their call of professionalism,” he says.
Other recommendations include enforcement of internal policies such as temporarily disabling user accounts when they are on leave, conducting staff background checks during employment and periodically thereafter, enforcing the maker-checker approval for critical processes as well as implementing fraud-detection systems that can check for unusual transaction patterns.
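As an added illustration, not code from the article or from any of the banks or firms it names, the following sketch shows how the maker-checker control on payroll account changes and the working-hours check the experts describe could be enforced; the role table, user names, account numbers and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed role table (assumption): makers edit payroll details, checkers only approve.
ROLES = {"alice": "maker", "bob": "checker"}

@dataclass
class AccountChange:
    employee_id: str
    new_account: str
    maker: str
    paperwork_ref: str            # reference to the signed change form (assumed field)
    approved_by: Optional[str] = None

class PayrollRegister:
    """Approved salary accounts; an edit only lands after a different, authorised user approves it."""
    def __init__(self, accounts):
        self.accounts = dict(accounts)
        self.pending = {}

    def propose(self, change: AccountChange):
        if ROLES.get(change.maker) != "maker":
            raise PermissionError(f"{change.maker} may not edit payroll details")
        if not change.paperwork_ref:
            raise ValueError("account change requires a paperwork reference")
        self.pending[change.employee_id] = change

    def approve(self, employee_id: str, checker: str):
        change = self.pending[employee_id]
        if ROLES.get(checker) != "checker" or checker == change.maker:
            raise PermissionError("maker-checker violation: approver must be a different, authorised user")
        change.approved_by = checker
        self.accounts[employee_id] = change.new_account
        del self.pending[employee_id]
        return change

def flag_transfers(transfers, register, work_start=8, work_end=17):
    """Return (employee_id, reasons) for payroll transfers that deserve a second look."""
    flagged = []
    for t in transfers:
        when = datetime.fromisoformat(t["time"])
        reasons = []
        if register.accounts.get(t["employee_id"]) != t["account"]:
            reasons.append("recipient account not in approved payroll register")
        if when.weekday() >= 5 or not (work_start <= when.hour < work_end):
            reasons.append("payroll run outside working hours")
        if reasons:
            flagged.append((t["employee_id"], reasons))
    return flagged
```

A transfer to an account that never went through the two-person change path, or a payroll run at night or on a weekend, lands in the flagged list for review before money leaves.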
In recent months, Kenyan banks have stepped up spending on updating and acquiring software, retaining staff and hiring new talent as part of measures aimed at scaling up the anti-fraud war amid rising threats to a sector that holds nearly Sh6 trillion in customer deposits.
Last year, for instance, NCBA Bank spent $31 million on modernising systems to ‘fortify its cybersecurity infrastructure’, while Absa, which lost Sh49 million to fraudsters and thwarted Sh498 million in attempted fraud during the period, has admitted that it was forced to purchase new anti-fraud systems as well as upgrade existing ones.
Other lenders have stepped up training of staff on the ever-evolving trends in fraud and have dismissed employees found aiding theft.
KCB handled 48 disciplinary cases related to fraud, in which it dismissed 22 employees while 26 resigned during the investigation, noting that its disciplinary process is “an effective means of deterrence of fraudulent activities.”
The increased investment in the anti-fraud war has also come on the back of regulators imposing stricter guidelines and enforcement mechanisms that expose banks to huge financial fines when fraud or customer data leakages occur.