CYBERSECURITY PRACTICES AMONG FOREIGN BANKS IN GHANA

CHAPTER ONE

OVERVIEW OF THE RESEARCH

            Introduction

Chapter one presents an overview of the study. The first section presents the background of the study, which is cybersecurity. This is followed by the problem statement, which situates the problem the study investigates, and then by the research objectives and the questions the study asks. The significance of the study is presented in the next section, followed by the scope and limitations of the study. The last section discusses how the rest of the report has been organized.

            Background to the study

With the advancement of information and communication technology and the rise of the knowledge-based economy and society, most sectors of the economy have taken advantage of it to improve their services and reach more target customers (Driga, I., 2014). The banking sector is no exception and has undergone profound changes during the past decades. The financial sector now relies on cyber-related systems and networks to conduct many of its operations.

The role of cyber-related systems in the financial industry is ever expanding, and the frontier is being moved day in, day out in order to meet client needs and refine operations. The use of cyber systems has improved the quality of services, reduced the operational cost of processing transactions in some cases, sped up communications, transactions and the transfer of funds, and allowed banks to reach more customers. This phenomenon has been embraced by banks all over the world, including banks operating in Ghana. The adoption and use of cyber systems in the banking sector has made it attractive for criminals to launch cyber-attacks on these systems.

Cybercrime is a form of crime, often a traditional crime (e.g. fraud, identity theft, child pornography), which is executed through unauthorized access to, damage to and interference with a computer system (Broadhurst, 2006). Cybercrime is the act of committing a crime or an illegal act through the use of computer systems (Chambers, 2010). This is usually by fraud, impersonation, illegal access to and interference with a computer system. In simple terms, cybercrime can loosely be referred to as any criminal activity that involves the use and manipulation of a computer, networked device or a network. While most cybercrimes are carried out to generate profit for the cybercriminals, some are carried out against computers or devices directly to damage or disable them. Cybercrime has become a topical issue for most banks, as some fraudsters use dubious means to gain access to a bank's e-banking system to commit crime.

According to a survey of 522 financial institutions in the United States of America by the Computer Security Institute (CSI), there was an average annual loss of $500,000 to cyber fraud or cybercrime (Richardson, 2008). This suggests that cybercrime has become a big threat to the financial industry, requiring huge expenditure to prevent or control it. These technologically advanced threats have transformed the way in which financial institutions operate or transact business with their cyber systems. A very common example is the electronic banking (e-banking) system adopted by almost all banking institutions and most financial institutions. However, these advancements are said to have exacerbated the rate of cybercrime against financial institutions (Chambers, 2010). Because of the increased, or virtually total, use of computer systems in financial institutions, one mode of attacking these institutions is through cyber-attacks. Financial institutions are no exception to this phenomenon due to their adoption of ICT in their operations.

In order to combat such crimes, institutions need to put in place cyber security measures to prevent or control them. Von Solms & Van Niekerk (2013) provided a comprehensive definition of cyber security, which they said was providing security for information, information sources, assets and human beings through computer systems. This goes beyond the definition under which cyber security aims only to protect information. The authors posit that cyber security protects human beings and assets, which can also be targeted, and not just information as in the traditional definition.

            Problem Statement

Financial institutions, especially banks, are considered to be high-profile targets for cyber criminals, hence the need for them to dedicate resources to securing their cyber systems. Since they possess and transact huge amounts of money, they become targets of cyber-attacks. There is a thin line between ensuring the utmost security and balancing it with efficient and reliable operations devoid of cumbersome procedures for their customers.

In Ghana, the cybercrime industry has involved unauthorized access to the financial systems of firms and individuals by parties both internal and external to the institutions, email fraud, and other forms of crime carried out mainly through internet banking and other localized payment and mobile banking platforms. A 2018 report by the Bank of Ghana on banking fraud indicated that cybercrime had the highest percentage of attempted fraud, which was about 58%.

This phenomenon is, however, not exclusive to banking institutions; it also affects non-bank financial institutions.

Cybercrime poses a great threat to the financial sector, considering the monetary losses, the loss of data and the loss of customer confidence in the ability of financial institutions to protect their information. To prevent or control cybercrime, financial institutions adopt various mechanisms and strategies. It is, however, important for financial institutions to safeguard themselves against cybercrime during their operations. This warrants the need to investigate the cyber security practices of banks in Ghana.

The central bank of Ghana in October 2018 released a document which provides a framework for establishing Cyber and Information Security protocols and procedures for: routine and emergency scenarios, delegation of responsibilities, inter- and intra-company communication and cooperation, coordination with government authorities, establishment of reporting mechanisms, physical security measures for IT Datacentres and Control Rooms, and assurance of data and network security. The guide or protocol is aimed at standardizing and providing a base for cyber security practices. It is meant to be adopted by banks to control cyber-attacks.

Banks are expected to hold training for their staff so that they are aware of the directive and practise it where applicable. In order to determine the compliance level of the various banks, it would be prudent first of all to find out how aware the various staff are of the Bank of Ghana's new directive. It is also important to determine the various practices among banks in Ghana, so that their practices can be compared against the industry standards set by the central bank. This would also indicate their level of compliance with the new directive, which seeks to prevent and safeguard against cyber-attacks.

Hence this study seeks to delve into the practices of financial institutions in Ghana to prevent cybercrime. The study is, however, situated among foreign banks operating in the Ghanaian financial industry.

            Aim of Study

The main aim of this study is to delve into the practices, awareness and level of compliance with the new cyber-security directive among the foreign banks operating in Ghana. This would assess the prevailing cybersecurity practices and compliance. To achieve this aim, the following specific objectives have been outlined.

                  Specific Objectives

  1. To assess the level of awareness of Cyber Security among Foreign banks.
  2. To assess the practices of Cyber Security risk management among Foreign banks.
  3. To assess the level of compliance with the Cyber Security directive among Foreign banks.

            Research Questions

In order to achieve these objectives, the following questions have been asked:

  1. What is the level of awareness of Cyber Security among Foreign banks?
  2. What are the practices of Cyber Security risk management among Foreign banks?
  3. What is the level of compliance with the Cyber Security directive among Foreign banks?