Recent financial scams, especially incidents involving Government financial systems such as the $2.5 million Treasury cyber breach, together with the overall increase in cyber scams, have revived concerns about the need to strengthen cybersecurity infrastructure, technology, and skills.
Cyber crimes can broadly be categorised into two types: cyber-dependent crimes, such as phishing, ransomware, and website compromises, and other types of scams, commonly referred to as cyber-enabled crimes.
The Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) received a total of 12,650 complaints related to cybersecurity incidents and social media misuse in 2025, and 21,743 in 2024, indicating a rise in online fraud and scams compared to previous years. Moreover, reports indicate that the surge in the usage of Artificial Intelligence (AI) will add to this issue.
These incidents raise the question of how Sri Lanka should strengthen its focus on people, processes, and technology, given the vulnerabilities exposed in the cybersecurity ecosystem.
Sri Lanka CERT efforts
Speaking to The Sunday Morning Business on the actions underway, Sri Lanka CERT Lead Information Security Engineer Charuka Damunupola stated that, within the public sector, a specific information and cybersecurity policy for Government organisations was being implemented at present.
He explained that this policy had been developed based on international standards adapted to the Sri Lankan context, adding that it was aimed at protecting the country’s information and cybersecurity ecosystem.
According to Damunupola, cybersecurity efforts should consist of technology, processes, and awareness, with a clear focus on the people involved.
He noted that many of these processes would be evaluated through the policy framework, highlighting that a National Cyber Security Strategy had also been developed for the next five years. The strategy includes an action plan at the national level covering several key areas, including building a competent workforce and improving the capacity building of Government organisations and individuals.
Accordingly, a number of programmes have been planned under the strategy targeting Government entities and employees specifically, including awareness and capacity-building initiatives. Damunupola noted that approximately 10,000 Government officials were expected to be covered under these programmes.
“In addition to Government institutions, we also conduct similar awareness sessions for other segments, such as the education sector. Moreover, a separate Cabinet directive has been issued for critical information infrastructure organisations. There are around 37 such organisations that have been identified, and these are expected to be integrated with the National Cyber Security Operations Centre, which is intended to support the detection and monitoring of cyber threats before they affect systems,” he said.
At present, 12 organisations have already been connected to this system as part of ongoing efforts to strengthen cybersecurity.
Industry calls for improved governance
In response to recent developments in cybercrime, a joint communication was sent to the President by several professional bodies, including the Information Systems Audit and Control Association (ISACA), International Information System Security Certification Consortium (ISC2), Cloud Security Alliance, and Digital Trust Alliance (DTA), calling for the Government to strengthen cybersecurity governance and institutional resilience across the public sector.
The alliance has proposed a structured advisory engagement between Government institutions and professional bodies to identify practical governance and assurance measures. These include establishing a designated Government cybersecurity governance structure, ensuring clear ownership and accountability for recommendations, conducting a structured maturity and gap assessment of current systems, ensuring alignment with recognised frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0, and convening a focused public-sector cybersecurity roundtable.
Speaking to The Sunday Morning Business, ISC2 Colombo Chapter President Roshan Chandraguptha, a cyber and information security professional, highlighted the importance of focusing on a more coordinated strategy.
He explained that incidents of cybersecurity breaches were not merely technical issues, noting that while systems may meet basic technical standards, human error could still lead to vulnerabilities. Thus, he observed that attention must also be given to the people operating these systems, not just the technology itself.
At a broader level, Chandraguptha observed that while different Government departments may have taken steps at varying scales and capacities, there was a need for a more coordinated national strategy. He noted that Sri Lanka CERT played a key role as a Government entity, adding that other organisations and professional bodies could assist by helping to identify qualified professionals and support implementation efforts.
“These observations are based only on publicly available information. However, these incidents are a reminder to review both technological systems and the people managing them, with the aim of improving overall standards and ensuring that systems operate securely without exposing users to scams,” he said.
From a public awareness perspective, Chandraguptha acknowledged that while authorities such as Sri Lanka CERT were making considerable efforts at educating the public, as awareness improved and people became less susceptible to older scam methods, attackers continued to develop new techniques.
“In this context, there is a need for individuals to remain cautious when using digital technologies, including verifying the authenticity of requests for personal information. For instance, individuals may receive calls claiming to be from banks requesting sensitive details, and such information should not be shared without proper verification,” he said.
Chandraguptha added that while commendable awareness efforts by Sri Lanka CERT were ongoing, there was also scope for improved collaboration with professional bodies to strengthen these initiatives. He highlighted that cybersecurity was not the responsibility of a single entity, but a shared responsibility that required the involvement of all stakeholders.
People, processes and technology
Speaking to The Sunday Morning Business, DTA President Lakmal Embuldeniya stated that when examining cybersecurity issues, it was important to clearly distinguish between individual and corporate perspectives as each required a different approach.
He noted that from a corporate standpoint, organisations needed to focus on three key areas – people, processes, and technology.
In relation to the people aspect, Embuldeniya explained that this involved proper training, raising awareness, recruiting the right personnel, and ensuring adherence to governance structures.
On processes, he noted recent financial incidents where multiple layers of approval had been in place, yet failures had still occurred. This raises the question of how a transaction that had passed through numerous approvals could still be misdirected, which points to gaps in internal processes. He noted the need to review organisational policies, including the definition of roles and the importance of proper segregation of duties.
On the technology side, the DTA President explained that while infrastructure, hardware, and software were critical, institutions could not address all issues on their own. He added that many organisations were still operating on outdated or end-of-life infrastructure, which increased vulnerability.
Embuldeniya further stated that, based on publicly available information, financial scams of this nature were usually linked to phishing attacks, where either party involved in a transaction could be compromised, and where communication was intercepted and altered without either party being aware.
“There is an increasing push towards digital transactions, including QR-based payments, and such developments can lead to concerns among users when incidents occur. From an individual perspective, people need to take basic precautions, specifically by verifying and validating any communication related to financial transactions, promotions, or requests for personal information,” he said.
He explained that scammers usually tried to create a sense of urgency to pressure individuals into sharing sensitive information. In such situations, he advised that individuals should take a step back, verify the source, and avoid acting immediately. Embuldeniya also noted that scammers may attempt to prevent individuals from ending calls in order to stop them from verifying information independently.
Embuldeniya further pointed out that many security features were already built into modern smartphones, but users sometimes overrode warnings and proceeded without proper checks. Thus, there is a clear need for individuals to pay attention to such alerts and exercise caution when using digital technology.
He also addressed several key gaps in Sri Lanka’s cybersecurity landscape.
“From a holistic perspective, Sri Lanka lacks a dedicated cybersecurity act or a central regulatory authority, and has limited oversight of identified critical national infrastructure. While certain sectors, such as banking and the financial sectors, are subject to regulatory supervision, many other sectors are not consistently evaluated,” he said.
According to Embuldeniya, Sri Lanka is also faced with a significant skills gap, with a large number of cybersecurity professionals having migrated during the economic crisis. Due to this, both the public and private sectors face shortages in expertise.
In addition, Embuldeniya raised concerns about the presence of unqualified individuals and entities presenting themselves as cybersecurity experts. He attributed this to the absence of proper regulatory and evaluation mechanisms, which allowed such actors to operate without adequate oversight.
Thus, it is evident that addressing these issues will require attention across multiple areas, including regulation, oversight, and capacity building.
Security efforts must match digital expansion
With the increasing use of digital tools across financial transactions and day-to-day activities, ensuring that cybersecurity keeps pace with this growth has become non-negotiable.
Industry expert and former Chairman of the Federation of Information Technology Industry Sri Lanka (FITIS) Indika De Zoysa noted that as more services moved to digital platforms, from large financial transfers to everyday payments carried out via mobile phones, there was a corresponding need to implement an appropriate level of security.
Accordingly, this requires organisations to understand the level of security required and make a conscious effort to implement it using available technologies.
De Zoysa pointed out that, in many cases, gaps remained due to the lack of proper implementation of security measures. While acknowledging that certain initiatives, such as those executed by Sri Lanka CERT and the establishment of Security Operations Centres (SOCs), had been undertaken, he questioned the extent to which these systems were used and whether security measures were consistently enabled.
Moreover, he highlighted that cybersecurity must be considered from both a technology and a people perspective.
“In relation to the people aspect, the importance of training and awareness is immense, and individuals at all levels should understand their organisation’s cyber policies and standards. More importantly, individuals handling sensitive information need to be mindful of issues such as password security and digital interactions.”
De Zoysa’s assessment is that, with the rise of spoofing and email manipulation, users must remain cautious and be adequately trained, while also making use of appropriate technological tools to support security practices.
He further expressed his belief that cybersecurity should not be treated as an afterthought, since once an incident occurred, it could not simply be dismissed as a mistake, as managing such risks was part of organisational responsibility.
On the regulatory front, De Zoysa stated that while Sri Lanka CERT had taken steps in this area and legislative developments had been underway in recent years, there was a need for stronger implementation. He added that the cybersecurity authority was expected to play a more active role once fully operational.
Thus, with more Government services and payments moving online, security must be built into system design and consistently applied, as leaving loopholes in systems creates vulnerabilities.