There’s an email in my Yahoo inbox from a man named John. John, who has addressed me as a “dear friend”, wants me to fill out an attached questionnaire because he is “working on a Renewable Energies Project with a foreign based business associate…”
It seems like an honest request. Except John, a stranger to me, hasn’t given any details about himself, his associate or his project. I am cautious because I could be one click away from divulging sensitive information to an unknown and potentially dangerous source.
With our lives gradually converging online, the number of ways for us to become victims of cybercrime is increasing, and individuals, although the most susceptible, aren’t the only targets.
As the Nigerian tech sector continues to expand and internet penetration trudges on, is our cybersecurity infrastructure growing in tandem?
The federal government estimates the annual cost of cybercrime in Nigeria to be about 0.08% of the country’s gross domestic product (GDP), which represents about N127 billion. To put this in context, this sum will cover the 2019 proposed budget by the Enugu State government, with some left over.
Serianu’s Africa Cyber Security Report estimated cybercrime costs to government and private institutions in 2017 to be about N236 trillion. Globally, the cost of cybercrime is estimated to be about $600 billion annually and growing.
Estimated Cost of Cybercrime in Africa, 2017
Source: Africa Cyber Security Report 2017
The nature of malware attacks has evolved over the years into sophisticated and nuanced socially engineered attacks. With artificial intelligence and other emerging unregulated tech terrains, like cryptocurrency and blockchain, there’ll be more complex attacks to worry about.
Unfortunately, Nigerian organisations are still ill-equipped and unprepared to respond to security threats. Findings by Serianu (in its 2017 Nigerian Cybersecurity Report) show that more than 55% of organisations surveyed do not regularly train their staff on cybersecurity, which significantly increased in 2017. The onslaught of the WannaCry ransomware in 2017 affected more than 200,000 computers across 150 countries, including Nigeria.
“What does a hacker have to gain by hacking a Nigerian tech-enabled business or system? Only banks are worth it, and they somehow seem to be able to quench whatever happens before everyone gets to hear,” said Tolu (not his real name), a Lagos-based web developer who’s built voice call solutions as well as worked across fintech and insurtech sectors.
“For the smaller guys, nobody cares,” he added, but if the report is an indication, this might be changing.
Mobile payment platforms and their growing investment profiles are fast turning into targets. At the Techcabal fintech townhall, Tomi Amao, Chief Information Officer of Softcom, the parent company of mobile payments platform Eyowo, expressed surprise at the number of cyber threats their platform had received since its launch in July.
Due to the wealth of data available (card and bank details, sensitive personal information, etc.), hospitality and retail sectors are also increasingly coming under attack. In a detailed blog posted in October 2018, Justin Payne, a cybersecurity expert, disclosed his discovery of an exposed Amazon S3 bucket he believed belonged to Arik Air (or their payment processor) that contained sensitive information from more than 50,000 customers.
In November, Marriott International, owners of Protea and Sheraton Hotels in Lagos, reported a breach of their premium guest database that compromised booking data of about 500 million guests. Names, addresses, account information, gender, dates of birth, and even arrival and departure times were copied and encrypted by the hackers.
The tech sector in Nigeria is growing rapidly. In 2017, Nigerian tech startups secured investments in excess of $100 million and pulled in $73.7 million in Q2 2018. Nigeria now ranks first in internet usage in Africa and eighth globally. Clearly, access points for cyber attacks are increasing. However, in 2017, Nigeria was said to be the second most at-risk of cyber attacks on the continent. This can be traced to three critical cybersecurity gaps in Nigeria: inadequate funding, substandard cyber security skills and a lack of awareness.
On average, organisations in Nigeria spend a maximum of $1,500 annually on cyber security products and personnel. However, according to Serianu’s “Levels of cyber maturity” table, more than 90% of small businesses in Africa are operating below the cyber security poverty line. This means that they do not have the minimum requirements to employ basic cyber security measures in their businesses.
Levels of Cyber Maturity
Source: Africa Cyber Security Report, 2017
Tolu says his company spends ~$200 monthly securing client products, in addition to the monthly salary paid to a developer in charge of security. While a huge budget is rarely a silver bullet in ensuring cybersecurity, having a substantial budget does help make systems more secure.
Sometimes, though, even with funding available, finding qualified personnel to fill cybersecurity roles is problematic. The Serianu report shows that only 1,800 certified personnel are available in the country, which is grossly inadequate to handle Nigeria’s cybersecurity concerns of the future. Also, advanced training opportunities aren’t yet available; only a handful of Nigerian universities currently offer degree courses in cybersecurity. The Federal Universities of Technology in Akure and Minna have degree courses on Cyber Security Science, while the Federal Polytechnic Bida, in Niger State, plans to adopt a cyber security course into its future curriculum.
Awareness about cyber threats and crimes (what constitutes one, how they occur, what one can do when being targeted) is relatively insignificant, and security is often reactive rather than proactive. Organisations only begin to put measures in place after they have been exposed to or been victims of a cyber attack. Take the October Arik Air incident, for instance. It took about a month to get the airline to look into the breach and secure the information. In the Equifax case, the attack was discovered 76 days after it began, and the Marriott SPG hack had been ongoing since 2014.
In addition, cyber security audits are carried out rarely, if at all. Despite existing legislation against cybercrimes, 96% of incidents went unreported in 2017.
Among a long list of things that should and shouldn’t be done, mindfulness about online activities and staying informed are small first steps individuals can take to stay safe online. For organisations, proactive cybersecurity risk assessments are good first steps. In addition to increasing budgets and acquiring the right personnel, there is also the need to intensify training on basic internet security measures for staff members.
Cybersecurity conferences and hackathons, which have become increasingly popular, cannot afford to slow down. It behooves government agencies and private organisations to continue to make them happen and to increase their frequency and scope. Not only do these provide avenues to keep abreast of developments in the cybersecurity sector, but hackathons like Secure Lagos and Cyber Security Challenge also offer avenues to build products, showcase them and encourage skill development amongst cybersecurity engineers.
With cyber attacks now considered the third most serious global threat, the future of our expanding tech ecosystem cannot afford cybersecurity playing catch-up.