Technology Banker May / June 2015 by Technology Banker

The Voice of Technology and Finance in Africa

www.technologybanker.com

May / June 2015 ÂŁ3.99

TECHNOLOGY QUESTION TIME Cyber Defence 101

Safeguarding sensitive data:

Technology evolution:

How to defend your digital assets from cyber attacks

The vital role that PCI DSS plays in reducing card fraud

The increasing challenge for cybercrime investigators

…the ideal solutions for SME growth

• SMERP Platform built for Micro, Small and Medium Enterprises (MSMEs) • Manages accounting, inventory, sales and a lot more • Supports MSMEs in manufacturing, retail, distribution, service providers etc. • Cloud solution developed to manage the operations of MSMEs • Offered as a service thereby removing the barrier to technology adoption by this segment • Tailored solution for the different business segments within the MSMEs space www.smerp.com.ng

Computer Warehouse Group Plc Headquarters Block 54A, Plot 10, Off Rufus Giwa Street Off Adebayo Doherty Road Off Admiralty Way Lekki Phase 1, Lagos

CWG webshop (Openshopen) is a secure, web based, online e-commerce platform that enables a store owner generally referred to as merchant to open her own individual online store where her products can be sold online. This easy e-commerce platform allows merchants to have their online shops in just three simple steps. It is a comprehensive solution that enables merchants to sell on the internet by creating an online store that uniquely identifies the merchant and her business online. www.openshopen.ng

Tel: 234-1-2706065 01-2809800 Ext.: 1000 Fax: 234-1-2706064 Email: info.cwl@cwg-plc.com Website: www.cwg-plc.com

Cyber Secu

ility

l Stab frica’s Financia

ications for A rity and its Impl

tering the ns are rapidly al tio va no in l ca d Technologi r both banks an ber security fo cy of e ap sc nd la s. payments system

ions into any cyber intrus m so g in be e nce in IT With ther lack of confide a d an ns tio itu step ahead financial inst ve to keep one ha s er id ov Pr t cyber security, Tech solutions agains n tio ec ot pr d ti-layere delivering mul of the game in industry. a’s Bank Tech attacks on Afric pace? ening in cybers So what’s happ r security for ications of cybe pl im g in ry or w vestigators, e look at the r cybercrime in fo e ng In this issue, w le al ch ng banks, ty, the increasi tions for African lu so r be financial stabili cy w ne re they are fully iders are finding can take to ensu how Tech Prov ns tio itu st in al at financi curity threats. and the steps th sophisticated se ly ng si ea cr in t protected agains doing g a new way of in id ov pr is n tio for , Mobile Innova of opportunity On the flip side g a new world tin ea cr g in in as th l el g xt bi ica, as w ing to be the ne go business in Afr is t ha w So r customers. banks and thei logy for Africa? Mobile Techno ease write r readers, so pl ou u, yo om fr hear would love to As always, we email. by your views to us and send , Warm Regards

Remi Akinjomo tor Managing Edi

www.technologybanker.com

Contacts: Publisher - Stefan Grossetti Editor - Ian Powell Deputy Editor - John Bennett Sales & Marketing - Jenny Howard Managing Editor - Remi Akinjomo Head of Operations - Monika Derfinakova Head Office UK 10th Floor, 88 Wood Street, London EC2V 7RS Tel: +44 (0) 1442 459 1536 info@technologybanker.com www.technologybanker.com Nigeria Partners Humid Links House 5B, Close D, Oba Oyekan, Lekki, Lagos

The contents of this publication are subject to copyright protection and reproduction in whole or part, whether mechanical or electronic is expressly forbidden without prior written consent of the editor. Views expressed in the publication do not necessarily reflect those of the editor or publisher. We welcome contributions, however, publication is at the discretion of the editor. We also take no responsibility for the return of materials. Whilst every care is taken to ensure accuracy, we cannot be held liable for any inaccuracies. All rights reserved.

©Technology Banker 2014 ISSN 2051-9443

MAY / JUNE 2015

www.technologybanker.com

May / June 2015 Edition

News in Brief

Debunking the Myths about PCI DSS

Adedoyin Odunfa, CEO of Digital Jewels Ltd, explains the critical success factors that will help you to attain the PCI DSS standard and debunks some of the common misconceptions that surround it.

Cyber Defence 101

There’s much more to building an effective cyber defence than having good technology, writes James Hampshire, Senior Cyber Consultant at Control Risks. It also requires a combination of people, policy and process controls.

18 Giving banks the edge on security

Technology Question Time

Jaiz Bank’s CISO, Adefemi Onanuga, talks about the importance of prevention, using the best technology and keeping “an eagle eye on information security”.

Delivering cyber security solutions in Africa

Looking Back on the Road to Success

Thinking outside the box

Events for your Diary

Patrick Grillo answers questions about security awareness and providing innovative security models for data and systems.

In our Technology Q&A, Richard Amafonye talks about value innovation, seeing the ‘big picture’ and the influence of Bill Gates.

Martin Koffijberg, Director of Security Solutions Why Information Technology is the backbone for Marketing at Diebold EMEA, answers questions business success. about security solutions that protect financial institutions against evolving security threats and help 42 Content is key in security training them to become more efficient. Brian Reed, Director of Inspired eLearning, gives expert advice on the most effective ways to 22 Curbing the menace of cybercrime in provide employees with online security and privacy Nigeria training. Seyi Akindeinde, CTO at Digital Encode, writes about the concerted efforts that are currently 44 The Secrets of Sustaining Financial being carried out to tackle this increasing problem. Inclusion

Building control into your business

The flexibility and benefits of a COBIT 5 Business Framework.

www.technologybanker.com

MAY / JUNE 2015

NEWS IN BRIEF

Taking advantage of a new dedicated service

AXA set to enter Nigerian market after Mansard acquisition The Nigerian company, Mansard Insurance Plc, has been acquired by AXA, a French-based global insurance player in insurance and asset management and will change its name to AXA Mansard Plc. Mr Victor Osibodu, Chairman of Mansard Insurance, said the company would benefit from limitless access to global resources, capacity development and stronger brand recognition, especially in corporate space, as a result. “These will transcend to better service delivery, product innovation and increased returns for shareholders,” he told shareholders at the company’s recent AGM in Lagos. Mr Osibodu explained that the acquisition was made after AXA, which has 160,000 employees, serving 102 million clients in 56 countries, had acquired 100 per cent equity in Assur Africa Holding (AHH) in December 2014. “AHH held 77 per cent stake in Mansard Insurance Plc before its acquisition, thereby making AXA the beneficial owners of Mansard,” he said. The Chairman added that Mansard Insurance had successfully obtained regulatory approval to acquire a 60 per cent stake in Penman Pensions Ltd. This acquisition was achieved without borrowing.

MAY / JUNE 2015

Ecobank Nigeria has launched Advantage Banking, a new dedicated service that aims to make banking simpler, friendlier and more convenient for affluent and upwardly mobile customers. Deputy Managing Director, Mr. Anthony Okpanachi, said the new service was designed to ensure that customers would receive the quality of service they desired. “We have a bouquet of lifestyle enriching products available to address their day-to-day banking needs,” he said. Advantage Banking customers will receive a number of special privileges, including entitlement to a Zero COT on salary accounts, access to e-banking and remittance services, access to overdrafts on salary accounts, which act as extra cash whenever the need arises, and a dedicated relationship manager, who will provide customers with all of their banking needs.

Cardholders to benefit from expanded e-banking agreement Emerging Markets Payments Company (EMP) has announced the expansion of its e-banking agreement with First City Monument Bank Limited (FCMP). This means the EMP has now started issuing Naira debit cards for FCMB, as well as continuing to provide processing services under the agreement. EMP’s Chief Executive Officer Murat Ozuiku said, “Over the years, EMP has been able to support partner banks to achieve their business strategy by providing solutions that render cardholders a seamless, convenient and secure payment experience. “We believe that expanding FCMB’s card offerings with EMP will provide cardholders with more tools that best cater to their needs, encouraging them to take advantage of the various benefits of electronic payments.” Debit card applications can be made at FCMB branches across Nigeria.

Skye’s the limit for new partnership with IFC Skye Bank Plc has formed a consultancy partnership with the International Finance Corporation (IFC) to evolve an effective lending framework for medium, small and medium enterprises (MSMEs). The objective is to produce a new lending framework for SMEs that de-emphasises reliability on collateral by focusing primarily on evaluating business viability. The new framework means that Skye can consider non-traditional collateral options outside real estate when a business passes the viability test in order to reduce the difficulties business owners face while trying to secure credit facilities from banks. A statement from the bank says the lender has now concluded plans to stop charging commission on turnover (COT) on all retail current accounts, well ahead of the Central Bank of Nigeria’s deadline.

www.technologybanker.com

BUILDING FORMIDABLE

INSTITUTIONS. B R I C K

B Y

B R I C K

Developing Capacity & Capability by Strengthening IT Processes, People, Controls, Security & Governance across Africa. Digital Jewels Limited is an Informa�on Value Chain Consul�ng and Capacity Building Firm with a focus on IT Governance, Risk & Compliance and with deep competencies in Informa�on Security, Informa�on Assurance, Project Management, e‐business & Knowledge Capacity Development. The Firm is the First and Only Professional Services Firm in Africa to be accredited to the ISO27001 Global Standard for Informa�on Security and is also a Payment Card System Industry Data Security Standard Qualiﬁed Security Assessor (PCIDSS QSA).

C O N TA C T U S T O D AY

Secure . Assure . Enable . Empower . Manage Plot 12, Frajend Close Osborne Foreshore Estate, Ikoyi Lagos. +234(0) 815 200 0120 | www.digitaljewels.net

digitaljewels

@digitaljewels

NEWS IN BRIEF

Kenyan bank profits from strategic realignment and leadership changes

Equity Bank’s telecom service plans hit another new hurdle The Nigerian company, Mansard InsPlans to launch Equity Bank’s telecom services in Kenya face a new hurdle, following an objection by Safaricom about the technology the bank intends to use to rollout. In a letter to the Communications Authority, Safaricom’s Chief Executive Bob Collymore says Equity Bank should be prohibited from issuing thin SIM cards as they could expose subscribers to both financial fraud and intercepted communication. Users can overlay them on their primary SIM card, regardless of the network, and subsequently receive services from two mobile service providers. Safaricom – Kenya’s largest mobile company – is concerned about the security of its money transfer service, M-Pesa, which it says would be vulnerable to attacks. As a result, it wants the Communications Authority to invite the GSM Association to review the risk posed by the technology to other mobile operators and subscribers. “In the meantime, we call on the Communications Authority to prohibit its use in Kenya,” Mr Collymore says in the letter, copied to the Central Bank of Kenya and Equity Bank through its subsidiary, Finserve.

MAY / JUNE 2015

UBA Bank Kenya recorded a profit of Sh2.9 million in March 2015, which is up from a loss of Sh50.9 million in the same period last year. The bank said this represents a 105.7 percent growth. The bank also benefited from an enhanced sales strategy that led to a 37.22 per cent increase in customer deposits – from Sh2.8 billion in March last year to Sh3.9 billion in March 2015. This bank’s improved performance has come on the back of a strategic realignment made late last year, which also began with the hiring of Isaac Mwige, the bank’s first Kenyan Chief Executive Officer.

South Africa’s battle of the banks The latest full-year data from South Africa’s biggest retail banks reveal there is a clear battle between FirstRand and Standard Bank Group to be the biggest bank in the country. Looking at the market value, customer base and profits of all the banks in the country, Standard Bank and FirstRand come out as the top two contenders for the title. Standard Bank lost its crown as South Africa’s most valuable JSElisted bank last year when FirstRand Group overtook it in terms of market capitalisation, and further stumbles in 2015 have meant that the FirstRand Group remains firmly in lead position with a market cap of R320.4 billion, compared to Standard Bank’s R280 billion. Standard Bank still has the biggest customer base in South Africa, however, followed by Absa. FirstRand’s retail banking arm, FNB, was the only bank that saw a drop in customer numbers, year on year, between 2013 and 2014. In its full year report for 2014, FNB indicated a customer base of 7.1 million customers, which was down significantly from the 7.6 million reported in 2013. However, the loss of the government’s social grant tender resulted in the bank losing a large portion of its mass market customers, which accounts for the decline. In December 2014, 6 months after the reported full year results, FNB reported having 7.3 million retail customers in South Africa. The last measure for title of the “biggest” looks at revenue, and more importantly, profits. Standard Bank boosted both their revenue and profits by 15% in 2014, with revenue pushing up to R84.2 billion and profits to R18.1 billion. FirstRand prefers to report normalised results, believing this to be the most accurate reflection of its economic performance. It reported a boost in normalised earnings to R18.7 billion in 2014, making it the biggest profit spinner of all the banking groups. However, the breakdown of FNB’s financial performance provides more insight into the bank’s income at retail level. It recorded a net income of R37.6 billion, and normalised earnings of R9.46 billion for the last financial year ended June 2014.

www.technologybanker.com

NEWS IN BRIEF

STANLIB Ghana launched in Accra Africa’s leading asset manager, STANLIB Africa, and its holding company, Liberty Holdings Limited, have launched STANLIB Ghana to increase its footprint in Africa. The asset manager acquired a 100 per cent shareholding in Stanbic Investment Management Services (SIMS) Ghana, which is now called STANLIB Ghana, last August. Speaking at the launch in Accra, STANLIB Ghana’s Chief Executive Officer, Mr Emmanuel Alex Asiedu, said the acquisition meant that STANLIB Ghana is now able to tap into the vast experience of STANLIB Africa. He explained that that the changeover would enable STANLIB Africa to gain from both the local firm’s solid reputation and its strong institutional client base. Mr Asiedu said the acquisition of shares of SIMS Ghana by STANLIB Africa had granted them valuable access to a long tradition of investment excellence right across the African continent. Initially, SIMS Ghana’s traditional products included money market , fixed income, equities and multi-asset funds, but the CEO said it had also provided STANLIB Ghana with a wider range of products for its growing client base, which included offshore investment schemes that could provide some currency diversification.

Momentum Grows For Axiros in IoT, Device Management Momentum continues to grow for Axiros, the technology leader in device management, TR-069, and IoT solutions for service providers, enterprises, and OEMs. The company announced further growth and product investment as demand accelerates for its device management and Internet of Things (IoT) products. “Interest in IoT is certainly a hot topic right now and there is a lot of interest in our solution, but device management is still driving a large portion of our business,” commented Kurt Peterhans, CEO of Axiros. “As we continue to invest in our technology to stay ahead of market needs, we further our globalization with new customers and partners in areas of the world previously untouched, and are delighted with the possibilities of how device management can change the way the Internet is consumed.”

www.technologybanker.com

Tanzanian bank to raise capital for future expansion CRDB Bank plans to raise capital through a rights issue for its ambitious local and regional expansion drive. Despite controlling less than 20 per cent of the market’s share, its capital ratio is not adequate enough to fund its growth strategy and branch optimisations. CRDB’s Chief Executive Officer, Dr Charles Kimei, said another reason for raising capital was the regulator’s decision to increase core capital and the total capital adequacy ratio by 2.5 per cent. “Though we have a strong capital position at the moment, we still need to raise an extra capital to sustain our growth and profitability in the future,” said Dr Kimei, who was presenting the 2014 financials before investors, shareholders and financial analysts at the bank’s CRDB Analysts Day. The bank has decided to raise additional equity capital through the right issue, following a recommendation made by its board in March. If all goes as planned, the rights offer will be conducted in June after it has received blessings from both the DSE and CMSA. Dr Kimei said the rights issues ratio will be five to one, which means each five shares have the right of one, and at a price that is normal at discount. This will be determined after the AGM, which takes place later this month. “The right offer is anticipated to be fully subscribed by a strategic investor(s), who will buy the remaining shares if current shareholders turn down the offer,” said Dr Kimei.

MAY / JUNE 2015

NEWS IN BRIEF

Malawi takes key step to advance digital payments and drive inclusive growth Malawi took a significant step towards creating a digital payment ecosystem in order to address poverty and drive inclusive growth. An event organized by the Government of Malawi with the United Nations Capital Development Fundâ&#x20AC;&#x2122;s (UNCDF) Better Than Cash Alliance and Mobile Money for the Poor initiatives brought together digital payments players to accelerate the progress of digital finance in Malawi. Making payments in cash can be expensive and inefficient for governments, companies and international organizations. Cash is also difficult to trace, and extremely vulnerable to theft and loss. Many people living in poverty only use cash, and this is a key barrier to broader financial inclusion because cash makes it costly to provide financial services. According to UNCDF, in least developed countries such as Malawi mobile penetration is at 30 percent while access to a bank account is at 14 percent. Mobile payments can therefore be one way to accelerate this shift.

The Future of MSMEs is Bright in Nigeria Minister of Industry, Trade and Investment, Olusegun Aganga said the present administration has put in place necessary structures needed for the development of Micro, Small and Medium Enterprises in the country. Speaking when he paid an unscheduled visit to the Headquarters of Small and Medium Enterprise Development Agency of Nigeria (SMEDAN) in Abuja Monday, Aganga noted that the Micro Small and Medium Enterprises (MSMEs) remained critical to the development of the countryâ&#x20AC;&#x2122;s economy. Aganga also noted that the launching of the N220 Billion MSME fund by Mr. President last year is also a pointer to the fact that MSME is a top priority of the present government; this is the only government that has put up a structure for the development of the MSMEs. He disclosed that the administration has equally opened SMEDAN offices in every state of the federation so as to bring the benefits of the sector closer to the people.

MAY / JUNE 2015

Telecel on Licence Cancellation Telecel Zimbabwe has been notified by the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) of the cancellation of its licence to provide national cellular telecommunications services. This measure is unfair and unwarranted. Telecel has made every effort to comply with all legal and governmental requirements in Zimbabwe, and objects to this treatment in the strongest terms. Telecel and its global shareholders are taking immediate action both locally and internationally to challenge this decision. Telecel would like to assure its customers and stakeholders that it will take all possible steps to maintain the full range of its services throughout this process. We thank all our valued customers and partners for their on-going support. Your welfare is of the utmost importance and priority to us and we will continue to act in the interests of Zimbabwe and its people.

United Bank Commences Agent Banking System United Bank has officially launched an agent banking service on Friday 24th April in Ethiopia dubbed Hi-bir Agent Banking Service It would enable people to undertake any transaction at any of the bankâ&#x20AC;&#x2122;s agents such as gas stations, supermarkets or small shops - providing reliable banking services to remote areas of the country, the Ethiopian Herald reports. He said this would benefit agents as they would be commissioned for the service delivery, as well as customers, who would gain local access to banking services. So far, around three thousand customers have registered to use the service and there are 93 agents across the country. Anyone who is involved in legal business within Ethiopia can be an agent of a financial institution and the services to be rendered include receiving money, withdrawals, transfers, paying for services and checking balances. The bank will also provide mobile banking services.

www.technologybanker.com

All about technology for banking and finance in Africa

The Voice for Banking and Finance in Africa

000 111 000 111 Unfortunately, value sometimes 0 0 0 111 ends up in less than valuable locations. 000 111 000 111 000 111 000 111 000 111 000 111 000 111 000 111 000 111 000 111

0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

â&#x20AC;&#x153;Information is powerâ&#x20AC;?. Value it.

C O N TA C T U S T O D AY Plot 12, Frajend Close Osborne Foreshore Estate, Ikoyi Lagos. +234(0) 815 200 0120 | www.digitaljewels.net

digitaljewels

Secure . Assure . Enable . Empower . Manage

@digitaljewels

SECURITY

Debunking the Myths about PCI DSS Adedoyin Odunfa, CEO of Digital Jewels Ltd, explains the critical success factors that will help you to attain the PCI DSS standard and debunks some of the common misconceptions that surround it.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements that have been designed by the PCI Security Standards Council (PCI SSC) to protect cardholder data.

www.technologybanker.com

Five major credit-card companies jointly created the PCI DSS in 2004 – Visa, MasterCard, Discover, American Express and JCB – and the standard seeks to ensure that ALL companies processing, storing or transmitting credit

card information maintain a secure environment. The Council (PCI SSC) is responsible for managing the security standards, while compliance with the PCI Security Standards is enforced by the payment card brands (Visa, MasterCard, Discover, American Express and JCB). The PCI DSS, now in version 3.1 (released April 2015), specifies six major objectives, which have been broken down into 12 requirements on a high level: The Myths There are several misconceptions around this standard. The most common of these are: 1. A piece of cake: if you approach PCI DSS casually, it can lead to indigestion and an empty wallet! An organisation that does this may find itself spending a lot of their time and budget on both technology and attempting assessments, without actually attaining the requirements of the standard. PCI DSS certification exercises in Nigeria can take anywhere between 4 months and two years, depending on the organisation’s state of readiness, it’s understanding of the process, resource sufficiency and overall approach.

MAY / JUNE 2015

NEWS IN BRIEF

with the standard. Critical success factors In essence, the PCI DSS follows the common-sense steps that mirror security best practices. Note however, that this is not a single event, but a continuous ongoing process. The critical success factors listed below can enhance your efforts to both attain and sustain compliance to the standard.

2. A quick fix: a PCI DSS certification process is anything but a quick fix. It requires a painstaking detail-oriented process that is focused on meeting the hundreds of controls contained in the standard. A good starting point is to understand and properly scope your Cardholder Environment (CDE). Assessing the CDE, remediating observed non-compliances and generating the Report of Compliance (ROC) are all part of the process. Beyond certification, the standard requires quarterly scans to be conducted by a PCI SSC Approved Scanning Vendor (ASV), as well as quarterly network vulnerability scans. The full assessment has to be repeated each year in order to maintain the certification. 3. “PCI DSS in a Box”: beware of technology vendors that attempt to sell a bundle of products with the promise that it will assure compliance to the standard. The technology is no doubt important, but the configuration of the technology – firewalls, IDS/IPS, log management, etc. – is probably more critical. Furthermore, attention is required to review the relevant processes, policies and procedures in order to attain compliance

MAY / JUNE 2015

1. Get an effective sponsor: getting a senior management member of staff, who is well respected in the organisation and has an interest in this standard, will go a long way to ensure that the journey to PCI DSS compliance progresses seamlessly and according to plan. With resource sufficiency being a common pain point, an effective sponsor can help to ensure that a strong team is put together and to secure their availability through the course of the certification project and beyond. Remediation of non-complaint items often involves the purchase of additional technology components, some of which can be quite expensive. The sponsor’s clout can help to secure the necessary approvals to make timely purchases. In contrast, the absence of an active sponsor support can easily lead to the initiative floundering and losing steam. 2. Choose the right partner: consultants can help to unravel the complexity of the PCI DSS standard by conducting an objective gap assessment and providing expert support in the remediation journey. It is important to select consultants who have the expertise, experience and a verifiable track record to reduce your risk of failure and improve your chances of getting it right first time and on time. PCI DSS compliance assessments can only be conducted by PCI DSS Qualified Security Assessors (QSAs). These are organisations that have undergone a stringent review process by the PCI SSC and have the trained and certified staff

within their employment. Digital Jewels is a PCI DSS QSA with jurisdiction in the CMEA region, significant expertise, a strong track record and excellent references. Nigeria as a case in point Nigeria may have more PCI DSS certified organisations today than any other African country, as a result of a requirement by the Central Bank of Nigeria (CBN) that mandates all players in the e-payments value chain to be certified to this standard. This mandate covers all banks, switching companies and payment companies. The CBN made the standard mandatory in February 2012 through a circular to all the banks and a newspaper article. The impetus for this was the rapid development of the Nigerian payment space, propelled by a need for financial inclusion by regulatory authorities and other stakeholders. The Nigerian market has been heavily cash denominated over the years, resulting in a vibrant informal economy with the attendant challenges, such as security and safety. The focus on financial inclusion has resulted in an upsurge of electronic delivery channels, including payment cards, (which had transited ahead of even the more developed economies from mag stripe to EMV), ATMs, internet banking platforms, and more recently, Mobile Banking platforms. The Nigerian Banking regulator, CBN, selected the PCI DSS to help to counter some of the risk that is associated with electronic delivery channels by protecting cardholder data. According to information from Digital Jewels Research Labs, there were 24 PCI DSS certified organisations in Nigeria in March 2015, with about 70% of them being banks and a handful of implementations ongoing.

www.technologybanker.com

TECHNOLOGY INNOVATION

Cyber Defence 101 There’s much more to building an effective cyber defence than having good technology, writes James Hampshire, Senior Cyber Consultant at Control Risks. It also requires a combination of people, policy and process controls. Cyber risk now ranks alongside the most serious threats facing businesses today. Although most businesses are aware of “cyber” at a high level, many do not

www.technologybanker.com

identify, assess and manage the specific cyber risks to their business. Companies also often make the mistake of thinking of cyber as a purely technical risk, when

in reality it is a business risk that requires a holistic response.

MAY / JUNE 2015

TECHNOLOGY INNOVATION

Identifying what needs protection It is impossible to defend something if you don’t know what it is that you need to defend. Despite this, many companies do not design their defences on the basis of their specific digital assets. Instead, they focus on defending their perimeter against attacks. Indeed, many companies do not even have a comprehensive understanding of what digital assets they hold that may be valuable to attackers. The digital assets that require protection broadly fall into one of three categories. These are: 1. Assets where a third party requires them to be protected. Specific defences can be mandated by third parties, in particular by legislation and regulation. For example, some countries have specific legislation that covers data security within the critical national infrastructure, with governments taking an active role in setting and maintaining standards. Regulators also set standards, often relating to personal or payment card information. Finally, third parties you have a business relationship with may set standards as a requirement for doing business with you. 2. Business critical assets: These are assets that a business knows it should protect, as a breach would have a clear and direct impact. For example, customer and transaction data are key assets for financial institutions. 3. Assets that have an indirect or less tangible business impact: These are assets where compromise, whilst less immediate or tangible, can still have a significant impact on a company. For example, corporate strategy documents that deal with market entry, documentation about planned M&A

deals, or sensitive board papers all have the potential to cause significant damage if compromised. To defend effectively against cyber attackers, it is essential that businesses identify their digital assets and then prioritise them according to both their business impact (i.e. the cost to the business if the assets were compromised) and the likelihood of attack. This allows security investment to be prioritised on assets that are valuable to an attacker, and whose loss will have the most impact on your business. The second stage of building an effective defence is to work out where these assets are located. This is critical, as it will have a significant impact on a company’s vulnerability. The location can vary between companies, and within a single company. For example, assets could be stored on a local network, or an outsourced datacentre or cloud provider. How to protect identified assets Traditional cyber defence has focussed on securing a network’s perimeter with technology, including firewalls and intrusion detection systems. However, modern attackers increasingly bypass the perimeter and target users directly, via phishing emails1 or watering hole attacks.2 Once an adversary has compromised a user, they are inside your network. Depending on how the network is designed and where the data is, they will be able to move laterally around the network and escalate their privileges (i.e. increase their level of access). By prioritising security investment on critical assets you can apply additional layers of protection to those areas that will significantly damage your business should they be compromised by an attacker. Some technical controls that

What damage can data breaches have on a business? Operational damage: business processes can be disrupted or destroyed, resulting in revenue or profit impact, e.g. payment processing systems being disrupted. Direct financial loss: assets or cash stolen or can be damaged, e.g. money stolen from accounts or the replacement cost of computers rendered unusable by malware. Legal damages: compensation or damages can be payable following confidentiality breach, e.g. compensation payable to customers following a leak of personal information. Deal-specific compromise: confidential information that is compromised during a deal, e.g., an increase in the price paid in an M&A transaction because the selling party has full access to the buyer’s negotiation strategy. Long-term competitive damage: a competitive advantage eroded through competitors accessing confidential information, e.g. loss of opportunity as a result of a competitor stealing business strategy documents. Reputational harm: public embarrassment after being compromised, e.g. long-term revenue loss after a cyber attack becomes public. Employee welfare: employee health, safety or well-being is affected, e.g. employees put at risk after personal data is leaked.

A social engineering attack which involves sending an email, with the aim of getting the recipient to open an attachment or click on a link (thereby downloading malicious software) or to give confidential or personal information. 2 A hacking technique where the attacker injects malicious software into legitimate websites that are most visited by the target audience the offender wants to penetrate. The users are then infected when visiting that website. 1

MAY / JUNE 2015

www.technologybanker.com

organisations could consider using to protect their critical assets include: •• Network segmentation: implementing technical controls across your network so that compromising a single user does not compromise the whole network •• Individual or role-based access permissions (i.e. not everyone has access to everything by default) •• Two factor authentication •• Encryption of sensitive data at rest and in transit •• Using a virtual private network to access your corporate systems remotely. Another implication of the decline of the perimeter is that traditional (“external”) penetration testing does not give you an accurate picture of your vulnerabilities, as a savvy attacker can bypass your external controls with a phishing email. An external penetration test usually involves scanning the perimeter for vulnerabilities, but an “internal” penetration test gives you a much more realistic perspective of your defences as it simulates an attacker having access to a compromised machine on the network. However, applying technical controls in isolation does not lead to good defence. The US retailer Target had an advanced technical system that monitored their network and alerted them to a compromise in 2013. Unfortunately, they did not have a business process in place to make sense of what the system was telling them, so they could respond appropriately. This allowed the attackers to take 70 million customer records. The breach has cost Target an estimated $162 million (not including the $90 million costs that were covered by insurers). Computers do not attack computers and systems, it is people who do this by using computers. So business, people and process controls are equally as important

www.technologybanker.com

in designing cyber defences. Some key steps all businesses can take include: •• Understanding the specific threat that you face so that you can actually defend against it. •• Ensuring cyber security is seen as a business risk, not an IT risk, as cyber breaches can have a massive impact on the business and board-level ownership. Cross-company awareness and buy-in are also crucial to good cyber security, especially when the attackers rely on compromising individual users. •• Ensuring that this business culture of cyber security is underpinned by policies and processes that balance security with business need.

Responding to a breach No organisation can guarantee 100% security against cyber breaches. Only recently, the US government disclosed that malicious attackers had penetrated the White House network. On this basis, detecting and responding to a breach quickly and efficiently can minimise the potential damage caused by the incident. The key aspects of responding to any crisis are planning, testing and implementing. Planning is vital to enable a swift and decisive response when a breach occurs. Most administrative and logistical planning can be done in advance, and it is important to have clearly defined policies and procedures, roles and responsibilities, call-out systems and data recovery procedures. Planning is fundamental, but it is difficult to remember the specifics of a plan you read about 12 months ago when you are called in the middle of the night with news of a breach. Companies need to ensure that their plans are regularly tested

by using realistic scenarios that draw on their understanding of the threat and generating the most likely compromise scenarios. It is also important that these tests are fully debriefed and the plans are refined and updated, if required. When you do have to respond to a real breach, stay calm. A bad breach response can be as damaging to the company as the breach itself, so act swiftly but in a considered manner. Of course, if you have exercised your plans then you will be able to cover the basics instinctively, allowing you to concentrate on the important decisions. Finally, don’t let the technical incident response drive crisis management. The technical/forensic response to a breach is vital in stopping more damage, getting the business back up and running, and gathering evidence. But remember, good business-led crisis management looks at the bigger picture and coordinates across all of the additional areas of investigation, communication and general business continuity. Good cyber defence is more than a firewall To summarise, a good cyber defence is about more than using good technology. It combines people, policy and process, along with technology. It is about understanding what your critical digital assets are and the business impact will be should they be compromised. Finally, it is about appreciating that cyber breaches do not just happen to other people and your company could be the next victim, so being prepared and ready to respond is vital.

MAY / JUNE 2015

ATM

Giving banks the edge on security Martin Koffijberg, Director of Security Solutions Marketing at Diebold EMEA, answers questions about security solutions that protect financial institutions against evolving security threats and help them to become more efficient.

In what ways can Diebold’s innovative solutions help banks and financial institutions to treat ATM security as an enterprise-wide risk and develop a clear risk appetite? And how can this be done in a way that suits their specific circumstances, especially in remote locations of Africa? ATMs have become an important component of financial institutions’ strategy, as consumers rely on them not only for cash withdrawal, but also for an increasing number of non-cash related transactions. The success of

MAY / JUNE 2015

an ATM network strategy relies on its availability at all time and its safe use. Trust is one of the most critical elements of a positive banking experience. Financial institutions face a large number of threats, including card and cash fraud, logical attacks and physical attacks. As these become increasingly sophisticated, security has become one of their top priorities because fraud can have a negative impact on a financial institution’s image, as well as lead to substantial losses. Diebold has been securing

confidence for financial institutions and their customers for over 150 years and continues to deliver purposeful innovations that manage risk. Our multi-layered security solutions help to enhance the consumer experience and add efficiency to financial institutions’ operations, even in the most remote locations, while also protecting financial institutions against evolving threats. Diebold recently announced Diebold ActivEdge, the greatest weapon against card fraud. While current skimming technology relies upon its ability to

www.technologybanker.com

ATM

read the full magnetic stripe to copy card data, ActivEdge requires a card to be inserted sideways, i.e. with the long edge first and magnetic stripe facing down. This makes all current skimming devices obsolete because they will never be granted access to the entire magnetic stripe. This revolutionary technology provides a simplified security solution that prevents attacks from every vector. Another security solution recently launched is Dieboldâ&#x20AC;&#x2122;s Self-Service Trusted Computing, which features a self-encrypting hard drive with trusted boot technology to secure the integrity of the software stack. All data on the hard drive are encrypted and the hard drive remains locked until the proper credentials are provided to unlock the hard drive at system startup, offering financial institutions total peace of mind. As attacks become more sophisticated, Diebold is committed to ensuring that all existing solutions are relevant to counter both current and future threats.

www.technologybanker.com

What types of ATM threats are there, and what steps should be taken by banks and financial institutions to secure their ATMs? Financial institutions need a comprehensive approach to ATM security as they face three different types of threats: card and cash fraud, physical and logical attacks. More than ever, they need multi-layered defence with different solutions to detect, prevent and deter all types of breaches. With card and cash fraud, criminals illegally obtain cards, card data, PIN data, withdrawals or deposits from an ATM, relying on fraudulent operations, such as card skimming, phishing and trapping. Financial institutions should not underestimate these threats, as losses associated with skimming attacks total more than $2 billion annually worldwide, according to the ATM Industry Association. Anti-skimming technology, such as the Diebold ActivEdge card reader, is crucial to stop these attacks. To limit

cash fraud, financial institutions need to deploy secure cash dispensers that can detect cash trapping and prying attacks. Cameras can also be installed on ATMs, even though this is more for evidence purposes. Physical security threats at the ATM are intended to penetrate the safe or safe door through forceful attacks. Mechanical tools, thermal lenses and gas or solid explosives are used by criminals to compromise the safe. In 2013, the South African Banking Risk Information Centre (SABRIC) projected that ATM bombings for the full year of 2013 would be between 158 and 278 incidents, with a total industry cash loss estimated at 3.6 million Euros. Financial institutions therefore need to ensure their ATMs are protected against these attacks. They can choose from a range of safe and lock options in order to fulfil a variety of safe security requirements and global standards, such as the European Committee for Standardisation (CEN). Gas and

MAY / JUNE 2015

ATM

explosive ratings have also been added to safes. Besides this, financial institutions should utilise a built-in alarm panel that collects and sends all sensor information to an alarm centre, a crucial step to getting an early notification of a developing attack. It is important to consider a variety of security features to protect the entire ATM environment and help deter the many types of physical attacks. Threats are continuously evolving and logical attacks can be some of the most damaging ones in terms of financial losses and the consumer data that is compromised. They target the ATM’s software, operating system and communications systems and are very difficult to detect. Logical fraud, which includes malware/hacking (that violates the confidentiality, integrity or authenticity of transaction-related data) and malicious software, such as viruses, worms, Trojans and rootkits, poses an ever-increasing threat to the security of ATM networks. Diebold recommends a multilayered protection against logical threats for total protection. A first layer, and the best protection against offline attacks, is hard drive encryption, as provided by Diebold’s Self-Service Trusted Computing solution. We recommend endpoint protection, such as the Symantec technology, against online attacks, which we use on our ATMs. This technology enables the installation of a firewall that stops ATMs from connecting to unknown devices or vice versa, as well as blocking any unknown USB stick. It has a blacklist of known ATM malware which blocks them, whilst its SONAR technology can recognise more than 1,400 suspicious behaviours. In addition, communications between PC and critical devices like the dispenser, the card reader and EPP should all be encrypted. Lastly, we should not forget the human factor.

MAY / JUNE 2015

Technicians who perform any operation on the ATM should have secure tokens to connect to ATMs, instead of using a User ID and password, making it more secure and easier for financial institutions to manage. Threats at the ATM are real and can have damaging effects on financial institutions and we, at Diebold, believe that a multi-layered solution provides total protection. What are the key regulations and compliance that banks and financial institutions in Africa must adhere to? Two major global standards are the Payment Card Industry Data Security Standard (PCI DSS) and the EMV chip card processing. The PCI DSS is a set of data security standards introduced by the payment card industry to ensure that all businesses and organisations that process, store or transmit credit card information maintain a secure environment. The objective is to protect cardholder payment data and cover security management, policies, procedures, network architecture, software design and other critical protective measures. These standards have been developed due to the rising incidence of stolen cardholder account data, which has become a major concern for all participants in the payment card industry. Another important global standard is the EMV chip technology, also known as ‘chip and PIN’, which features payment instruments with embedded microprocessor chips that store and protect cardholder data. This embedded microprocessor provides strong security features and other capabilities, which are not possible with traditional magnetic stripe cards. According to official figures by EMVCo, nearly 30% of all cardpresent transactions conducted globally between July 2013 and June 2014 used EMV chip technology, and the EMV

chip transaction volume in Africa and the Middle East reached nearly 76%. EMV chip technology, combined with PCI Security Standards, offers a powerful combination for increasing card data security and reducing fraud. What does Diebold feel will be the biggest fraud risk to the ATM channel over the next few years? We believe that skimming will remain an important threat in the next few years. A number of countries, including the United States, are in the process of migrating their payment infrastructure to EMV chip technology. However, cards will keep a magnetic stripe as long as countries around the world use it, and skimming will continue to represent an opportunity for fraudsters. However, criminals are already looking for new ways of attacking ATMs and we are seeing an increase in malware attacks. We believe that this will be one of the major threats at ATMs that financial institutions will face in the next few years. Diebold has always been committed to staying one step ahead of the game and offers solutions on both new products and older models to ensure that financial institutions’ ATM networks are fully protected.

www.technologybanker.com

FREE PASSES FOR MERCHANTS AND EXCLUSIVE RATES FOR BANKS AND MNOS

19 - 21 MAY 2015 HYATT REGENCY, JOHANNESBURG, SOUTH AFRICA BOOK BE FORE 10 APRIL 2015 TO BENEF IT FROM TH E EARLY BO OKING DISCOUN T!

AN EXCITING THREEDAY PROGRAMME FEATURING: Kim Dancey, Strategic Legal Advisor, FNB eWallet Solutions

Kimathi Githachuri, Head of the Helix Institute of Digital Finance, MicroSave

Hillary Miller-Wise, CEO, Africa Region, Grameen Foundation Kevin Marisia Amateshe, Product Manager Orange Money, Orange Kenya Dr Tumubweinee Twinemanzi, Head â&#x20AC;&#x201C; Competition and Consumer Affairs, Uganda Communications Commission

Peter Goldstein, Program Director, Financial Inclusion Insights Program, InterMedia Charles Inwani, Regional Cash and Voucher Programme Officer, UN World Food Programme Ronald Wakabi, Product Manager, Diamond Trust Bank, Uganda

FOCUSING ON THE FOLLOWING TOPICS: Is there a place for NFC in Africa? Is interoperability between competitors the best way to achieve scale and sustainability? Will cryptocurrency make waves or drown? Can new regulations standardise best practice in cross-border remittances? Financial Inclusion: Are we really meeting development goals? What will the African payments landscape look like in 2015?

SCALING AND SUSTAINING AFRICA'S CASHLESS FUTURE www.mobile-money-africa.com

SECURITY

Curbing the menace of cybercrime in Nigeria There has been a dramatic growth in both the number and sophistication of cyber attacks in Nigeria, which has resulted in serious economic losses. Seyi Akindeinde, CTO at Digital Encode, writes about the concerted efforts that are currently being carried out to tackle this increasing problem.

Cyberspace is a place full of exciting innovation and opportunity, as well as good people. It is also, however, a place of risk and danger, where bad actors will take advantage of security weaknesses to cause harm. Banks and businesses that operate in cyberspace are therefore vulnerable to an everevolving number of threats, which range from identity and data theft to espionage and the disruption of critical functions, carried out by many different kinds of criminals, including nation-state actors. As Nigeriaâ&#x20AC;&#x2122;s reliance on cyber networks has grown, so have the number of incidents that impact on the safety of our online operations. We need to understand that cybercrime is very lucrative, as it is a relatively easy way for criminals to make

MAY / JUNE 2015

money. The tools, techniques and services that are needed to perpetrate these cybercrimes can be readily found or purchased through the internet, while mobile technology, outsourcing and data sharing trends have also potentially heightened our exposure to these threats. Dynamic Evolution of Technology At the moment, a lot more needs to be done to curb the menace of cybercrime in Nigeria because the countryâ&#x20AC;&#x2122;s legal system is inadequate, due to its inability to prosecute offenders in the areas of electronic communication and transaction. Whilst the Evidence Act appears to support the admissibility of computer-generated evidence in court, enforcement still remains a major problem because

www.technologybanker.com

SECURITY

of the various conditions that are attached to this. Another challenge facing cybercrime investigators is the dynamic evolution of technology that has led to vulnerabilities in these technologies. Vulnerabilities that many fraudsters are now being speedily exploiting. The number of these criminals is vast and so well organised in their use of technology, they are currently far ahead of Nigeria’s crime investigation agencies. The Cybersecurity Act in Nigeria recognises that cybersecurity threats are major offences but these crimes have yet to be seriously enforced, compared to cash-related fraud. The Act also impacts on the principal tension that exists in cybersecurity, which is between the need to protect citizens, property and infrastructure, and the need to respect people’s legal, civil and property rights. Major Challenges One of the major challenges that we face in fighting cybercrimes is capacity building. The cyber

MAY / JUNE 2015

landscape is an ever-changing one and therefore those who run and manage the investigation incident response departments of various financial institutions must be well informed and have adequate training to combat sophisticated cybercrime. The move to a cashless economy means that regulatory agencies and lawmakers should collaborate with each other to pass cybercrime law that will protect consumers. This, and the need for all financial institutions to build and equip digital and incident response units, is a matter of urgency. There are several different types of cybersecurity threats, which are targeted at different parts of a financial institution’s information technology infrastructure. These threats have different goals and motivations and can be broadly divided into three categories: 1 Theft/Fraud – where the motive is profit 2 Espionage/exposure – where the motive is to acquire private and

protected information 3 Disruption/destruction – where the motive is to cause harm or loss by slowing, disabling or destroying critical systems and operations. Effective Solutions Most of the banks have put in place solutions that can appropriately and effectively address the threat of each of these categories. In an effort to promote compliance, the CBN has mandated that banks and financial institutions comply with all the international information security standards, from PCI DSS to ISO 27001. In conclusion, institutions need to take a top-down approach to cybersecurity to effectively combat cybercrime. Effective processes and procedures need to be instituted to complement the various technologies that are already in place. To this end, organisations should consider and adopt the ISO27001 ISMS as a framework to safeguard customer data.

www.technologybanker.com

12-13 May 2015 Dubai International Convention and Exhibition Centre Dubai, UAE

Payment innovation for banks, government, telcos and retailers 10,000 Attendees | 300 Exhibitors Hear from payment guru speakers including:

Robert Scoble

Technical Evangelist and Author Age of Context

Mung Ki Woo

Professor Viktor MayerSchรถnberger

Executive VP Digital Platforms MasterCard

Author Big Data: A Revolution That Will Transform How We Live, Work, and Think

Strategic Partner

(1112) Cards & Payments ME 2015 TELETIMES ADVERT 216-279mm 1.3.indd 1

Sponsors

17/02/2015 09:

GOVERNANCE

Building control into your business Obadare Peter Adewale, the COO at Digital Encode Limited,, provides a brief insight into directing and controlling Information Technology by using a COBIT 5 Business Framework.

The word governance comes from the Greek verb Kubernao, which means to steer. Information Technology Governance is a subset discipline of Corporate Governance that focuses on information technology (IT) systems and their performance and risk management. The rising interest in IT Governance is partly due to compliance initiatives, such as Sarbanes-Oxley in the USA and Basel II in Europe, as well as the acknowledgment that IT projects can easily get out of control and profoundly affect an organisationâ&#x20AC;&#x2122;s performance.

1. Direct IT for optimal advantage 2. Measure the value provided by IT 3. Manage IT-related risks To achieve this objective, an IT Governance dashboard is recommended, a sample of which is shown below:

The key issue IT Governance is the key issue, as enterprises are sacrificing money, productivity and competitive advantage by not implementing effective IT governance. Executives need a better way to:

MAY / JUNE 2015

www.technologybanker.com

GOVERNANCE

Key questions about IT Governance 1. Is my IT organisation doing the right things? 2. Are we doing them the right way? 3. Are we getting them done well? 4. Are we receiving the benefits? The following list further amplifies the IT Governance challenges in an institution: 1. IT is in competition for budgets and is often being beaten by business for this money 2. IT needs to become a businessfocused discipline 3. IT teams are viewed by senior management as ‘firefighters’, rather than ‘planners or implementers’ 4. IT is viewed as a monetary drain on business 5. IT needs to compete effectively at the ‘C’ level 6. Business does not perceive IT as value for money

COBIT 5.0 COBIT 5 is a business framework that provides an end-to-end business view of the governance of enterprise IT, which reflects the central role of information and technology in creating value for enterprises. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance from business, IT and governance experts around the world. COBIT 5 incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems, while also aligning with significant guidance and standards, including ITIL and ISO.

www.technologybanker.com

MAY / JUNE 2015

COMPLIANCE

MAY / JUNE 2015

www.technologybanker.com

COMPLIANCE

COBIT 5â&#x20AC;&#x2122;s flexibility and benefits: 1. It uses a single framework to meet multiple requirements 2. Business and IT talk a common language and COBIT 5.0 focuses on performances that improve the effectiveness and efficiency in organisations

www.technologybanker.com

MAY / JUNE 2015

COMPLIANCE

Conclusion:

Governance is about building control into your business.

The other side of control is Risk. If Risk is not control, it crystallises into loss.

Good leadership and the best managers are required to ensure IT Governance.

Having good policies, procedures and standards are not enough.

COBIT 5 assures the conformance and performance of Information Technology.

Obadare Peter Adewale is a Fellow Chartered Information Technology Professional, the First Licensed Penetration Tester in Nigeria and Second COBIT 5 Certified Assessor in Africa. He is a seasoned Information Technology Assurance Technopreneur with over 26 international professional certifications. Peter is a well recognised cyber security expert with numerous successful engagements to his credit in Africa. His skills and experience spans Information Security, Vulnerability Management, Penetration Testing, Computer Forensics, Business Continuity, IT Governance, Risk Management and Compliance. He is a Gold Team Member of Open Source Security Testing Methodology Manual (OSSTMM), as well as a Senior Member of Risk Managers Association of Nigeria (RIMAN).

Obadare Peter Adewale

COO at Digital Encode Limited

MAY / JUNE 2015

www.technologybanker.com

COMPLIANCE

Money needed in Nigeria

Receive money through Western Union

Add money onto a VTN VCASH Account

• Money can be added into their VTN VCASH account* in Nigeria. • Loved ones can pay monthly expenses straight from their mobile phones.** • Convenient and reliable!

For more information, visit virtualterminalnetwork.com See reverse for details

Available through:

www.technologybanker.com

MARCH / APRIL 2015

EXECUTIVE INTERVIEW

Technology Question Time We interview Adefemi Onanuga, CISO of Jaiz Bank, about the challenges and key technology issues he currently faces, including cyber security, identity management risks and the future of financial services in Africa.

Can you elaborate how Jaiz Bank uses technology as a competitive differentiator? Jaiz Bank Plc is Nigeriaâ&#x20AC;&#x2122;s first fullfledged non-interest bank whose core operation is to provide innovative and value added non-interest financial services to its clientele. It does this by deploying the best technology to provide a variety of services to its customers to remote locations, as desired by our customers through electronic channels. The Bank significantly depends on Information and Communication Technology to provide reliable and sustainable business and banking services. Therefore, the competitive differentiator â&#x20AC;&#x201C; Technology â&#x20AC;&#x201C; constitutes the critical backend. To achieve this, we have provided a robust and resilient Information Technology platform that is critical in providing for the continuous availability and guaranteed security of our information assets. Secondly, we practice a top-down system of IT

MAY / JUNE 2015

management by providing a strategic, information assets focused plan for IT Governance, Information Security management, Systems Development, capacity management and vulnerability and threat management. Thirdly, our personnel are constantly offered the necessary training and information security awareness, according to global trends and best practices. It is common knowledge that humans constitute the weakest link in the Information Security value-chain because a majority of attacks begin from social engineering, so we do not take chances and ensure there is continuous awareness because this is very critical. Recently, the bank attained the ISO 27001:2013 and PCIDSS certifications to demonstrate that we take the issue of Information technology security seriously. Businesses today operate in an interconnected ecosystem and cyber security risks have evolved. What must

enterprises do to ensure that cyber security is at both the front and centre of their business? Reports in the media clearly suggest that cyber threats are increasing in both their levels of persistence and sophistication. This is a result of the digital world that we live in where people, equipment, programs and devices are mostly interconnected to facilitate mobility and demand for internet services. Unfortunately, this situation has opened up a pervasive field of vulnerabilities because the users have not grown in knowledge as fast as the level of sophistication of the attack vectors. A cyber attack can severely impact an organisation by bringing it to its knees, in terms of losing market share or bad publicity. Therefore, we must look at prevention before detection and correction. In my view, this can be primarily achieved by implementing plans and through anticipation. By using sound risk assessments, enterprises can grow to

www.technologybanker.com

EXECUTIVE INTERVIEW

a state of readiness in their assessment of risks and threats, continuously mitigating and adapting their counter measures to the fast changing threat landscape and by making preparations. Attackers now look beyond technology and have moved towards people and processes. In a global cyber security survey, employees were considered as the most likely source of an attack by 57% of respondents, which is quite significant. Enterprises must remain agile in their response to threats, deepen their cyber security skills and increase their budget on security. There must also be a buyin at top management level, as well as several internal departments, otherwise cyber security initiatives will be ignored. As Chief Information Security Officer, what sets you apart? Being responsible for ensuring the security of the organisations’ logical and technical aspects, I work with one goal, which is to “keep an eagle eye on Information security”. My experience

www.technologybanker.com

has led me to conclude that it doesn’t matter what technique is deployed in getting the work done, as long it is done completely and promptly. The CISO’s real job is to interface between the business and technical end of the organisation and this creates a need for a healthy mix of business and technical acumen. This is important because being too technical can stifle business and being too business-minded can lead to unnecessary risk exposures. It is therefore important to have an in-depth understanding of the IT environment and latest industry trends, be observant, conciliatory, dynamic and continue to learn. Once I step in the office premises,

I observe physical security and take note of areas that might require improvement. Once I’m at my desk, the first thing I do is to update the status of items on the todo list, view the security management dashboard and run some reports. Most importantly, one must develop the habits of listening and keen observation. Therefore, learning should not be put on hold as new technologies and concepts evolve on a daily basis. Also, have it in mind that information security is a continuum and your organisation is only as secure as the last recorded incident or intrusion attempt. What identity management strategies

MAY / JUNE 2015

EXECUTIVE INTERVIEW

should enterprises be deploying to ensure they can meet the security challenges of an increasingly connected and cloud-based business environment? Enterprises must be concerned about which users are accessing what resources, as well as the manner in which they are accessed. Identity management is the process of managing who has access to what information. This involves the creation of unique identities for individuals and systems, as well as linking system and application-level accounts to these unique identities. Cloud services are essential for maximising the benefits of today’s technology trends as they enable organisations to optimise the costs of operations and their efficiency and agility, and it is now predicted that identity and access management in the cloud will be one of the top three most sought-after services for cloud-based models in future. Due to security risks, identity management in cloud services is one area that requires special attention if these benefits are to be fully realised. Issues range from having different operating systems and applications supporting different forms of authentication and communication protocols, managing access to sensitive information and the problem of data privacy. Integrating Identity Management components in the standard set-up processes, i.e. including the requirements during selection and procurement and acquiring secure interfaces to support integration with enterprise identity management components is one strategy. Secondly, organisations must ensure that there is a consistent approach to privacy and compliance across the enterprise by considering proper information classification, user identity and user access reviews and the monitoring of privileged users. Thirdly, according to the concept of useable security, enterprises should provide a smooth authentication system that doesn’t affect the experience of users, thereby making them inclined to bypass authentication or divulge credentials. Meeting these objectives will require a lot of investments and may

MAY / JUNE 2015

require an enterprise to fundamentally redesign how it manages user identities in the cloud-based business environment. In the past, decision makers have always moved IT to the side and classed it as ‘techie things’ that nobody understands. Today, IT has become a vital part of business and one that cannot sit on the sidelines anymore. Is IT the backbone or a speed bump for business success? No matter the type or size of the enterprise, technology has immense benefits that will keep you in business by producing the services your customers demand. Information Technology helps business operations by keeping them connected to suppliers, customers, employees and other stakeholders. IT is very critical to the business because it provides a platform to successfully deploy the organisations processes and ensure efficient operations. Simply put, IT promotes the growth of organisations. For businesses, it has become ubiquitous, like air and water is to all humans. Undoubtedly, IT represents the top human developmental achievement in the last century, as it relates to businesses , both large and small. For example, without IT, businesses would not have the ability to view changes in the global markets as they do. It has also brought about an increase in globalisation, as the world’s economy has become an interconnected system without geographic or linguistic boundaries. Communication has also become easier, cheaper and faster. Along with making businesses more cost efficient, IT allows businesses to be within reach of consumers 24/7 through websites, social media and messaging systems. It therefore allows businesses to streamline, increase efficiency and optimise profits, which is a win-win for all stakeholders. Therefore, IT is undoubtedly the backbone for today’s businesses.

second fastest-growing continent, and the fastest in terms of population, but 75% of adults do not yet have a bank account. In the aftermath of the global financial crisis, the African financial services landscape demonstrated resilience because it was not destabilised, unlike many Western institutions. A number of factors are responsible for the financial sector’s rise on the continent in recent times, including the rapidly emerging middle class and an increase in urbanisation, which has led to a higher demand for innovative services. Also, globalisation and digital industrialisation created a need for consuming tech products, either as a factor of production or as a final good. So, in addition to the traditional services that banks provide, they have recognised electronic banking services as an important component in order to remain competitive. In addition, significant development and reforms of the financial sector and tightening of banking regulations in terms of AML, corporate governance and capital adequacy by some countries have increased confidence in the sector and provided entry barriers for less serious competitors. A decade from now, due to a payoff from the demographic influence, Africa’s financial services landscape will be developed enough to compete with the rest of the world in terms of sophistication, depth, offerings, technology and profitability. Technology remains the silver bullet in tapping the benefits of the demographic influences in order to close the gap and reach the desired state.

What do you think the financial services landscape in Africa will look like 10 years from now? Economically, Africa is the world’s

www.technologybanker.com

umidLinks

01 MANAGED SERVICES

We offer a range of flexible ITIL driven managed services, from outsourcing a single element of your IT to a full ICT infrastructure outsource. We have a wealth of experience delivering managed services across a wide range of sectors. 1. 2. 3. 4.

Application Support – Microsoft Portal /Application developments/Hosting Reduce your print costs with a Managed Print Solution – self managed Managed Print as a service – outsourced service

02 PROFESSIONAL SERVICES

HumidLinks works side-by-side with you to develop technology-enabled business strategies to improve performance and reduce costs, both now and in the future. And our job doesn't end with a strategy presentation – we continue to work with you to turn those strategies into reality. 1. 2. 3. 4. 5. 6.

Alliances/Partnerships/Business Consultancy Implementation Services/IT Audit Services/On-site support with dedicated resources Technical Consultancy - Design and improve/Scalable Network Infrastructure Setup Campus wide Network Setup/Hotspot Services/ Hotspot user Billing solution Unified Threat management/Wireless Area Mapping AAA services/NOC Topological Layout/Network Load Balancing and Failover

03 IT HUMAN CAPITAL EMPOWERMENT A majority of CIOs cite the difficulty of finding skilled, talented IT professionals – likely the result of high market demand, emerging technology and innovation, such as distributed work in the cloud, aging workforce and Gen Y factors, and an intense regulatory environment. Yes, talent can be hard to find - but not if you know where to look – with a smart workforce acquisition and management system second to none. • Empowerment Portal – Provides a platform to aggregate fresh and evolving IT talents for development and strategic mentorship to drive achievement of respective IT aspirations both in the entrepreneurial and employment space. • Mentor Portal – Provides a platform for experienced IT experts to lend their services under voluntary grounds towards providing direction to fresh and evolving IT talents. This would be in various capacities ranging from assistance with internships to training to sponsorships for certification in various IT fields. This platform would however also be open to corporate IT firms inclusive of possible collaborations with various OEMs • HumidLinks Microsoft Army – Enrol and develop your Microsoft skills aided by high qualified Microsoft mentors. The platform also would enable you to learn basis entrepreneurial skills to start your Microsoft business within a short period or join our mentor team. • Part Time Services Portal – Provides a platform to aggregate various experienced IT talents for current and future projects to drive achievement of IT aspirations driven by passion in specific areas while also pursuing a stable career path.

5B, Close D, Oba Oyekan, Lekki, Lagos

info@humidlinks.com

+234 (809) 945 6777

www.humidlinks.com

SECURITY

Delivering cyber security solutions in Africa We interview Patrick Grillo, Senior Director of Marketing Solutions at Fortinet, about successful cyber security solutions, the implications of security standards and providing seamless protection for businesses.

Businesses now operate in an interconnected ecosystem and cyber security risks have evolved as a result. Old security models are no longer fit for purpose. What are the characteristics of successful cyber security models? The previous mentality for constructing a cyber security model was to focus on building a strong perimeter defence. It was thought that by incorporating any number of different technologies you would be able to stop whatever malware or hacker from entering the network. The main difference between that model and today’s is a sober realisation that due to the sheer number of attacks, combined with the volume and sophistication of today’s threats, a network breach is inevitable. To defend against these targeted attacks, an enterprise needs to construct a multilayer defensive scheme, one that is able to detect and respond to intrusions to limit the potential damage. Should cyber security standards be imposed by regulation or left to discretion? What will be the implications for a technology provider like Fortinet and the banking and finance organisations? Security standards should be based on effectiveness, not their cost. To that end, cyber security standards should

MAY / JUNE 2015

be imposed by regulation – not necessarily by government but also by key industry groups. The Payment Card Industry, Digital Security Standards (PCI-DSS), is an example of mandated regulatory standard by the payment card industry. The implication to Fortinet is that as more standards are introduced and evolve, meeting these standards will be part of our ongoing product development. How does Fortinet help businesses with a clear risk appetite to treat cyber security as an enterprise-wide risk, and provide solutions to suit their specific circumstances? Fortinet helps enterprise by providing network-wide cyber security solutions that work together to provide seamless protection. These solutions are backed up by the skill and experience of FortiGuard Labs, Fortinet’s industry leading threat research and discovery arm. Constant updates are provided to Fortinet networks worldwide to ensure that their security efficacy is maintained throughout their lifecycle. Fortinet provides a wide range of solutions that are designed to fit every customer’s budget and to meet their level of risk tolerance.

www.technologybanker.com

ice

tech nica na l sup ge port dp rin ts erv ice s

ge na ma

urem

en ts

t u l o

mation

e ar tw

m ocu

s n io

office auto

f so

ma t en

proc

g na

ent

t& en

vin i h arc

erv

as y t i ual

distributor

g n i k r etwo

re u t c u r e t s c a n r f a in ur

y t i r u c e e-S

Africa’s Leading Distributor of IT Infrastructure Astel is the leading distributor of IT infrastructure, office automation and e-Security solutions in Africa. We have years of experience in the region and understand exactly which products and solutions are needed by computer dealers, value added resellers and software houses to satisfy their customers. We distribute a diverse range of products from the word’s leading manufacturers, meaning Astel need be your only point of call for all your IT requirements.

Ph: +44 208 453 0400 info@astel-uk.com www.astel-uk.com United Kingdom • Kenya • Nigeria

EXECUTIVE INTERVIEW

Looking Back on the Road to Success Richard Amafonye, CIO at Skye Bank, talks about information security challenges, getting an edge on the competition and entering a new era with bigger prizes and greater risks.

Who in the technology industry has most influenced your career? I would say Bill Gates. After reading his book ‘The Road Ahead’, I felt excited that I too was on that ‘road’. And his second book, ‘Business @ The Speed of Thought’, which “shows how digital infrastructures and information networks can help someone get an edge on the competition”, more than reinforced the need to stay on course and trudge ahead. Businesses today operate in an interconnected ecosystem and cyber security risks have evolved. What must enterprises do to ensure that cyber security is both at the front and centre of their business? Certainly, the “interconnected ecosystems” represent a concentration of investments for most businesses, and with this concentration and high level of

MAY / JUNE 2015

dependence comes a significant exposure that needs to be properly balanced. In my view, it all boils down to one thing – Risk Management. And to effectively manage and balance risk, you first of all have to do a proper risk assessment, as you have to diagnose before you can prescribe. In a risk assessment, there are three essential questions: what can go wrong, how likely is it to go wrong, and how severe is the penalty if it should go wrong? The best approaches and solutions can be found effectively by answering those three questions. What sets you apart as a CIO? I know, or rather I like to think, that it is not technical wizardry but leadership that sets high performing CIOs apart. As a CIO, you first and foremost have to keep the lights on and, at the same time, you are expected to cut costs, innovate

and execute on long-term transformation programmes. With this kind of pressure, it is very easy to fall into the trap of becoming a reactive CIO and get bogged down by every “urgent” IT issue, which eats up your time, saps your energy and prevents you from doing the kind of “big picture” thinking that career success requires. I am very mindful of this pitfall and avoid it like a plague. And, I always emphasise that the most important thing about technology is not what technology you have, but what you can do with it. I appraise investments in technology from the end user utility perspective and push for value innovation, rather than technological innovation. What identity management strategies should enterprises be deploying to ensure they can meet the security challenges of an increasingly connected

www.technologybanker.com

EXECUTIVE INTERVIEW

and cloud-based business environment? I would say a minimum of two forms of a multi-factor authentication system. This should include something you know, such as security challenges, response questions, a possession factor and something that you have, like a token. With biometrics solutions becoming increasingly more refined and affordable, a third form of factor, an inherence factor will prove more lethal. In the past, decision makers have always moved IT to the side and classed it as ‘techie things’ that nobody understands. Today, IT has become a vital part of business and one that cannot sit on the sidelines anymore. Is IT the backbone or a speed bump for business success? You are right, in the past there was widespread IT attention deficit at executive and board levels because of

www.technologybanker.com

“techie stuff”. But today, the philosophy of most businesses is such that their products and services have no viability without a tremendous investment in contemporary technologies. Increasingly, the competitive business environment has provided the impetus to invest in more efficient and effective ways of carrying out business processes and managing the business. We are well into a new era with bigger prizes and equally greater risks. This is an era in which businesses have become critically dependent on their investments in systems, not just for their success but also for their very survival. IT, more than ever before, is now the BACKBONE!

dramatic turn, and will be characterised by a heavy reliance on technology for the continuity of operations and large geographically distributed external touch points. We will see increasing digitisation of payments and electronic payments replacing cash transactions more and more. Market boundaries will shift, new operators will emerge and transaction volumes explode. Maybe Bill Gates’ prediction that “banking is important but banks are not” will materialise.

What do you think the financial services landscape in Africa will look like in 10 years from now? The future of banking is set to take a

MAY / JUNE 2015

THOUGHT LEADERSHIP

Thinking outside the box Irenosen Ohiwerei, Executive Director at Guaranty Trust Bank Uganda, is interviewed about innovative solutions, cyber security and what sets her apart as a decision maker.

Can you elaborate on how Guaranty Trust Bank uses technology as a competitive differentiator and provides innovative solutions to Africans in the Diaspora? The importance of technology in the financial industry today cannot be overemphasised. GTBank has always been at the forefront of creating innovative technology driven products and services that are suited to our immediate environment, but are also applicable to all customers, irrespective of their location. GTBank brings the bank to your doorstep via the use of technology. Examples of this are cards services for non-resident Nigerians, account opening and transaction services, via various social media platforms. Businesses today operate in an interconnected ecosystem and cyber security risks have evolved. What must enterprises do to ensure that cyber security is at both the front and centre of their business?

MAY / JUNE 2015

www.technologybanker.com

THOUGHT LEADERSHIP

Firstly, they should conduct periodical cyber security awareness amongst their staff. Secondly, it is important to implement robust cyber security measures/policies within the organisation. Thirdly, they need to implement user account access controls and cryptography to protect systems files and data respectively. Fourthly, firewalls, which are the most common prevention systems from a network security perspective, should be implemented as they can, if properly configured, shield access to internal network services, and block certain kinds of attacks through packet filtering. Finally, they must implement Intrusion Detection Systems (IDS), which are designed to detect network attacks in progress and assist in postattack forensics, as well as audit trails and logs that serve a similar function for individual systems. What set you apart as a decision maker? My ability to think outside the box, make critical decisions when required and examine both the benefits and implications of these decisions from multiple perspectives.

In the past, decision makers have always moved IT to the side and cast it as ‘techie things’ that nobody understands. Today IT has become a vital part of business and one that cannot sit on the sidelines anymore. Is IT the backbone or a speed bump for business success? Over the years, IT has become the backbone for business success as it continually evolves to improve every organisation’s business processes and efficiency. What do you think the financial services landscape in Africa will look like 10 years from now? It will continue to evolve, major industry layers will become more competitive, financial institutions will embrace Cloud computing and most of the processes will become technology driven. In addition, organisations will become steadily less reliant on manual processes.

What identity management strategies should enterprises deploy to ensure they can meet the security challenges of an increasingly connected and cloud-based business environment? They should make sure that those who need data or services get the right access and set up, or outsource a process to verify employees’ and contractors’ identities. They should also provide a smooth authentication system that doesn’t affect users’ experience, as well as catch up with the latest developments in identity federation processes.

www.technologybanker.com

MAY / JUNE 2015

TRAINING

Content is key in security training Brian Reed, Director of Inspired eLearning, gives expert advice on the most effective ways to provide employees with online security and privacy training.

You’ve been given the job. Protect company data, intellectual property and trade secrets from hackers, fraudsters and data thieves. You’ve developed a strong network edge with firewalls, spam filters, intrusion detection, and more. There is just one vulnerability left: all your employees… Hardworking, trusting and easily duped into revealing network access credentials, banking information, or holding the door open for the fraudster as she walks into the office. What’s a security engineer to do? There is little doubt that people represent the soft underbelly of even the most sophisticated security architecture. The need to train the employee on how to recognise threats and then foil the attempt is generally accepted by all. The question is how to do it effectively, not just once, but constantly over time. Memorable messages You can’t just throw something together and expect it to stick. You might be able

MAY / JUNE 2015

to get compliance that way, but you’re not going to enhance security. You need a memorable message, repeated often, and specific messages for specific audiences. Supervisors need to know the importance of leading by example and how to do it when it comes to security. IT staff need a more technical message. Security awareness is not a point solution, it is an ongoing process over time. If you have geographically dispersed employees, the best way to train them is through online eLearning. This makes it easy to guarantee that all employees get the same message because everyone sees the same program. eLearning is vended out to the users via a software platform called a Learning Management System (LMS). The LMS makes it easy to measure, monitor, track and report on your users’ progress through the training. You can use training resources from the HR department to build content or look to outsource the effort

through a vendor. Either way, here are some guidelines to help keep you on track: 1. Understand your goals. If compliance to legislated regulations, such as POPIA, is the objective, consult your legal department to review the content to ensure that all applicable requirements are covered, then get their sign-off in writing. If enhanced security is the goal, understand that cultural transformation implies a bigger effort, which requires superior content and constant messaging. People can change their habits, but it takes time and consistent, clear communication. 2. Define your timeline and the drivers behind it. Your overall drop dead date, the date by which everyone must be trained, is crucial to know up front. The tighter it is, the more likely you’ll need a vendor with a turnkey solution to help you out. Know and

www.technologybanker.com

TRAINING

articulate the consequences of missing the deadline. This can help you to align your goals with other departments and get resources. 3. Speaking of resources, are there enough internal resources available to hit the target date? Know the resources that are needed for project success, such as the project manager, subject matter experts, instructional designers, graphic artists and LMS/SCORM experts. Are they available within the company, or will you need to go external? 4. What is your budget? How much will it cost to meet your goals is an obvious question, but you also need to understand that time is a factor as well. You may need to use a vendor with an off- the-shelf solution to meet a tight deadline. 5. Be sure that you have executive sponsorship. You will be asking for time from every employee’s work day. Without support from the top to enforce the deadline, you may be stuck in training mode forever. 6. Course content is key if you want to change people’s behaviour. Using high quality content implies this

www.technologybanker.com

is an important goal that is being taken seriously by the company. If the training is treated like a formality, the users will see that as a green light to not worry about security. Here are some pointers: a. Provide relevant, fresh content. People respond best when they clearly see, “What’s in it for me?” b. Use real world scenarios that make the content concrete. c. Encourage retention by using interactivities that require user engagement and attention. Prevent users from moving forward until these interactivities are complete. d. Training should be based on roles: employees, supervisors, IT personnel, programmers, etc. e. Ensure the training experience for the user is smooth through the use of bookmarking, single sign-on, test-out options, voice-over and certificates. 7. Consider technology. Content developed in Flash is still broadly accepted, but HTML5 is taking over due to the widespread use of iOSbased devices. However, older browser versions may not support HTML5. Verify the content works on your supported browser/OS configurations. If you are using third party hosted learning platforms, be sure that the

learning portal is “white listed” on spam and IPS systems. 8. If you need to provide multilingual training, ensure that at least two in-country native speakers with a technical background do the translation. The first will translate, while the second verifies that the cultural context is relevant. Have internal native speakers who can also verify the course material before deployment. 9. How will you keep security in the forefront of your employees’ minds? Consider using regular eNewsletters, posters, screensavers, daily security awareness tips or other reminders to continuously drive home the message. 10. Maintain a long-term strategy for your program. New threats crop up all the time, laws change and standards evolve. Find a resource that can help you to stay on top of these changes and keep your content current with new, engaging stories and scenarios, as well as exams and fresh content. Professional organisations and vendors are often the best place to look for help.

MAY / JUNE 2015

OPINION

The Secrets of Sustaining Financial Inclusion Financial Inclusion is providing a new way of doing business in Africa, as well as a new world of opportunity for the unbanked population, which has been considered until now the hardto-reach segment. Mouna Fouillade, Head of Financial Inclusion at Ingenico Group E&A Region, reports.

In the search for new growth drivers, banks are now looking to the unbanked segment, as it represents a huge market opportunity. Nearly 2.5 billion people throughout the world do not have access to formal financial services, so the question of financial inclusion is more relevant now than ever. But the real challenge is this: what viable, sustainable models can banks use to reach these financially excluded populations? Understanding the benefits of Financial Inclusion According to the United Nations, Financial Inclusion aims to provide â&#x20AC;&#x153;access at a reasonable cost of all households and enterprises to the range of financial services for which they are â&#x20AC;&#x153;bankable1â&#x20AC;?. The financial services referenced in this definition can range

from setting up bank accounts, paying bills and receiving salary payments to more advanced banking services, such as credit, insurance and savings. The theory of Financial Inclusion is simple, but in practice it is difficult to achieve, given the size and location of the unbanked population. There is no doubt that Financial Inclusion benefits the societies it touches. It encourages entrepreneurship through business loans, improves health standards through insurance and reduces child labour by enabling families to send their children to school. At a national level, Financial Inclusion supports small business development, boosts trade, encourages innovation and much more. Financial Inclusion has long been among the top priorities for governments and NGOs, as it aims not only to improve living conditions

in unbanked communities, but also encourages international economic growth. Principal barriers to banking Banking penetration rate is very low in developing countries. The global financial index shows that 78% of rural residents and 77% of adults who earn less than $2 a day do not have an account at a formal financial institution2. What are the reasons for this? Firstly, geographical distance has always prevented people from accessing the banking system, as bank branches are usually located far away in the big cities. Secondly, unbanked individuals with low incomes simply cannot afford the cost of banking at traditional bank branches. Banking is expensive because building branches is expensive. Finally, low literacy and a lack of trust

Including savings, short and long term credit, leasing and factoring, mortgages, insurance, pensions, payments, local money transfers and international remittances. 2 World Bank Infographic, 2011. 3 Source of data: Financial Inclusion In Africa, AfDB, 2013. 1

MAY / JUNE 2015

www.technologybanker.com

OPINION

in financial services are obstacles to Financial Inclusion. In Africa, adults with a tertiary education are four times more likely to have an account at a formal Financial Institution (53%), compared to people with only a primary education (13%)3. Given all of these barriers, it is clear that while banking services do exist in the developing world, they are not accessible to all. Huge numbers of unbanked people either cannot access financial services or do not feel comfortable using them. A new model is needed to reach further and help communities to adopt financial services; and not just use them once or twice, but to fundamentally change perceptions in unbanked communities, so that banking becomes a long-lasting habit. A new way of doing business Major players in the corporate world are moving beyond the conventional business driver of pure commercial gains, and towards the concept of social benefit – ‘doing good’ – that was previously the reserve of non-profits and charities. This shift enables corporations to have a long-lasting, positive impact on developing communities, while still growing their business and contributing to positive economic growth in the countries where they work. This approach, called Inclusive Business, is fast becoming a hot topic in emerging countries. The corporate social responsibility programs of the past still have their place, but Inclusive Business goes a step further to fundamentally change how companies do business for the better. A key theme emerging among inclusive businesses is the tendency to involve local people in a program

www.technologybanker.com

to ensure its success. The potential benefits of such models are huge, from high staff engagement levels to top quality services, driven by the desire to uphold high standards and develop a good reputation. All this is the catalyst for rapid social change in terms of employment opportunities, equality and empowerment. There are many examples of Inclusive Business in action, as seen in TV series such as ‘It’s Africa’s Time’. This initiative, dedicated to showcasing the human impact of Inclusive Business, is sponsored by the UNDP agency. It demonstrates how improving business practices can benefit communities and contribute to achieving the UN’s Millennium Development Goals (MDGs). As the former UN Secretary General Kofi Annan said, “The MDGs are intended, first and foremost, to help people. But they can be good for business: first, because helping to build the infrastructure is an enormous business opportunity; and second, because, once it is built, business will find larger, eager markets in place.”

merchant (e.g. a grocery store), a third-party network employee (e.g. a post office agent) or an independent agent. They are recruited as they are already known and trusted by the local community, and they will ensure the success of the financial program. Agents are motivated through a commissionbased payment model that incentivizes transactions. The more transactions an agent makes, the more they earn – with no limit. Adding an agency to an existing business, like a corner shop or a mobile phone kiosk, also benefits that business by attracting additional customers. Besides business benefits, agents are willing to help their community develop. Interviewed for ‘It’s Africa’s Time’, Francis Irungu, a Branchless Banking agent in Kenya, said: “I am very keen to develop where I come from… I would like my community to access the bank. When they have banking services, you expect more things to happen; development will be there. People will be having somewhere to keep their money safe.”

Making the link By applying the concept of Inclusive Business to Financial Inclusion, some African banks have developed a branchless banking network by recruiting local representatives to act as banking agents among the community. Once trained and equipped with the necessary technology, these banking advocates can leverage their proximity and trusted relationship with the unbanked to drive adoption of financial services. Branchless Banking agents do not need to be dedicated to Financial Inclusion alone. They can be a local

Bridging the gap Over the past years, Africa has moved from being a passive continent to an innovation-driven region, inspiring countries all over the world. Technology has helped to bridge this gap and overcome the challenge of poor infrastructure. Here again, technology has helped banks to move from a branch-based model to a branchless model. Ingenico Group developed a range of solutions for its customers, entirely dedicated to supporting these programs. “There is no point in providing technology if we don’t help our end

MAY / JUNE 2015

OPINION

users to sustain their business. Our strategy is based on the principle of inclusive business because we enable Financial Inclusion, we do not just sell technical solutions,” said Mouna Fouillade, Head of Financial Inclusion at Ingenico Group, Europe Africa region. Thanks to Ingenico Group technology, financial services are now accessible to the unbanked target segment that was previously excluded by their geography, income or literacy level. Banks have extended their reach beyond traditional branches by adopting a decentralised model. A network of trusted local agents regularly travels from one village to another and meet with their customers wherever they may be. The available services range from electronic financial transactions4 to banking products5. Ingenico Group provides easy to use, reliable and secure solutions to make these services trustworthy. Multiapp terminals allow banking agency services (e.g. enrolment and account management), financial transactions (such as money transfer or credit repayment) or payment acceptance, ideal for Branchless Banking agents. They can support various services, providing value and flexibility to fit any market. Once installed, the terminal network can also be leveraged for added value services, such as lottery tickets, competitions, school fee payment, bill e-payment, etc. This model offers a complete range of financial services to reach further and meet the needs of the newly banked community better. It helps the unbanked

manage their money more efficiently; the agents to improve their businesses and the banks increase their customer base: a win-win situation. What makes Branchless Banking attractive? Due to inflation, property prices and salary costs, physical bank branches are becoming more expensive to build and maintain. Branchless Banking is an affordable, scalable way for financial institutions to reach customers thanks to its low CAPEX and OPEX, allowing banks to maximise their profits. But the benefits extend further than cost alone. Evidence has proved that Branchless Banking agents are more successful at developing long-lasting relationships with customers than branch staff. Agents are already well known and trusted in their communities, so they engage far better with the unbanked. They maintain close contact with customers, assisting with every transaction to boost repeat usage and build trust in the service. In fact, by ensuring each transaction is facilitated by an agent, the average transaction value doubles compared to when no assistance is provided6. Most compellingly, as part of a scalable, sustainable outreach program, Branchless Banking is invaluable to a bank’s long-term future. It has a huge impact on expanding the customer base, improves brand perception and ensures a strong foundation for future growth. Assisted transactions mean better customer engagement and retention, with lower numbers of inactive customers.

Taking the stress out of banking Overall, Branchless Banking has made financial services more accessible and inclusive for all. Mouna Fouillade recalls a time when “opening a bank account was for the few, for the ‘lucky ones’. People would dress up to meet with their banking agent. Meetings were stressful, like sitting an important exam.” Now, proof of ID is all a customer needs to open a bank account in a few minutes. Banking becomes as normal as making a phone call or going to the shops. Agent Francis Irungu confirmed, “We call it a banking revolution, because banks were for the few. Banking was unheard of in a setting like this village because banking was for those who are rich.” He observes how banking has changed his community, “Now they benefit from it. They can save their money. They can withdraw their money any time they want. So flexible. They don’t have to travel for a long distance to get their finances.” Once familiar with the financial basics, communities can start to reap the benefits. Micro-finance and credit can give small businesses the capital they need to buy stock, invest in transport, or pay an expanding workforce, so their company can grow. Financial education also encourages a responsible ‘little and often’ approach to saving, lifting individuals out of the hand-to-mouth way of living they are accustomed to. This helps people plan for the future, instead of spending their money as soon as they earn it. Savings also offer security and protection against theft, as it is

4 Electronic financial transactions » refers to money transfer and remote payment for goods and services (bill payment, merchant payment, airtime purchase, school fee payment and so on) «Banking products » refers to traditional banking services that are proposed by the banks such as credit, loans, insurance and savings products

MAY / JUNE 2015

www.technologybanker.com

OPINION

impossible for non-account holders to access or withdraw cash – unlike keeping it in the traditional coin jar or hiding it under the mattress at home. Of course, customers are not just saving money, they are also saving time. They no longer have to make the timeconsuming, expensive trip into the city to manage their money, because their bank is now on their doorstep. The main success factors are people, training, technology and support. High quality agents are essential in this decentralised branchless model. Agent Network Managers (ANMs) uses a rigorous four-step process to ensure applicants are not just well suited to the role, but will be excellent representatives of the service. The ideal agent profile combines a number of characteristics. They should serve isolated geographical areas close to reliable infrastructure, and already run a well-established business. Applicants should be literate and motivated individuals, with a strong social standing. Keeping knowledge up to date Banks must balance the time to find and screen new agents and the cost of training to keep recruitment costeffective. A quick onboarding process educates new agents with all the basic knowledge needed to set up. Then, after few months, agents receive follow up training in specialist subjects like money laundering and fraud, enriching their understanding of and interest in financial services. Thanks to Ingenico Group, all traditional agency banking services are accessible through a single device: the Ingenico Smart Terminal. Depending on market needs, the appropriate software

www.technologybanker.com

is downloaded on the terminal and in an instant the agent is fully equipped to serve customers anywhere, at any time. In developing countries, not only does the terminal itself need to withstand harsh, hot and dusty conditions but connectivity must also be good, even in remote areas. Ingenico Group is dedicated to developing trustworthy and reliable technology. Innovations like the dual SIM terminals ensure that when one network is unavailable, the terminal can access another instantly. All terminals are connected to the back office system, where transactions are logged and tracked. ANMs in each branch can see which agents are performing well and which ones may need help. Performance data can also be used to identify rising demand, and allows the branch to recruit more agents based on these trends. Because terminals are securely connected and every activity is recorded in the system, fraud is impossible and the correct amount of commission can be accurately paid later on. New agents have daily contact with their ANMs, either in person or by phone, then weekly meetings, which become monthly and eventually quarterly as the agent becomes more knowledgeable and confident. Banks seek to prevent agent churn with regular training opportunities every three months, plus ongoing support from a team of agent liaison staff based at bank branches. This keeps agents active and engaged with the latest services and updates, so they are less likely to leave or become agents for other banks. Three key elements Financial Inclusion cannot be a standalone program that is put in place

and left to run itself – it must be part of a holistic, long-term evolution, supported by other inclusive strategies. To do this, three key factors are needed to sustain Financial Inclusion, and they combine perfectly in the Branchless Banking model. These are: 1. Sustainability – applying the principle of Inclusive Business in order to provide remote communities with lasting access to financial services that can improve their lives. 2. Efficiency – enabling the right people to become agents and supporting them with training and technology so they can make a real difference. 3. Scalability – having a solid and supportive business model so that new banking models can continue to be rolled out across more communities in the future. Banks have always been perceived as conservative and unadventurous in their business decisions. But they are now showing a truly innovative and visionary side to their character, proving that it is worth investing in inclusive models like this one. Remote and unbanked users, often seen as the unwanted segment of the market, are turning into one of its greatest success stories. A virtuous cycle has begun, offering a world of new opportunities both for banks and their customers. We can only hope this inspires other industries to adopt a similarly inclusive approach to their businesses. Perhaps inclusivity will be the secret to unlocking future prosperity in new markets where the low-end customers have been the unwanted segment.

MAY / JUNE 2015

EVENTS FOR YOUR DIARY

May - July 2015

19 - 21 May 2015 MOBILE MONEY AND DIGITAL PAYMENTS AFRICA 2015

Expert session leaders from across Africa’s payments industry will ask provocative questions; market pioneers will provide their perspectives in a series of industry panels and cutting-edge presentations.

21 May 2015 RETAIL BANKING: LONDON 2015

Retail Banker International is the leading source of global news and in-depth analysis for the retail-banking sector. For more than 20 years we have been the trusted source of reliable, timely and in-depth news and analysis for senior executives in the international banking industry.

26 - 27 May 2015 SATCOM AFRICA

SatCom Africa is the leading marketplace and ideas exchange for African telco’s, broadcasters, ISP’s, end users and governments hungry for innovative solutions.

8 - 9 June 2015 CARD AND MOBILE EAST AFRICA EXPO

This conference/ exhibition addresses the issues affecting mobile money in the East African Community (EAC), where mobile phones are used to transfer more than half a billion dollars every month.

9 - 10 June 2015 PAYEXPO 2015

As more societies are adopting advanced payments channels into mainstream behaviour, we will explore what does a cashless society actually ‘mean’ for traditional infrastructure, and where the commercial business case for deeprooted and new merchants and suppliers lies.

10 - 11 June 2015 4TH ANNUAL OPERATIONAL EXCELLENCE IN FINANCIAL SERVICES (AFRICA) Developing a world class operational excellence framework that supports the business must remain a top priority for the banking and financial services industry.

MAY / JUNE 2015

www.technologybanker.com

10 - 11 June 2015 THE FUTURE OF ATMS IN LATIN AMERICA

In recent years, most countries in the Latin American region have experienced strong growth in ATM populations with increases as high as 16% over the past six years.

10 June 2015 THE PAYMENT SERVICES OF THE FUTURE

The evolution of banking and payment services based on international regulations on electronic money and payment services.

11 - 12 June 2015 PAYMENTS INNOVATION SUMMIT

Innovation Enterprise is an independent business-to-business multi-channel media brand focused on the information needs of Senior Big Data, Strategy, Advanced Analytics, Innovation, Digital, Finance Operations, Publishing & Decision Support executives.

16 - 17 June 2015 EUROPEAN ATMS 2015

European ATMs is the regionâ&#x20AC;&#x2122;s premier ATM conference, bringing together over 500 banks, independent deployers, hardware vendors, software suppliers, network and service providers at one event.

23 - 25 June 2015 CARD EXPO AFRICA 2015

This event is the only event of its kind in Africa where conference fees are largely discounted. We invest our resources into building capacity in the industry by way of the discounted rates.

30 June - 01 July2015 MPOS WORLD

It is the only global conference & exhibition on new generation of mPOS solutions and digital interaction in retail, connecting 300+ merchants with payments, cash register, technology & VAS mPOS providers.

MAY / JUNE 2015

PREMIUM VENDORS DIRECTORY

Computer Warehouse Group offer integrated ICT solutions that add value to the operations of diverse clientele, using highly skilled and well motivated workforce. CWG work with best-inclass partners and technologies from all over the world.

Digital Jewels Limited is an ISMS Certified Information Value Chain Consulting and Capacity Building Firm specialising in Information Technology and Project Management and first in Africa to achieve accreditation to the ISO27001.

Fiserv, Inc., a leading global provider of information management and electronic commerce systems for the financial services industry, providing integrated technology and services that create value and results for our clients.

GRGBanking, a leading provider of currency recognition and cash processing solutions in the global market with great potential and rapid development with comprehensive solutions widely used in Finance, Telecom, CIT and Retail sectors.

Global Bankers Institute is a Training, Communication and Consulting Firm dedicated to serving the financial services community. It provides modern training without sacrificing the principles on which todayâ&#x20AC;&#x2122;s banks were built.

Infosys is a global leader in consulting, technology and outsourcing solutions, helping enterprises transform and thrive in a changing world in areas such as in mobility, sustainability, big data and cloud computing.

Entersekt is an innovator in transaction authentication and introducing an isolated communication channel between phone and financial institution that avoids reliance on the open Internet for user and transaction verification.

VCASH allows you to transfer and receive money locally and through Western Union using your phone or online, plus much more. VCASH is fully licensed by the Central Bank of Nigeria to deploy mobile payment services in Nigeria.

SatADSL offers corporate internet access by satellite, with flexible subscriptions, state-of-the-art equipment and attractive price-setting with a set of tools which allow Distributors, Corporate and Individual users to monitor the terminals they operate.

Website: http://www.entersekt.com

Website: https://www.virtualterminalnetwork.com/Home

Website: http://www.satadsl.net

Website: http://www.cwlgroup.com

Website: http://www.fiserv.com/index. Website: https://www.digitaljewels.net htm

Website: http://www.globalbankersin- Website: http://www.infosys.com/ Website: http://www.grgbanking.com/ stitute.com/index.php pages/index.aspx en/index.asp

Your business not listed here? Get brand awareness and Win new business with Technology Banker Premium Pages Contact Jenny Howard on: +44 (0) 208 528 1536 jenny@technologybanker.com

Mobile Money Transfer VTN VCASH and Western Union Mobile Money Transfer service with Western Union and VTN is an easy, fast and convenient way for VTN customers in Nigeria to receive money from abroad on their VCASH account.

In a few quick steps, a Western Union® Money Transfer can be added into a VTN VCASH account in Nigeria. 1 Western Union sender makes a money transfer at a Western Union® Agent location or online on a Western Union transactional website (where available). 2 Sender provides the VTN receiver the Western Union MTCN tracking number. 3 With the MTCN number, the VCASH customer can follow the Western Union menu prompts on their VTN phone to add the funds directly* onto their VCASH account! 4 The VCASH customer will enter their PIN, for user authentication. Additional information about the transaction may also be requested. (See diagram below) A 1. Send Money 2. Western Union 3. Check Balance 4. Mobile Top-up 5. Pay Bill Select

Western Union

1. Pick-up money

Western Union

Please enter 10-digit Western Union MTCN: _ (3 unsuccessful attempts will result in account blocking)

Select

Cancel

Select

Cancel

Western Union

Please enter the amount you are expecting to receive: _ (3 unsuccessful attempts will result in account blocking)

Select

Cancel

Western Union

Please enter your PIN to continue: _

Pick-up Confirmation: Western Union has deposited XXXXX into your account No. 00045XXX

Select

Cancel

5 The VCASH customer will receive an SMS notification confirming the deposit of funds into VCASH.

If the Western Union sender provides their mobile number on the Western Union Send Form, they will also receive a text message when the funds are delivered1.

Did you know? VCASH consumers in Nigeria can use funds in their VCASH account as determined by VTN, including: • Pay bills • Withdraw cash • Purchase airtime • Buy goods and services For more information, visit virtualterminalnetwork.com or WesternUnionMobile.com Available through:

* Funds will be paid to receiver’s VTN VCASH account provider for credit to account tied to receiver’s mobile number. Additional third- party charges may apply, including SMS and account over-limit and cash-out fees. Funds availability subject to terms and conditions of service. See Send Form for Restrictions. ** Service options are determined by the mobile phone service provider. 1 Standard Message and Data rates may apply. VTN, VCASH and the VTN logo are trademarks of Virtual Terminal Network. © 2013 Western Union Holdings, Inc. All Rights Reserved.

Human Capital Performance Improvement Audit Are you completely satisfied with the Return on Investment (ROI) from your current training? Are your training budgets driven by business goals and Key Performance Indicators (KPIs)? Are you holding training vendors accountable for quantifiable business improvements? Based on over 25 years of providing the BEST! Training, Communication and Consulting Solutions to the banking industry worldwide, the leaders of Global Bankers Institute have designed the Human Capital Performance Improvement (HCPI) Audit. The HCPI Audit is the first-of-its-kind service to offer the following benefits: 1) Ongoing Performance Improvement Plan based on cascading Strategic and Operational Goals. 2) Comprehensive Training Plan with behavioral outcomes aligned to Key Performance Indicators (KPIs) and Key Performance Measures (KPMs) resulting in a concrete Return on Investment for all training. 3) Effective Training showing measurable benefits in Sales, Customer Satisfaction, Operations Productivity and Quality, Employee Motivation, Risk, and Compliance, as well as any other identified bank goal. 4) Efficient Use of Training Budget through improved curriculum priorities and vendor selection and negotiation. 5) Holding Training Vendors Accountable by making them partners in the HCPI Audit process and requiring that they accept responsibility for delivering measureable improvement through their programs. Please contact me to let us know how we may best serve you. Global Bankers Institute brings experience, innovation and value, providing the BEST! Training, Communication and Consulting solutions to the financial services industry.

Dr. Linda Eagle Founder and President Global Bankers Institute 245 Park Avenue New York, NY 10167 +1.212.579.5500 ext. 3106 +1.646.236.7538 (mobile) linda.eagle@globalbankersinstitute.com www.globalbankersinstitute.com

Global Bankers Institute