With internet banking, mobile banking and point-of-sale transactions growing rapidly in Seychelles, safeguarding critical information systems has become an imperative for national security, economic stability, and public safety. 

Like other countries, Seychelles has not been spared from cyberattacks, which increases people’s vulnerability to various types of cyber threats, such as phishing, smishing, vishing, or romance scams. A compromised system or disruption of services could erode consumer trust in digital payments, just as we’re trying to facilitate our population’s adoption of digital financial services. 

The Central Bank of Seychelles’ Cybersecurity Journey 

From an organisational standpoint, following an Information Security Audit in 2010, various steps were taken to address identified control gaps and strengthen our resilience. We created a Chief Information Security Officer role, as part of the Risk Management Unit and adopted a “defense-in-depth” approach, which encompasses physical, technical, as administrative controls. Investment in new technologies to replace outdated and prone-to-risk legacy systems was also deemed crucial.  

Cognisant of additional cyber risks and increased exposure to potential cyber threats arising from more publicly accessible systems, such as the Seychelles Electronic Fund Transfer System and Credit Information System, we also deployed appropriate defense solutions to enable us to detect and respond to threats more effectively and proactively. 

Nevertheless, as a small island state, the limited local availability of expert services and personnel is a challenge. Consequently, we have had to invest in and outsource information security monitoring services and cybersecurity specialists to further assist our efforts. 

COVID-19: The Disruptive Accelerator 

When the pandemic struck, the Central Bank issued Cyber Security Guidelines to provide guidance to Commercial Banks, Bureau de Change, and other financial institutions. We also initiated a Cybersecurity Working Group to share threat intelligence within the financial sector. 

On an organisational level, staff used Virtual Private Network (VPN) services to work from home. With the inevitable vulnerabilities that this creates, new and more cyberattacks emerged, requiring a new layer of defense. This led to the deployment of adequate solutions for comprehensive visibility and monitoring of remote users’ internet traffic and activity to identify potential security issues. 

People, Process & Cyber Hygiene 

While processes and technology generally remain constant in a business, people are volatile and hence present the biggest risk. We’ve seen many big companies spending millions of dollars on state-of-the-art defenses, only to be outdone by one click. 

Therefore, our staff need to be consistently trained to protect our valuable information assets.  We have implemented an Information Security Awareness Training platform, which offers a library of interactive modules, videos, games, and posters covering cybersecurity basics, risks, and forms of attacks. 

In the Cloud or On the Premises? 

At one point, we had to choose between Cloud and on-premises solutions. The Cloud offers greater flexibility, and most technologies are now developed with a cloud-first approach. An organisation acquiring new applications can pay based on actual usage, IT infrastructure investments are more efficient, and start-up costs are minimal.  

The challenge, however, is controlling data in cyberspace. 

On-premises solutions provide full control over data, but require expensive upfront investment in hardware, software licenses, and business continuity provisions. They also require significant human resources (IT Specialists), as well as physical space for ICT infrastructure, energy use, cooling, and enhanced physical security. It also needs investment in training and retaining key IT employees. 

Currently, the Central Bank of Seychelles uses a combination of both solutions. 

A Complex and Evolving Threat Landscape  

The internet is a breeding ground for identity theft, ransomware attacks, credit card fraud, and hacking. Cybercriminals are constantly evolving, deploying complex and sophisticated attacks.  

Our biggest challenge is keeping abreast of emerging technologies. Devices, for instance, introduce new vulnerabilities, as they are often not as secure as traditional computing systems.  

Third-party risks have risen significantly due to our growing reliance on external vendors and suppliers. The shift to remote and hybrid work models has increased our attack surface, and the risk of phishing and credential theft.  

And of course, there’s the new kid on the block, Artificial Intelligence (AI). While we have much to gain from AI, such technologies are already being widely exploited by bad actors for criminal purposes. 

We will need to stay vigilant, keeping a close eye on all these areas.