CREST publishes guide for enhancing cyber resilience in developing countries

CREST calls for appropriate, multi-party cyber resilience testing on financial entities in developing countries.

International information security accreditation and certification body CREST has published a new guide to fostering financial sector cyber resilience in developing countries. The nonprofit’s Resilience in Developing Countries paper forms part of its work in encouraging greater cyber readiness and resilience in emerging nations to help protect key industries from cyberattacks.

The guide outlines that, while increased financial inclusion is a global goal, the less privileged remain highly susceptible to cyberthreats. It also describes the need for appropriate, multi-party cyber resilience testing to ensure better cyber safety in developing nations, along with advice for governing authorities.

Low cyber resilience of financial entities in developing countries

Cyber resilience of financial entities in developing countries is often relatively low, leaving them and their clients considerably exposed to cyber risks, the guide read. Global developments since 2016 have underscored the need to improve the cyber resilience level of financial entities – and the whole financial sector. “Large-scale rapid digitalisation of financial products and services and supply chain extension by increasing use of third-party entities, combined with geopolitical tensions, have provided new opportunities and motivations for hackers, malicious insiders, organised crime groups, and nation-states alike,” it stated.

While this applies to all countries, developing countries have an additional element, CREST said. Ongoing digitalisation in the financial sector has provided the opportunity for considerable improvements regarding financial inclusion – i.e., bringing less-privileged people into the financial system and giving them access to credit, savings and payment services.

However, this has exposed the formerly unbanked to cyber risk. “Any theft of their digital savings, malicious alteration of their data, or obstruction of the financial infrastructure in general, can affect the less-privileged hardest, directly endangering their businesses, families, and possibly even their lives,” CREST wrote.

Interestingly, Cisco’s Cybersecurity Readiness Index revealed last month that organisations in developing countries in the Asia Pacific region are more prepared for cybersecurity incidents compared to those in developed countries. Less tech debt and legacy systems in organisations in emerging markets compared to their peers in developed markets is likely an influential factor, making it easier to deploy and integrate security solutions across IT infrastructures, Cisco said.

TLPT can develop cyber resilience in developing countries

Central banks and financial authorities have an important task in increasing the level of their financial sector’s cyber resilience, the paper read. One common element being considered is threat-led penetration testing (TLPT), which can facilitate the improvement of cyber resilience through controlled testing processes.

However, TLPT is most effective when applied to relatively “cyber mature” financial entities. It’s also dependent on the maturity of the authority in charge and the cyber security service industry in the country or region, CREST said. “If authorities pursue a policy to have financial entities tested according to the respective TLPT frameworks, they have to consider the possible capacity and quality restrictions of local cybersecurity service providers and consider options to catalyse development of the market for cybersecurity services,” the guide read.

Assuming the central bank is the authority in charge, it must invest in a dedicated team, headed by a senior manager, which must closely monitor each test process to ensure tests are performed according to the applicable testing framework and that service providers meet the required quality criteria, CREST said. “To avoid supervisory judgement during the test process and the test becoming a mere compliance exercise, this team must sit at arm’s length of the supervisory and oversight functions to ensure a smooth test process,” the guide noted. As long as supervisors and overseers are involved in the scoping at the beginning and will receive the entity’s remediation plan at the end of the test process, their responsibilities are well taken care of.

Authorities pursuing a TLPT program will help improve the cyber resilience of the most critical financial entities, along with contributing to the maturation of the local market for cybersecurity services. However, close and constructive collaboration among all parties, private and public, is key, CREST added.

