IT security is a headache for the banking sector in Africa, but more so for smaller regional banks

Cyber-attack, particularly fraud, is one of the biggest threats to small banking institutions, not only in Africa but globally. Large national and international banks have been spending big budgets to steadily improve their security systems and implement multiple layers of sophisticated solutions. As a result, fraudsters are developing more sophisticated methods that require advanced prevention and detection systems. And they are targeting smaller regional banks, which have smaller IT budgets to invest in robust security facilities.

The success of mobile banking has also changed customers' expectations. They now demand more from their banks, irrespective of their size, creating another risk management challenge for smaller banks. Fraud specific to mobile banking is becoming more common as the sector grows. Mobile ad networks, phishing attempts centred on SMS and mobile malware distributed via the app stores are also growing.

Thus, with mobile banking, smaller and regional African banks are faced with a dilemma between convenience, security and profitability. Customers expect quick and hassle-free transactions when using mobile money. To compete, smaller banks have to offer the same convenience to customers, but with only a fraction of the budget that bigger banks have. They end up with only two options: offer simple applications that don't require a complex security wall, or build sophisticated apps and blow their budget if they don't want to compromise security, which in turn can compromise their bottom line.

The lack of local talent in Africa, people who can expertly detect and use the IT solutions available to fight cyberattacks, is also a big challenge. To hire an expert in cyber-crime and IT security, banks have to bring them in from abroad and offer a handsome fee package to keep them.
[h=3]Looking at the bright side[/h]
The picture looks grim for smaller banks, but there is a positive side to every situation. For example, smaller banks don't have big legacy systems to contend with. They can be more flexible and quick to react. And they also have a more integrated core-banking environment.

Smaller banks also have fewer customers than bigger banks, allowing them to have a closer relationship with their clients. And this is a big advantage. As they know their clients better, they know their clients' normal behaviour. Therefore, they are able to spot unusual activities. Additionally, with fewer customers than big banks, they also have fewer people to educate. Smaller banks only need a smaller budget for customer education.

[h=3]How smaller banks meet the challenges head-on[/h]
The key to managing IT security, for small banks, is to take an all-inclusive view of all customer relationships, from opening the account through to account administration. Screening new customers is vital to preventing account fraud and detecting illegal accounts opened as mule accounts to receive money from fraudulent transactions.

Sanctions and PEP screening are required to comply with money laundering law. This should be done regularly, and if it's done manually, smaller banks can end up incurring significant cost in personnel time. Manual screening is also inefficient and can increase false matches. Investing in a reliable Sanctions and PEP screening solution can save banks money and time, and there are a number of solutions available in the market. However, choosing the right solution for the bank can be as challenging as the threat it promises to overcome. And investing in the wrong solution is an expensive mistake.

Due diligence in choosing a core banking solution is key in managing IT security risks. Prior to choosing an IT solution, the bank should understand its priorities and its clients' profile and needs.
When considering their choices, smaller banks must look not only at present challenges but also at future ones that may arise. Realistically, banks should use solutions that can easily be upgraded and that come from suppliers that can guarantee solid technical support, both off-site and on-site, without incurring further charges.

Additionally, banks must also be aware of the vulnerabilities of the core banking solution that they are investing in. It would be foolhardy to believe a sales pitch that the product on offer is perfect. No software program is invincible. Being aware of the product's weakness means that it will not come as a surprise and that safeguards are put in place to prevent that weakness from jeopardising the bank's IT security.

Constant account behaviour monitoring also plays a significant role in IT security risk management. With regular monitoring, banks can see untoward transactions on an account and detect account mules and account hacking.

Finally, smaller banks should not underestimate the power of customer education. Educating customers serves a two-fold purpose. It manages risk and builds the bank's brand and customer trust. By continually communicating with customers, smaller banks are increasing their customers' brand recognition and also showing customers their commitment to safeguarding their accounts. Additionally, educated customers are less likely to expose their banks to security threats through negligence.