
Right, good afternoon everyone. My name is and I'll be taking you through a study that I did over the past couple of years. So a little intro into who I am. Um, as I said, I'm, I work within threat intelligence in one of the local banks, and I got interested in cyber, like, when I was a kid, when I watched Hackers. I think most of you have watched Hackers, the movie, and the green things come down and you're like, I don't know what this is, but this is for me. And then, yeah, it took me a while to actually get around to understanding what that was, and then a couple of years later I watched The Matrix, which was more
green stuff, and I'm like, I'm sold, where do I sign up, and all of that, right? So because of that I went into computer science. I'm like, I don't know how to do this, so let me go into computer science. Got into computer science, enjoyed it quite a lot, um, and I'm like, it still doesn't answer the question, like, where is security? Like, when I did computer science it was like networking, CCNA. I'm like, where is the security part? And then I did my honors trying to solve that problem, like, okay, let me do more security, and my honors I focused on security, and then that's where I got sort of bit by the research bug, and I'm
like, I like research and I also like security, but I don't see myself working in academia. Um, I always felt like it was a little bit removed from what's going on in, in industry, and within the country I always felt like industry is here doing very cool stuff, academia is here doing very cool stuff, but the two worlds don't collide. So I'm like, let me go into the working world and see what's there. So I got into the working world, um, I did my masters, and then life goes on, and then while at the bank, or where I work is a bank, so I'm like, let me do my PhD, let me try and bring these two worlds
together and let me try and solve a problem that I felt somewhat passionate about, right? So which led me to, to my research topic, um, which was developing a cyber security framework for commercial banks, right? So the way the, the presentation is going to go is that we're going to cover these couple of points. So intro, that's done already, you know who I am and how I ended up here, uh, the problem statement, the theoretical framework, the methodology, the objectives and results, and conclusion. Apologies, this is going to be very academic focused, but I did try and lighten it up and not have a lot of words. I'm going to try and speak through most of what I
have to share with you guys, right? So let's first start with the study time frame. So I embarked on this journey in 2020. I'm like, I'm going to do a PhD, I'm going to get the, the bank to, to work with me, and I'm going to do this great thing and solve, or solve a problem and add another framework to the equation. So 2020 is when I started. Um, if anyone is familiar with the sort of research process, you first have to pitch your idea to people and be like, this is what I want to solve, is it good enough or not, and luckily it was good enough, and then I started with my study, right? And then
in April 2021 I was at a point in my study where now I had to collect data to, to actually inform what I'm doing and to, to draw conclusions, and then the rest of the milestones, they are just pretty much other milestones within the research project until I concluded the study last year, right? So let's start with the problems. First things first is that I started my study just as COVID started, so bad time, everybody. People are more concerned about living, which is fair, um, than they are about my study, right? So that was a huge problem because now I have to get people's attention with all of this. So that's the first challenge that I faced. The second challenge was
data collection, right? I work within a bank. My first assumption was that go to a bank, tell them I want to do this, they'll be like, yeah champ, you can do this, let's fix this. However, they were like, um, no, we don't do that here, we don't give out our information, we don't share what's going on within us, so you need to go figure this out. I'm like, okay, maybe it's just my bank. Move on to bank B: hey, I'm this guy, I have like an ethical certificate to show that I won't mess with your data or anything. They're like, eh, doesn't sound right. Move on to the next bank, move on to the next bank. Short story is
that all the banks that I talked to are like, look champ, good idea, good initiative, just not, we don't do that, right? We don't want to share our data with you because we don't know what you'll expose, right? And I try to tell them that, look, I'll be very careful, I'll, I'll remove your name, I will do everything, but the flat-out answer was like, we don't do that, we're not for that type of initiatives within, within our organizations, right? So that's okay. I'm like, okay, I'm going to do this externally, I'm going to try and get the data externally. Cool, move on to the second point. POPI comes out. Hey, now this is fun. Now I need to send out a
survey and people don't want to share details anymore, because remember when POPI came out everybody was like, I am going to be perfect, I'm not going to share my information and all of this, and people were not sure how it's actually done. So I talk to you, I'm like, hey, can you give me your friend's details who works in banking, and your response is, no, POPI says I can't do that, right? I'm like, give me something. You're like, no, I can't do that. I talk to other banks, like, is there a mailing list I can use or someone I can talk to who can give me clearance to sort of reach out to people? They're like, no, we can't do that. That
sucks. So I'm like, okay, let's move on. Next thing, Cybercrimes Act comes into play, right? Although it came in a little bit later into, into, into my study, it also is a spanner in the works, because now I was trying to solve this massive problem and now the crime, Cybercrimes Act comes in and sort of undoes some of the work I did, right? I'm like, this sucks, what do I do? Um, and at that point it was too late to pivot, it was too late to go back. I'm like, forward we go, we'll see what we have. And then the last thing, this doesn't really sort of bear any weight on the study itself, but it's just
to make people aware, if they do have questions, that the, the S joint standard came out after the study, and yes, it does address some of the issues that I came across, but I am aware of it, and what was, what was done in the study is that I incorporated parts of the draft bill, which was in, in the, in the study, right? So now that we got sort of the legal stuff and the external factors out, let's start with the banking landscape in the country, right? We all know of the SARB. We have the SARB, which is big brother of everything, sits on top of all the financial institutions and sort of regulates what they can do, how they can,
well, how they perform their actions, and gives out licenses. Then we have the big five banks, you know, Investec, Standard Bank, FNB, Capitec, all of them. Those are the big players, they take up a huge chunk of the market and they sort of dictate how play goes in the market, right? And then you have your smaller players. Um, for some of you, you're actually not aware, we have like, I think, 20-odd banks in the country and some of them are like very niche. Al Baraka Bank being one of them, I'm sure most of you haven't heard of it. Access Bank is also one of them. Grindrod Bank is also one of them. So there's a bunch of
banks that exist in our space but no one actually knows about them or what they do, but they all service a certain client or a certain niche market that they're trying to address, right? So we talked to those. Then we have the digital guys that came in, new banking, new everything, so this is your Discovery, your TymeBank, your Bank Zero, although in all honesty I haven't seen a Bank Zero card, but yeah, we have Bank Zero, we have all those guys. So these make up the banking landscape that we find ourselves in and that the study focused on, right? So the scope of a study was limited to commercial banks, and what I mean by that was that we have other
banks in the country that are not commercial. So Land Bank is actually a legitimate bank in the country but it's not for me and you. I cannot walk into Land Bank and be like, give me a bank account, I want to transact. We can't do that. So we looked at the commercial banks that we can walk into and sort of transact in, right? And then we looked at previous security incidents within the country, specifically in this, uh, in the banking domain, and more so third parties related to banks. So in this case think about something like TransUnion: it is not in the banking space but is very tightly related to banks, right? And then we went into current cyber legislation
up until 2021, so this is the joint standard, the draft bill rather, and the Cybercrimes Act and POPI. And then we looked at perception of cyber security among employees in the banking sector. So for this I looked at particularly people in IT, so IT as a broad term, so developers, security people, everyone, and then we looked at GRC consultants, everybody in, in governance, risk and compliance, to sort of build a perception of how do they view security, because the assumption we're basing it on is that they are more close to security rather than someone else who's a bank teller or something like that. Okay, so the problem that we're facing and the problem that sort of led to this is
that banks in the country are sort of growing the threat landscape, and what we mean by that is that they're offering more and more of their services digitally, right? If you right now, I don't know, want to apply for a loan, if you go to any bank, mostly they'll be like, sit on the phone, call them, or complete the application on the mobile app, which means that there's, the, the threat landscape is growing, attackers can sort of hit them from different angles. So this is one of the problems. The other problem is ineffective deterrence to cyber criminals, right? Before the Cybercrimes Act there wasn't a lot that could be done to deter criminals, so we're
mostly using common law and criminal law to try and get you arrested for hacking, but that really didn't work, you could get away with it, you know, just move your way through it. And then the other issue was a lack of security frameworks for commercial banks, right? So yes, I know there's a lot of frameworks, a dime a dozen for anything, right? You have NIST, ISO, you name it, it's there, but all of these frameworks sort of work on the premise that you are a Western country or somewhat from a fairly developed country, you have certain resources at your disposal and you don't worry about some things, right? Which works if you are in those situations, but if you're in
South Africa, how does your security strategy cater for load shedding, when your analysts are offline? You know, so that's some of the issues that led to this. Poor legislation and governance in the country: cyber crime in the country and a law is still fragmented, um, it's still being tackled from a lot of areas and we still can't, we don't have a concrete solution for it, right? We used to have the National Cybersecurity Policy Framework, which predates Cybercrimes Act, then we had POPI that was trying to do something else to cyber crime, so everyone is trying to come at it from very different angles and we don't have a unified view, right? Local issues that influence banks, so this is
skills. I think Dom spoke about it in the morning. Skills is a huge thing in South Africa, all right? Lack of technology awareness, which is also a huge thing. Also that we are operating, our banks are operating in an environment where the generation or the people using their apps is, is so varied. Yes, every country has it, but we literally have people who didn't get the best of education trying to do internet banking, you have people who grew up with technology who understand it a bit more, and then you have people who don't even understand the concept of banking, right? So if you talk about new entrants into the market, yes, they understand that we need to do
banking, but why should I be using you as a bank, why can't everything just be, I don't know, like a platform or somewhere up there and I can just withdraw my money, right? And then the last thing, or the other thing that drove this, is increased digital adoption. Like I said, the banks are pushing for a digital-first approach, which means most of their services are only available digitally, and if you go into a bank they'll direct you to a phone, which doesn't help you much. And then the other issue is the reluctance of information sharing within the cyber community. Um, this was made even more apparent when I tried to gain access into banks to try
and do this research, that we're not sharing information. Um, this is the first BSides in Joburg, but it's, it's still not enough, like, how long has BSides existed? So the community or sort of the information sharing is not great, and I was trying to figure out how can you solve that and how can you address that, right? So now that we sort of painted the problem, we painted the landscape that we're operating in, we look into the research question, right? How can a cyber security framework mitigate the cyber threats and attacks within the commercial banks in South Africa, right? So this was more about, if we have a framework, if we were able to come up with a framework, how
would this framework be able to assist banks and how would it be able to address some of the key points that were mentioned in the problem statement? And the, the first assumption I made, or sort of the first concession I made, is that no matter what I come up with it won't be concrete and it won't be a silver bullet for everything, so I need to just try and move the needle slightly, right? So we move into the research objectives, which was first to analyze the factors that play a role in a successful cyber attack. So what this key point speaks to is that if we look at all the security incidents that we've had in the country, what sort of led them
to being successful, right? So one good example is if you look at Standard Bank Japan, sorry if there's a Standard Bank in the room, so I'm not picking on you, I'm just saying Japan. We look at Japan: what are the factors that led to Japan and how was Japan successful, right? We look at that. And then the other thing was, not sure if most of you are aware, there was an incident at Postbank in, I think in Mpumalanga, where people were stealing money from Postbank, but because Postbank didn't have the latest and greatest tools they were sort of succumbing to that and no one noticed for quite a while, right? So we, I was
trying to look at those factors, like, what, what is it really that makes us unique and what makes some of the tactics that people are using against us successful? The other thing was evaluating the interventions in place, um, to mitigate attacks within commercial banks. So this is pretty much just looking at tooling: what tooling is out there, what are the banks using and how are they approaching this problem. So in this case we're trying to look at it from the three pillars, which is people, technology and process, right? So from a people perspective what are they doing, from a process perspective what are they doing, and from a technology perspective they have all the money so they can buy
anything they want, that is the assumption I made, right? And then we assess the impact of cyber threats on banks, and the key thing here is, note, I said cyber threats, not attacks. So an attack is, it's already pretty much done, you're either being DoSed or whatever, or someone is actually carrying out the attack, but a threat is, is that monkey on your back, it sits there, whenever you do have to think about them. So, so what is the impact of that, how are banks changing their operating model based on the fact that there's a big bad threat actor out there that could potentially compromise them, right? And then the other one was evaluating the
frequency of cyber threats within the financial sector. This was just to get an understanding of what's going on in South Africa and what are the, some of the challenges we're facing, right? Um, because prior to this, at least to my knowledge, no one had ever really gone into looking at the threat landscape into South African, putting together an academic piece, right? So that was just what we're trying to achieve with that. And then the last one was developing a conceptual framework for commercial banks, underline conceptual as well, so this is just big picture thinking, this is what the framework would look like and this is what it would address, right? So, and in academia you, you have to, you
have to appease the gods one way or another, and the gods in this case are the research committee that need some sort of backing, like, what are you basing your thing on, how are you doing this? So I had to use a framework as a starting point, so in this case I chose the National Cybersecurity Policy Framework, which was way before Cybercrimes Act, to be like, this is the sort of starting block, this is what we'll be using, right? And then from there I looked at other system, other theories that will contribute to the study. So systems theory, and the reason I picked systems theory was that we assume security to be a system, a system made up of three parts:
people, technology and process, and all these three interact to do something, right? And then we look, move on to complexity theory. Complexity theory was just that, how do I bring understanding to a very complicated system, to a very complicated architecture or problem, and security is, fits the mold because there's a lot to be done in it. And then chaos theory. I liked it because the first, like, if you Google chaos theory the first thing you'll see is, is a butterfly flaps its wings in China, something happened somewhere. So that was pretty cool to me, and what appealed to me is that cyber security is similar in that sense: you fix people, you might break technology; you, you harden your
technology, people complain, right? Or something is missing in between, your process is not addressed properly, and that's where the gaps fall through. So those are the three frameworks, that sort of theories that led the study. Uh, the boring part is that it used mixed methodology. Um, what that means is just that I did interviews and I did surveys, right? Um, also a key thing to note is that many of you in this room did not reply to my LinkedIn requests to do the survey. I recognize some faces. I pleaded with you guys countless times and, and nobody was, it's, it's, I don't know, but I guess it also speaks to good training, good security training within the companies
you work in, they told you don't click on links. Someone actually replied to my message and was like, my company's filtering your thing saying it's a phishing thing, I'm not clicking it. On your personal laptop? He's like, oh sure, I'll do that. I don't think they ever did, but yeah, that's the thing. Um, interviews were a little bit easier, people were more willing to talk to you than that. So on the quantitative data side it's just multivariate data analysis, which is a somewhat complicated way of just saying use a lot of statistics to try and, and solve this, right? And the qualitative side, which is the interviews, is thematic analysis. So what that means is that from the conversations that I
had with some of the people, what key themes were coming out, right? So what were people saying that, I think I interviewed like 20 people or so, and what are the key things that they were saying that informed the, the findings, right? So we move on to the recommended conceptual framework, right? So after talking with people, after collecting the data, it came out to these seven pillars, right? So the seven pillars all work together to inform a cyber security framework, or what could be the building blocks of a really good framework, right? So let's start with cyber security resources. Dom spoke about it in the morning, a bunch of people spoke about it as well. We have a resource problem, and
not only from people but also from infrastructure when you look at it locally, right? So you, you have this vacuum or this shortage of skills that is really affecting South Africa, and there is no direct plug for it because currently students are shying away from STEM fields, which makes it a little bit hard to get people into security, because cyber security is a STEM field, so if people don't want to do engineering, science or whatever, how are we going to plug the gap, right? Second to that we have a resource problem, so what, uh, well, this resource problem that I'm speaking about is infrastructure. Currently to sort of be a cyber security professional you need to
work in one of the major metros where you have Wi-Fi in your area, or be located to a relatively good area where you have fiber or something. So if you're like, from me, if you're like me and you're from Limpopo, I, good luck bro, you're not going to get a security job even if it's remote. Good luck, 'cause lightning strikes and then there's no internet for like 3 days. So it's not a joke, it's a real thing, so that's, that's a, that's an issue, right? So we have those, that lack of infrastructure, that's a resource, right? And then the other thing that came up was an alignment of business and security. This has been talked about for
years in the security and business space. We all know that there's a misalignment, but the interesting thing during the study that came across was that, how much of an issue it was, right? So I would speak to someone in security, like an analyst, I'd be like, okay, what do you think your function is, and they're like, no, my function is to secure the bank, and then I'll speak to someone in business, I'm like, what do you think your function is, like, no, my function is to generate money. And then when you speak to these two people, are like, okay, how does cyber come into business, the first thing they say is that, business would say cyber is, is just a blocker,
they, they don't want us to do anything, right? And then you speak to the tech guy and it's like, business is unreasonable, they want us to have this thing that is shiny and whatever, and if we protect it we, you have to remove these things, and now there's a huge mismatch. And then when you also sort of sit down with them and be like, explain what is cyber to you, the business person is like, yeah, it's just hackers and, and people stealing your money and that's it, right? You speak to a tech guy, you're like, what is cyber? Interestingly the answer varies depending on who you're speaking to. If you speak to a developer, most of the time they're like,
yeah, cyber, someone hacking you, you just need to make sure that your code is secure, secure practice, yeah, something like that. You speak to an analyst who's actually, who works in cyber, they'll give you a more fuller answer. So this brought the fact that there's a huge misalignment between what business sees as cyber, what cyber, or what technology professionals see as cyber as well, and there's no way we'll ever get to a sort of solidified view if we're not speaking in the same language within ourselves, within the different departments, between business and security, right? The other pillar is shared intelligence, shared threat intelligence. So there's a lot of initiatives within the country to, to get
this going. I mean, you have the national, we have the Cybersecurity Hub. By the blank stares on you guys, some of you don't know what that is. Um, it's actually part of the Information Regulator, they put it out for us to, it's sort of, it's supposed to be the country's SOC. People don't know about it, people aren't using it, people aren't even sure how to go about it, right? And then from the, from shared intelligence we have SABRIC. SABRIC is trying to facilitate information sharing within the banks, right? Which is a good thing, but what about everyone else, right? And what if you're a smaller player who perhaps doesn't have anything to share? So this
is one of the key pillars that would feed into the framework to solve the cyber issue. We need an open platform, we need something that everyone trusts and they can interact with to solve this huge cyber problem and to sort of make sure that everyone is aware of what's going on in the threat landscape. So, sorry again, but if you're like Access Bank and you're not sure what the threat actors are doing out there, but someone at, at Absa has seen it, if they shared that information you could protect yourself and you could sort of reduce the, the burden needed for you to get an analyst and all of that, right? And then the other top pillar is practical and
enforceable legislation. This is a huge, huge issue in South Africa and I don't know how we're going to solve it. We almost, we, we, the good thing is that we're making positive strides towards addressing this with the Cybercrimes Act out, with POPI out, but the biggest problem with all of these is that most of them are copy and paste of what's being done in Europe or America or somewhere, right? So POPI is copy and paste of GDPR to, to here, talk about South Africa. Cybercrimes Act is also a similar thing, they copied, uh, Ana I think, and some of the European frameworks, and it's, it's, it's just not going to work, right? Because we have our own challenges,
we have our own issues, where firstly we are, sorry for the term, but we are a third world country with banking systems that are world class, so there's a huge disconnect between those two, so we need to, we need to work around that, we need legislation that supports that, we need legislation that addresses that, and then joint standard that came out now is also a good step towards that, right? And the other part of this is enforceable legislation. So if I remember well, from the Cybercrimes Act, if you have an incident, a material incident, you're supposed to report it within 72 hours or something like that. If you're a bank you report it to
the SARB, which sort of helps, but if I'm person A and someone has hacked my small business, whatever, where do I go? If I go to SAPS, great on you, but you get there and you tell Constable X like, yo, um, my website has been hacked, I'm seeing funny things here, I'm pretty sure the constable will be like, uh, good for you, sir. Um, I've had it, I've had it where they want to come and take fingerprints. I'm like, what the... Exactly, exactly, right? So cyber security guys, come take fingerprints, right? So that's the problem, right? So it's, it's not enforceable, right? Because right now also, if, if you have an incident, um, what do you do? Do you
physically carry a laptop and put it there and be like, they hacked this thing, do something here? I don't think you'll ever get your laptop back if you did that, right? Um, and then we have three pillars that are tightly coupled together, which is the understanding security part, understanding cyber culture and cyber security awareness. Understanding cyber security, this speaks to a general thing of like, we need, for, for commercial banks to, to come up with a framework that actually works they need to address what cyber security is, right? Example: right now you go to a 50-year-old or 60-year-old, okay, 50 is too young, sorry, sorry for 50-year-old, sorry, um, you go to someone who's 70 years old,
they used to do banking like they did, you fill out that deposit slip, you go in, you do all of that, and now you're telling them like, look sir, um, you have to download our app, that's the only way you will get money, it's the only way you will transfer money, if you come into the bank we will charge you 10 rand to transfer, okay? So, and then you tell them that, no, by going digital you're reducing your footprint and you're doing great for the environment, just be aware of the hackers. Yeah, great, what do you mean by hackers, what am I supposed to do? So we need to educate people, or the banks need
to take a framework that educates even the end consumers, like your granddad and whoever. They need to explain to them like, look, this is cyber security, treat it just as you would any criminal, anyone who's trying to steal something. What would you do? Most likely I'd secure my things. And translate that into something that is understandable for people, right? And then we look at cyber security culture. What that talks about is that currently cyber security is, it's a stick, right? We tell you that, lock your app or the people will steal money, and it's, it's driven from a fear perspective, like, do something or something bad will happen. But if we create a positive culture around it, like I said about
securing your assets, if you create a positive culture around it, like, no, just as you lock your doors, close your gate and do this, this is good security practice, make sure that you have an OTP on this. What is an OTP? That's a different problem. And then make sure that, no, only certain people have access to your laptop, if, if you're elderly person or whatever, and just bring that sort of culture into it and, and make it part of us, right? An interesting thing that came out of the study was that in South Africa we have a concept of Ubuntu, which means putting someone before you. Weirdly, Ubuntu plays a massive role in cyber security in the
country, right? Because Uncle Pete called me, said, I need 500 grand, I've been hijacked. I'm not even sure if it's him, but because of who I am and what I feel is right, I just want to help you, like, no, like, here you go, here's a 500 grand. And what we picked up is that, from some of the incidents that happen, from some of the interviews that I've had with the people, is that syndicates are abusing that, that South African thing that I need to help my fellow brother, that I need to help you, and by doing that it's, it's sort of making it difficult to, to plug the gap and to, to, to change how people do things. We can't
change Ubuntu for sure, but we need to, in a framework that is developed for South Africa, we need to cater for Ubuntu, and we need to ask people, like, we need to, in the framework itself, get people to ask themselves a couple of questions before they do something, right? But not in a scary way. And the other thing is cyber security awareness, so it just ties into the other three, into the other two pillars. We just need to get the word out there, get security out there, get people understanding what security is, and we need to tackle this thing from a grassroots level. So perhaps it's about time, I remember, maybe it's not that long
ago, but when I was in school banks would come in to be like, this is how you deposit money, they would give you like a little slip that you'd write on, they're like, oh, this is how money works, this is how you, you deposit money, this is how you withdraw money, you fill out the withdraw receipt. Perhaps it's time that a framework for South Africa would incorporate that. How do we go down to the, the lowest level? Maybe we can't help the older generation, but we can help the younger generation that lives with the older generation to be like, no, if your mom wants to do this on their phone they should probably first check this, or they
should make sure that they're not running some weird malware thing on their phone, and if we drive that education in at, at a sort of grassroots low level, perhaps we could resolve this issue, and perhaps if you take all these seven sort of pillars and feed them into one thing, will you come up with a framework. So the whole thing is, we have different challenges, we have very unique problems in South Africa, and a cyber security framework that is going to work in the country needs to address these seven pillars, from my study anyway, from what I found, and once we address these seven pillars we have a pretty solid bedrock of what's next, what do we do, how do we
then move from the Cybercrimes Act to perhaps NIST, I don't know, we can't call it NIST, but is something Africa in information something, but how do we move to a platform or to, to a framework that is catered for us, for our different problems, for our challenges and for the different sort of little nuances that exist in South Africa, right? So to wrap it up, the first thing to note is that we're making positive steps towards a harmonized cyber security framework. Yes, most of us have a problem with the Cybercrimes Act, yes, most of us have a problem with the POPI Act, but we have to give credit where credit is due, it is the right step,
we're going somewhere right and now we also need to sort of get involved and get our voices heard the second thing I just want to highlight is that there is a place for academia in cyber security in South Africa currently during my study and as I feel very passionate about it the two worlds exist sort of in parallel and that doesn't make sense if one can inform the other and one can sort of I don't know act on something if we were able to get these two worlds closer to each other if we were able to take real business problems and present them to varsity students not CTF CTFs are great but they're not
addressing the problem go there tell them to spin up an Active Directory environment tell them that this is what we're facing yes they might not be able to solve it but they might come up with a completely different way of thinking about it or they might give you a perspective that you haven't thought about and by doing this you also make sure that the talent coming in is employable cuz they now know practical tools and we're also investing into the whole cyber security sort of circle right we're making sure that everyone is aware of security and we're also making sure that the business or the the banks themselves are are making the best of the skills
that we have in the country so that is me um the QR code on this presentation is a link to the full research paper for those who are interested um it's quite a lengthy document sorry um but that's how it goes so if you're interested you can read the full paper I did sort of gloss over some of the key things that are in the paper so you're more than welcome to go through it so yeah thank you oops any questions yeah
sure as well um I've also done similar research on mobile applications for a secure software development framework and I've also identified the major concern is uh companies don't and especially banks uh I also work for a bank um they don't talk to each other and yes um uh sa and SABRIC is there or are there uh but still the companies don't say if if we have been hacked that that kind of thing we all want to keep everything to ourselves until it's legislation and you're going to be fined if you don't say what's going on so let's fight the cyber crime together and the banks need to differ oh not not not especially banks but every company
almost um so that they differ on the features they provide that value added service so let's fight this crime together and um uh yeah let's separate our work uh based upon our features but yeah that point that you made there what was it uh practical and enforceable that's definitely almost my number one ow is going to go out the wall and every company's going to do their own thing yeah and they need to talk yeah no for sure um they need to talk more I know that they are talking um but in yeah exactly they are talking and some of the talks happen in Telegram channels that are not for everyone but that's still not open enough right some people so if
you're not in those part of those Telegram channels you're obviously missing out right and we need legislation that's that's going to force them although we do have it right now but I feel like because there aren't heavy penalties maybe they're not doing that they're not actively working on sharing and actively working on a platform where to exchange information but yeah what you said is is is spot on thanks um any other questions yeah sure oh sorry this one one okay I get that uh the way we do things now and the way they do things back then are so different because time is moving but looking at how we do things now and how they do things back
then which is in the banking sector which one would you say it's more safer and why I I wouldn't say there's a safer version is that what you're asking right yeah I wouldn't say there's a safer version I would say so the the benefit of of how they did it back then when you fill out stuff and you go into the physical bank is that they sort of verify you in person right they they know who you are they they transact based on the fact that they've identified who you are so that's great but we also can't stick to that because then we're not innovating right the problem with this way that we're going now is that and it's horrible to say
banks are closing down branches great but what about the people who actually rely on the branches right what about like people in remote areas that need to go in to do something so it it's there isn't like a safe way it's just we need to have an inclusive way right cater for both maybe it's as morbid as it is maybe wait for the older generation to die before you close the the branches maybe maybe I'm just saying maybe do that but there isn't a safer way both need to exist within the same space right um hand yeah cool man thanks for the talk interesting my question is um interesting if you considered um maybe testing the the framework within
your current environment because it's one thing developing framework is one thing testing its efficacy to see how how well does it like apply to the environment that you initially targeted t fall right yeah so that's where the problem comes in as well currently banks are not pro external research how do you bring that in right because then they assume that if so obviously I'm going to have findings I'm I'm going to come in and be like yeah my framework doesn't really work great um I need to tweak this I need to tweak this which is great but then I need to also put out that piece of information that it failed in these areas because of this
and the reason I I I said it over a couple of times that it's a conceptual framework because testing it is quite difficult within the banking space they they're very closed they they don't want to share anything and an interesting thing is that when I was doing this research and it's it's just what I found I only found one white paper regarding security from all the banks only one bank published their white paper how is that possible so if we could have a more open or more sort of that's why also the last point is that the two worlds need to come together academia and and and industry need to come together because I can't solve pie in the sky problems
while we have real problems right so yeah I don't know if this oh this one hand then how it um so I wanted to find out yes we're looking at the frameworks and everything that has to be custom made for the banking in South Africa um does that have to in a way speak to also the tooling that the banks use um have you looked at anything that has to do with maybe designing our own tools that would actually speak to our um our environment in South Africa or in Africa as well yeah so from a tooling perspective right um obviously homegrown solutions are best but the study didn't look at that the study made the
assumption that banks have money to buy the tools the latest and greatest tools but obviously if you develop local tools maybe some of those tools will will help but it was just a baseline assumption that they have the money to buy the best tools out there and let them do so yeah um well I've got a question it's just a follow-up to it's sort of related to his question um I walked in a bit late so I might have missed some details but um have you validated this elsewhere apart from the banking sector and where I'm coming from with that is I love how you're trying to connect Academia to um this framework right uh from my
experiences I'm from Zambia okay um one of the things that I've noticed is the banks in Zambia don't talk as well uh they don't share when bad things happen in their environment and that's a tough conversation to bring up with the banks and just listening to you I think it's the same problem in South Africa as well um one of the things that I've been thinking about cuz I'm also a huge advocate of a framework like yours and I think Zambia also needs it Africa needs it right um one of the things that we've tried and we've seen that it might have a positive traction is talking to universities and similar institutions um cuz they get attacked as well but those
ones are a little bit more keen to have this threat intelligence sharing possibility so to speak right so my question then is have you tried to validate it in environments like universities or similar institutions if yes what's been the outcome uh if no is it something that you would want to maybe consider the short answer is no um obviously given a scope of a of a study that has to cover something the short answer is no but I would be very interested in trying it out somewhere right in in in in academia or any even in SMEs I think in the country have like very a lot of small companies or small medium enterprises that are moving
into the digital space it would be very interesting to try and validate that in that space and see what findings we can get and perhaps that would then sort of go up to to more established industries where they wanted but yeah it'd be very interesting to try that sounds good yeah I mean and just a follow-up comment to that please try it out and let me know how it goes I'll keep in touch with you but I still think if if institutions like universities jump onto a framework like this and it proves to work um I kind of feel like maybe the banks would be a little bit more open because they've seen a prototype work and
they've seen that there's an outcome um out of the collaboration right so I I tend to think that maybe that could be a viable approach to first of all try out the framework but then also help with changing mindsets especially in the banking sector yeah yeah thanks for sure thanks thanks a lot um last question have okay yes yeah so uh even if we do implement all all the checks and balances and all the security um requirements what we've seen well almost in not just the banking industry but everywhere around uh we're going to we're going to close all the doors and the only door that's going to be opened is the hijacking door okay uh honestly
because not just on the banking sector we can implement all these tools to to secure the mobile app to secure the computer to secure everything but if the society that we live in and your framework probably um well maybe research after this as well uh into what can we do with SAPS or Secret Service or that kind of thing to to um introduce those kind of um uh integration okay methods yeah no for sure um I'm out of time but an interesting thing that someone said during the study was that maybe if I go to the bank um let's let's say in the hijacking situation that you're giving if I go to the to an ATM under duress and I
put in my card and if I type my pin backwards maybe that sends a message to SAPS to be like this guy is being forced to withdraw money he and your rest but the problem is that how long is that going to take them to get there it doesn't work yeah but okay thanks everyone that's so