Gbenga Aiyegbusi is the chief information security officer of Sterling Bank plc. In this interview, he explains the factors responsible for the incidence of fraud in the banking sector, highlights the steps the banking public should take to safeguard their information, and describes the role the bank is playing in educating Nigerians on information security. Excerpt:
What is information security?
Information security is defined as those practices and procedures that help identify information risks and protect information from unauthorised access, modification, duplication, destruction, or disclosure, whether accidental or intentional and that ensure that the information is available to authorised users on request. Information resources include all data, hardware, software, people and processes involved with the storage, processing and output of information.
Simply put, information security is all about protecting valuable information to ensure that a third party does not have access to it and at the same time guarantee that the information is available at the time it is required by a valid user. Everyone has his/her identity that is unique to him/her. From birth, you already have certain attributes such as the family you are born into, your date of birth and other features that you begin to have as you grow up. For instance, you have information about your health status, financial position and many others that are peculiar to you. All of these are critical information about you that must be protected at all times.
How do you protect your identity to avoid being impersonated or a part of your information being used for illegal transactions?
To start with, it is very important for everyone to acknowledge that they have something of value that must be protected. Information is key and we must protect all information about us. We must exercise great care about our personal information. We have seen people who give out vital information about themselves to people they trust and then end up with their fingers burnt. For instance, some people give their credit and debit card and password(s) to spouses, children, housemaids or even friends to make withdrawals on their behalf from the ATM, but at the end of the day, these people clone the cards. Since they already have the password, it becomes very easy for them to carry out illegal transactions on such accounts. We have seen cases where multiple withdrawals were made on accounts by trusted friends, spouses or even children, so we must be careful about protecting information about ourselves. The main point here is that we must dimension the risks associated with such practices and not treat sensitive information with levity.
Cases of fraud in banks have been on the increase and most of them are related to the use of information. What are banks doing to correct this?
Banking cannot exist without information. Information gathering starts from the time you request vital information from a customer at the point of opening a bank account and continues through the customer’s overall interaction with the bank. Banks are financial institutions involved in receiving deposits from customers and giving the same out as loans to customers to finance their transactions and pay back with interest. To give out loans, banks would request data from customers. This is to ensure that they have valid information about such customers that could be used as the need arises. Thus, banking is all about information gathering and processing.
In summary, banks put in place mechanisms to ensure non-disclosure of information about customers to unauthorised persons and ensure that information is not compromised at any point in time. In security parlance, we have three key elements. They include confidentiality, integrity and availability. Confidentiality speaks to the assurance that information is available to only those authorised to have access. Confidentiality breaches may occur due to improper data handling or hacking attempts. Integrity speaks to the assurance that the information asset is protected against improper or unauthorised modification or manipulation. Availability is ensuring that the information assets responsible for delivering, storing and processing information are accessible when required by the authorised user.
At Sterling Bank we have deployed tools to improve the security of information about our customers and the bank, and to create security awareness among internal and external customers on how to secure their information.
What is your bank doing to educate Nigerians on how to protect their information?
As part of our corporate social responsibility initiative, we have taken it upon ourselves to organise seminars and workshops for members of the banking public on the need to protect their information. We consider this very important as this will protect them against fraudsters cloning their cards and making away with their hard-earned money. The good thing is that we are not limiting it to our customers alone. We are engaging all members of the banking public, irrespective of where they bank, because Sterling Bank is all about enriching lives.
Are banks doing enough to protect customers’ information?
Anything that has value that can be easily transferred to another person is subject to risk. Most banks, especially Sterling Bank, are investing heavily in information security to protect the interest of customers. Like I said, banking is all about information management and it starts with gathering information from customers at the point of opening an account up to the point of gathering information about the businesses of the customers in order to provide adequate funding when required.
When we gather information, we keep or store such information electronically and/or in hard copy for use when needed. However, we must note that in all these processes, people are involved. Issues regarding information security often involve the people managing the process. Thus, threats to information security could come from a variety of sources.
At Sterling Bank, what we have done is to come up with information security policies and guidelines that contain acceptable practices that new staff are subjected to. Existing staff are also taken through the training from time to time to remind them of what is expected of them in terms of information management. This is in a bid to mitigate internal risk to information security breaches. The second challenge is social engineering. This is a situation whereby information of value about an individual is given out without his/her knowledge.
If I need information about another bank’s salary structure, for instance, I need not go to the Human Resources department of that bank to obtain the information because they will not oblige. All I need to do is to get in touch with a friend in the bank and obtain such information from him. The challenge is that such a friend will not know that he is giving out information of value to me. This is social engineering and it happens from time to time.
How would you assess the issue of fraud via ATM in recent times?
The incidence of fraud through the ATM has gone down a bit. The reason is that we have upscaled the security devices in the card. For instance, we started with the magnetic stripe. The challenge with that was that it could easily be cloned by a skimming device that copied the information, making it easy to have the card cloned. We have since moved from that to an Advanced Chip and PIN Card. Not all the information about the card and the customer is stored in the card. Rather, some parts are stored in the card while the rest is stored in the machine. This has made it near impossible for anyone to clone it because they will not have access to all the information. This has reduced the high incidence of card cloning in the country and encouraged the use of cards.
However, I must emphasise that we must be careful about the challenge of social engineering as discussed earlier. We must avoid giving our debit and credit cards to others to make withdrawals on our behalf because after repeated usage they may begin to have malicious ideas: picking the card, cramming the PIN and duplicating the card. We also need to address the use of skimming devices by fraudsters.
What is the CBN doing in this regard?
The apex bank is supporting the industry in this regard. For instance, the CBN has instructed all banks to install anti-skimming devices on all ATMs to prevent fraudsters from getting data from ATM users. The CBN has also mandated all banks to comply with the Information Technology (IT) Standard, which requires banks to be Payment Card Industry Data Security Standard (PCIDSS) certified. The guideline came out in 2012 and Sterling Bank was the third commercial bank to be PCIDSS certified, on February 8, 2013. The certification is meant to control the way sensitive information of cardholders is stored and used in the country. ISO 27001 Certification is another IT Standard that the CBN wants banks to achieve to further protect customers’ information.
Can you shed more light on ISO 27001?
ISO 27001 is a security governance standard certification developed to provide a model for establishing, implementing, operating, monitoring and maintaining information security management systems. It is widely recognised as the highest security standard in the industry for examining the efficacy of an organisation’s overall security posture.
ISO 27001 provides confidence to management, business partners, customers and auditors that the organisation is serious about information security management. It is frequently used to assure customers that an organisation’s people, processes and facilities follow the most stringent guidelines for securing an organisation’s sensitive assets (including data).
Sterling Bank has also commenced the ISO 27001 Certification project aimed at enhancing the security of our customers’ information.