SAIs and the Cybersecurity challenge

Penetration testing as a defence mechanism against cybercrime

The increase of information systems has brought with it many new developments to increase the efficiency and effectiveness of business processes. But, it has also brought major challenges. Among the most concerning is the concern of cybersecurity in organisations and government institutions and the threat of cyber-attacks against productivity systems.

In defence against these cyber threats, organisations need cybersecurity expertise to detect, prevent and investigate cyber threats.

One aspect of defensive mechanism in cybersecurity is conducting penetration testing. Penetration testing is the practice of testing a computer system, network or web application to find ‘holes’ or security vulnerabilities that can be exploited by hackers. Penetration testing is generally used to detect the following:

  • How a system reacts to an attack
  • Which weak spots exist that could be breached
  • What could be stolen from the system?

As Supreme Audit Institutions (SAIs), it is our duty to support public sector institutions to stay cyber safe by having the proper cybersecurity measures in place. The importance of this was emphasised during the 2018 AFROSAI-E Governing Board meeting which included several presentations and plenary discussions on the topic of cybercrime and digital disruption.

How can SAIs do this? By having:

  • Trained personnel who can perform penetration testing.
  • Expertise in Threat Modelling Techniques to discover and manage vulnerabilities and threats of an organisation’s network infrastructure.
  • Teams with multiple skill-sets in several areas of ICT, including, software engineering, database and network administration, cyber laws, forensics, cyber security. The should also be able to think outside the box.
  • Enough equipment, or by setting up cybersecurity and forensics laboratories.

It is however still the full responsibility of the public sector institutions to ensure they are safe from cyber-attacks. At the very least, this requires them to ensure that:

  • They respond to cyber incidences, through the introduction of a Computer Emergency Response Team (CERT). This CERT may be composed of a Red and Blue team of hackers; where through simulated exercises, the Red team attacks a system and the Blue team defends the attack.
  • They carry out periodic vulnerability assessments
  • Intrusion detection and prevention system are in place

Both SAIs and public sector institutions should champion hands-on cybersecurity expertise for ICT professionals to detect, prevent and investigate cyber threats.  Penetration Tests without action plans to address vulnerabilities is fruitless. It is therefore critical to track and ensure all actions are indeed implemented.

Article by Chikondi R Pindeni, SAI Malawi

AFROSAI-E has developed several capacity building programmes to support member-SAIs in addressing the challenges of cybersecurity. Among these is the IT Audit Champions Programme, consisting of three modules. For more information, you can contact the AFROSAI-E IT Audit Manager, Fredrick Bobo at