Your core banking system is not your biggest risk. Your tellers are.
The wheelbarrow mentality is a condition where staff wait to be pushed to do what they are already paid to do. In banking, this mentality is lethal. A teller who logs into the core system with one hand, while texting a cousin on mobile money with the other, is not just inefficient; he is your greatest cyber liability.
CEOs love to boast about multimillion-dollar core banking upgrades. “We bought the latest system,” they say, as if code could cure culture. It cannot. A teller with a smartphone can reroute millions faster than your IT firewall can blink. Hackers don’t need to break through your perimeter when the insiders open the gates daily.
Every fraud story I have investigated begins the same way: with misplaced trust in “loyal” staff. The weak passwords written on sticky notes. The workstation left unlocked for tea. The supervisor who signs off without verifying. Banks do not lose billions through Russian hackers; they lose them through inattentive, underpaid, or compromised insiders.
It’s a paradox. The more technology you deploy, the more human discipline you require. Yet most boards spend 90% of their budgets on systems, and less than 5% on building a security-aware culture. That is like buying a bulletproof car but hiring a reckless driver.
“Cybersecurity is not about technology. It is about trust. And trust, once broken, is uninsurable.”
If you are a CEO, your greatest cyber risk does not sit in Moscow or Lagos. It sits in your banking hall, smiling, stamping, and waiting for a chance to strike.
Audit culture as aggressively as you audit systems. Train, monitor, and enforce discipline daily. Technology is only as strong as the teller who uses it. Stay safe.
Most leaders talk about cyber as if it were an IT line item. That is why they lose. Hackers don’t attack firewalls; they exploit governance gaps. The weakest control is often not the system; it is the boardroom silence. To win, directors need a simple but ruthless tool that cuts through jargon and exposes blind spots. Enter the Cyber Risk Radar™: a one-page governance weapon that forces the right questions, demands evidence, and shows instantly whether your organization is drifting toward breach or building resilience.
This is not a checklist for IT. It is a mirror for the board.
Table 1: The board’s Cyber Risk Radar
| Dimension | Board question to ask | Evidence required | What “weak” looks like | What “strong” looks like | Board action |
| --- | --- | --- | --- | --- | --- |
| 1. Insider threat exposure | If a teller left their desk unlocked, how much could we lose before detection? | Data on maximum exposure per workstation, incident logs | No monitoring; staff share logins; no transaction caps | Real-time monitoring; auto-logouts; transaction caps per user | Demand simulation results; insist on quarterly insider threat testing |
| 2. Cyber red flag dashboard | Do we have a one-page quarterly dashboard? | Dashboard showing logins, insider breaches, near-misses, and financial exposure | IT jargon slides, no metrics linked to money | Clear numbers tied to financial risk and trends | Require dashboard as a standing board pack item |
| 3. Executive accountability | Whose bonus is reduced if we suffer a breach? | HR policy linking EXCO pay to cyber incidents | “Cyber is IT’s problem.” | CRO, CIO, and COO have performance-linked accountability | Direct RemCo to tie pay to cyber outcomes |
| 4. Business continuity drill | What happens if the system goes down for 1 hour? | Documented BCP/DRP test results, staff performance logs | Panic; no plan; reliance on IT improvisation | Blackout drill executed; operations continue via backups/manual fallback | Order an annual “blackout drill” with the board observing the results |
| 5. Board cyber maturity score | How do we rate ourselves: ignorant, informed, or intelligent? | Independent maturity assessment, board training records | Board waits for IT updates; no training | Board challenges assumptions, links cyber to strategy, demands controls | Schedule quarterly board self-assessment and annual cyber training |
How to use this table in practice
- Insert it into every quarterly board pack.
- Score yourselves honestly on each dimension (1 = weak, 5 = strong).
- Track movement quarter by quarter. If you’re not moving up, you’re drifting into irrelevance.
“Cybersecurity is not a technical war. It is a governance war. And boards lose by silence.” Mr Strategy.
Copyright IFIS 2025. All rights reserved.