Organisations in Nigeria suffer more cyberattacks than those in any other country in Africa. But these attacks go unreported despite a mandatory regulation for disclosure.
On July 17, Twitter suffered an embarrassing cyberattack. Hackers broke into a number of verified accounts of popular individuals like Bill Gates, Jeff Bezos and Elon Musk, sending out tweets offering to send $2,000 worth for every $1,000 sent to an anonymous bitcoin wallet. During the short period the wallet link was shared, over $100,000 in donations were made.
According to the New York Times, the hackers got access to Twitter’s Slack channel, gaining access to account credentials shared on the organisation’s channels. The attack was disclosed immediately and Twitter continued to provide updates on the situation.
Twitter’s Jack Dorsey called it a “tough day”. “We all feel terrible this happened,” he wrote in a tweet.
Twitter’s attack is a harsh reminder that cyberattacks are a huge problem and threats are on the increase. But it helps that companies are willing to disclose these attacks and help tackle them.
This is not the case in Nigeria.
Cyberattacks in Nigeria
In the West African country, cyberattacks are rarely disclosed, giving an impression of safety. But in reality, Nigeria suffers some of the worst cyberattacks on the African continent.
According to a report by Sophos, a UK-based cybersecurity company, 86% of Nigerian organisations surveyed said they suffered cyberattacks in the last 12 months, the second-highest after India.
Importantly, the country ranked in the top five for major attacks including malware attacks, ransomware, stolen account credentials and crypto-jacking. 64% of cyberattacks in Nigeria exploited misconfigurations on the organisation’s server.
Nigerian organisations suffered more data leaks than those in any other country surveyed in the report. 57% of Nigerian organisations said their public cloud data was exposed in the last year. Meanwhile, 46% of Nigerian organisations said their account credentials, the method hackers used to attack Twitter, were stolen in the last 12 months.
While Sophos captured these types of attacks, other attacks such as brute force, email compromises and WhatsApp account hijacking, among many others, are also real threats.
These are scary threats with increasing threat levels as internet adoption increases, including growing digitization of enterprise activities like manufacturing and payroll. And with the pandemic forcing more workers in the services industry to work from home, the attack surface for cyberattacks has widened, putting more IT systems at risk.
On the one hand, Nigeria is not a high-value target for cyberattacks, at least not on the scale seen abroad. The relatively low value of the Nigerian currency has also forced more local threat actors to double down on international scams such as dating scams and business email compromise schemes. In the last half of 2019, international anti-fraud efforts led to the arrest of over 100 Nigerian scammers and the disruption of over $100 million in fraudulent transactions.
Yet in Nigeria, the culture of secrecy is strong and makes it difficult to know when domestic breaches happen. Organisations are less willing to disclose when and if these attacks happen.
In August 2019, Business Day reported that the Nigerian Yellow Card website was leaking data. The website housed sensitive health information for Nigerian air travellers who have been vaccinated against yellow fever. The government did not respond to the report.
In another incident in 2018, customer data for Arik Air, a Nigerian travel company, was found unsecured in an Amazon S3 bucket in the cloud. The unsecured link held three months of customer data and was discovered on September 6. But it took 18 days for the company to acknowledge the leak after it was exposed. The data was secured after September 24 but Arik did not issue any statement regarding this development.
Why attacks in Nigeria go unreported
Speaking to TechCabal, cybersecurity expert Eyitemi Egbejule explains that Nigerian organisations have trust and cultural problems when it comes to disclosing cyberattacks.
Egbejule, who has over 10 years' experience in cybersecurity, says: “We Nigerians have trust issues.” “There are security researchers who would find critical vulnerabilities or get access to company data and want to responsibly disclose it, but some organisations have not fully gotten the importance of crowdsourcing reporting.”
When researchers discover such leaks, rather than address the exploits, some companies choose to intimidate the source and accuse them of malicious intent.
“I have seen cases where people have been arrested or had lawsuits against them for things [vulnerabilities] they’ve found on companies,” Egbejule explains.
Disclosing attacks is good practice, he said, but many companies choose not to do so.
“[Some companies] may not want to go on-the-record about it because it could affect their investments, affect how customers perceive them, how people perceive the company going forward,” Egbejule shared.
He added that in some other cases, if the breach was not high impact or critical, companies may not want to talk about it.
Yet, disclosing attacks and having a solid response when other security experts identify exploits are important cybersecurity practices. Nigerian cybersecurity law also makes this mandatory.
The Nigerian Cybercrime Act was signed into law in May 2015. It is the country’s first legislation covering cybersecurity. Its enforcement is the shared responsibility of the Attorney-General of the Federation and the National Security Adviser.
The Act created a National Computer Emergency Response Team (CERT) to manage cyberattacks. Section 21 of the Act mandates individuals and organisations to report cyberattacks when they happen:
Any person or institution, who operates a computer system or a network, whether public or private, must immediately inform the National Computer Emergency Response Team (CERT) Coordination Center of any attacks, intrusions and other disruptions liable to hinder the functioning of another computer system or network so that the National CERT can take the necessary measures to tackle the issues.
But enforcement has been a problem. “We are still looking forward to seeing the implementation of these laws across organisations that have encountered security breaches,” Egbejule told TechCabal. “Because there is no serious enforcement of these laws, people do not feel the need to report these incidents.”
There is a systemic benefit to reporting cyberattacks when they happen. It helps organisations understand new vulnerabilities that could be a threat to their systems in the future. Disclosures also offer a moment of introspection, causing organisations to review their security practices and tighten their system against known exploits.
“That’s one of the reasons why people are mandated to report,” Egbejule shared, “so that there is a database of known breaches, how it happened and it helps to build security going forward.”
But few organisations are on board with this practice and it is unclear if the government enlightens organisations on the benefits of disclosure.
One challenge is that many organisations treat security as an afterthought, Egbejule said. They adopt basic security practices but rarely have a team handling this critical part of their systems.
This low prioritization of security is more prevalent among newer companies. Older companies, like financial services providers, have more robust security departments, said Ezra Olubi, CTO at Paystack. Years of regulatory obligations and standards compliance have allowed these older companies to develop mature teams to handle their security needs.
Newer companies tend to move fast, focusing on building out their core business needs without maintaining a dedicated or full-time cybersecurity role.
As tech adoption increases in Nigeria, this trend will have to change.