With an annual growth rate of more than 16% for the past five years, ICT is the only sector in Egypt that has consistently maintained double-digit growth rates. That was achieved through a mix of government investment in digitizing its services and operations, favorable regulations, and initiatives.
Such rapid transformation, however, means banks and third-party companies serving them are exposed to more cyber risks than ever before. “Increased reliance on technology and digital services has increased our [vulnerable] surface area,” said Abeer Khedr, head of cybersecurity at the National Bank of Egypt (NBE), at a June AmCham Egypt event. “In the past, our [defensive] perimeter was a firewall around our servers. Now, the ‘attack surface’ [potentially includes] employees and customers.”
Low- and middle-income countries face an uphill battle to protect banking sectors. “Among emerging and developing economies, most financial supervisors haven’t introduced cybersecurity regulations or built resources to enforce them,” Tobias Adrian, financial counselor and director of the IMF’s Monetary and Capital Markets Department, said in a March blog.
That could put any economy at risk. Banks hold personal information about depositors and companies as well as their savings. Banks also connect the local economy with the rest of the world and finance domestic economic activity — via loans — and the government — by buying treasury debt. “The stakes are high in the banking and financial industry since substantial financial sums are at risk,” Zeshan Naz, content marketing lead at KnowledgeHut, a provider of accredited training programs, said in September.
A March IMF survey of 51 emerging economies found that “56% of their central banks and supervisory authorities do not have a national cyber strategy for the financial sector.” Of those, 42% don’t have a dedicated cybersecurity or technology risk-management regulation. Meanwhile, 68% don’t have a “specialized risk unit as part of their supervision department.”
The lack of cyber protection also extends to companies. The IMF survey found “64% [of surveyed executives] do not mandate testing and exercising security measures.” Meanwhile, 54% don’t document, let alone report on, attacks, while 48% of companies “do not have cybercrime regulations.”
That is a problem, as cybercriminals, particularly those targeting banks, have decreased the time it takes to mount a cyberattack. Sabine Holl, vice president of technical sales and chief technical officer at IBM Middle East and Africa, told AmCham Egypt in July that ransomware attacks that used to take two months to deploy in 2018 now take four days.
Sherif El Deeb, Microsoft Middle East national security officer, said analytics show ransomware took three days to deploy in 2019. In 2023, that time dropped to 15 minutes. “That is our new normal,” he told AmCham Egypt in July.
Conversely, “the time it takes to identify and react to a data breach has barely improved,” said Holl. “It went from 277 days in 2018 to 266 days in 2022. Time is becoming a constraint when we talk about cybersecurity.”
Top company executives have acknowledged they have a noticeable deficiency. IBM’s latest survey found that “66% of [chief information officers] say cybersecurity is the top area of increased investment.”
Holl said the most popular programs targeting commercial banks use some form of malware that exposes a system’s “backdoors.” According to IBM, malware is involved in 21% of the attacks. Malware can hold a bank’s data hostage by demanding payment to grant the bank access to the data (ransomware). That accounts for 17% of attacks.
A 2022 report by Verizon Telecom, a U.S. mobile operator, found 46% of attacks analyzed focused on bringing down the target company’s online services, 25% came from ransomware, and 50% targeted the company and its customers’ credentials. The report also found that 62% of those attacks happened because of an attack on a bank’s third-party service providers. Meanwhile, most (82%) attacks involved a human element.
El Deeb of Microsoft cited risks from new technologies, particularly “quantum computing and artificial intelligence.” Khedr of NBE said advanced tech that increases the risks of attacks includes open banking, blockchain, and using biometrics instead of passwords to access banking systems. She also noted that some of that “new tech” may have been in use for years, with a bank only recently starting to benefit from it.
According to Khedr, the motivations behind such attacks are usually theft of money. However, El Deeb noted geopolitical warfare also fuels cyberattacks to bring down online government services and disrupt the national communications grid. He cited the conflict in Ukraine and trade tensions between the United States and China. Cyber espionage is also increasing, particularly theft of intellectual property and sensitive information.
Khedr said some cybercriminals just want to make a point. “Those attacks usually bring down the company’s website or smartphone app [denial of service], but take no money or data.”
Threats are increasing in variety and number because of the “growing complexity and interconnectivity of systems,” said El Deeb. Meanwhile, Holl of IBM stated “disconnected tools” for combating threats make the system more prone to attack. “Nearly 80% of organizations use at least 10 different solutions to manage security hygiene,” she said.
Another reason banks are vulnerable to cyberattacks is that “29% of security operations processes are immature and need reengineering,” Holl said. Information overload plagues 51% of security departments, making risks “more difficult to manage over the past two years.” According to IBM research, massive data flows resulted in “51% of organizations struggling to detect and respond to advanced threats.”
A lack of cybersecurity experts worldwide poses another threat. According to El Deeb, companies need 3.4 million cybersecurity experts across all levels of their organizations. Based on IBM’s research, the deficit is approximately 48%. “The odds are against today’s defenders,” said Holl, “and governments and the security industry are struggling to turn the tables.”
Sources of risk
Khedr of NBE said the first step to surviving a cyberattack is to determine whether the bank is the main target or if it is “susceptible” because the cybercriminal is targeting an affiliate or service provider. She added that banks need to “pay special attention to mitigation and prevention controls.” In the latter, the organization would be defending “against unknown threats and types of attack.”
The second step is to identify the nature of the attack. The most common external threat for banks is ransomware. However, there are increasing “zero-day threats” where security researchers identify a vulnerability, report it to the software provider, and then exploit it until the developer finds defenses against it. Khedr said, “That is particularly dangerous because the [only] solution is to find workarounds.”
The other external risk threatening banks is cybercriminals hacking their service providers, who are likely less secure. “Third-party risk is increasingly becoming important for banks because of reliance on fintechs and more banks adopting open banking systems,” Khedr said. “If a fintech company is breached, [the bank’s] data is compromised.”
She also stressed the need to pay attention to “inside jobs.” One type is when a cybercriminal hacks employees’ electronic devices that connect to the bank’s network or their private networks when working remotely. “Networks at home are significantly less secure than the bank,” said El Deeb. “That means the bank is more vulnerable to cyberattacks.”
The other type of “inside job” sees staff illegally accessing the bank’s system. “One of the biggest [threats is] the bank’s own ICT employees,” said Khedr. “They have privileged access to the organization’s infrastructure.”
Protecting the ecosystem
According to El Deeb, government and central bank regulations play a significant role. “Protection from cyber risks comes from adaptive legal and regulatory frameworks, investing in education, supporting research, … and enforcing accountability,” he said.
The Central Bank of Egypt (CBE) announced several cybersecurity-related frameworks in 2022. “It has 300 entries spanning people, process, and technology,” said Khedr. There are also the New Banking Law ratified in 2020, the CBE’s data privacy law introduced in 2021, and the cybercrime regulation passed in 2018.
The government has its own cybersecurity framework, which regulates non-bank financial services companies, but it has yet to become law. “It would cover net banking, mobile payments and digital banking,” said Khedr.
Egypt-based banks operating in other countries also must adhere to the cybersecurity standards of those nations. “All commercial banks in Egypt abide by SWIFT [a global messaging network exclusively used by banks], and some are certified by ISO.”
Within individual banks, Naz of KnowledgeHut pointed out the importance of having “security surveillance [to] scan a network for signs of dangerous or intrusive behavior.” She also stressed the need to ensure that software is secure, with no easily accessible backdoors, adding that a separate security system for the bank’s network is critical.
Holl stressed the importance of changing how cybersecurity departments are structured and operate. They should move from a “technology-focused” system that uses “proprietary ecosystems” to one that suits data analysts, depends on “scale and AI tools,” and “community collaboration.”
To assess the effectiveness of those efforts and build trust, particularly with foreign partners, Naz emphasized the importance of testing a bank’s cybersecurity systems with “some common financial cybersecurity frameworks.” The list includes the NIST Cybersecurity Framework, the Bank of England’s CBEST Vulnerability Testing Framework, and the Cybersecurity and Privacy Framework for Privately Held Information Systems.
Banks seeking to actively protect themselves from cybercriminals would likely face several challenges. According to Naz, the most significant obstacle is “the general [lack] of public’s understanding of cybersecurity. Few businesses have significantly invested in raising that awareness.”
Additionally, many banks have “budgets [that] are too small … due to the low priority given to cybersecurity,” Naz said. The result is that “identities and access are poorly managed” within those banks.
Another implementation challenge is the use of smartphones and apps to execute transactions, which have become desirable targets for hackers. Meanwhile, the proliferation of social media also poses a challenge, as employees share personal or business details on such platforms. “Less knowledgeable customers expose their data to the public, which attackers abuse,” explained Naz.
The third challenge facing banks relates to technology companies. According to El Deeb of Microsoft, banks should select service providers that adopt “responsible development of technology, [create] secure-by-design [solutions], and allow collaboration and standardization.”
Looking ahead, Holl said banks should “work with [what they] have and expand” the protection on parts they need. “We can’t throw away everything.” However, El Deeb stressed cyber risks require a “paradigm shift. What got us here can’t take us further.”