Cyber attacks is becoming rampant, forcing many organisations and governments to take steps to upgrade their cyber security strategies. Peter Ejiofor, founder of Ethnos IT Solutions, a cyber security firm, is concerned that the Nigerian government is lagging behind other nations and compromising itself by not taking cyber security serious. In this interview with FRANK ELEANYA, he outlined some of the steps that needs to be taking for secure people’s information.
How do we address rising cyber attacks, particularly with the efforts by CBN to go cashless?
We can look at it from different perspectives. Cyber threat is real and growing. It is proven that massive losses and damages can be accomplished through cyber attacks. In Nigeria, we do not have effective statistics of breaches and value of damages incurred. But recently the senate said about N170 billion was lost to cyber crime. What the CBN simply did was to compute fraud that happened in the banking industry and attach it to cyber crime. But if we look at how much is stolen in the cyber space, like the financial value in terms of cash, cost of data that is stolen and sold. As we speak any of us can have their credit card information in the dark web. We may not have witnessed withdrawals because they have not used them. They could be on sale. People are buying credit card information and trying to profile them. Government secrets that are stolen are not accounted for. From time to time I hear that some reports are leaked to the public, if we compute the cost of the damage to the image of the people involved, somebody must have cashed in. We don’t have all of that computed for us. There are intellectual property rights that could be stolen. Who gives us the cost of that?
But N127 billion is large and we can start from there. But cyber crime is real and it is right here. People in Nigeria can commit cyber crime that may have effect in America; people in America could also commit cyber crime that may have effect in Nigeria. Cyber crime is like a global village. You cannot tie everything to Nigeria. It is impossible to stop cyber criminals. Google, U.S. government, British Stock Exchange, have all been hacked. Basically anybody can be hacked.
Singapore recently made some announcements on investment in cyber security and data analytics because they are hoping that with better data they can ensure cyber security. Do you think we can borrow from some of these strategies when it comes to cyber security?
We do need data because it is through data that you can determine all of these factors. So if we have effective data collation system, we capture the activities and present a more accurate data that we can work with. Here in Ethnos we are making investments in data that enables us determine threat traffic. We can start from there. We are developing a scanning tool that we can deploy for people to scan their infrastructure or their enterprise. With the scanning tools we are able to see how much threat that comes into the business environment. We can do further analysis to determine what could have been the potential costs. We are also developing capability to monitor things within the company.
Are you satisfied with the response of the government to cyber security in Nigeria?
I’m not satisfied with how much government is committing to security protection in the cyber space. It requires commitment and a bit of sincerity in what you want to do. If you want to do something you have to make up your mind to do the real thing, not just do what everybody is doing. That feeds into the commitment to implement what has been said. Government needs to start from their own house by defining security policies. You do not have to cut and paste, you can define what you think is achievable and measureable and you can upscale it with time. That security policy becomes the minimum standard that can be implemented across board. For instance, we have seen massive threat of emails in Nigeria, same thing globally. In fact it is said that attacks that happens today about 70 percent result from email. Through the email the infrastructure can easily be compromised. We can send you a phishing email and you will not have an idea that it is a phishing email and once you activate it you are compromised. A few years ago, I spoke to a bank in this country and I said, “Your website has a phishing mail and we can see it.” The bank said I was using a threat mechanism to get their attention. I told them I was not trying to get their attention but that the threat is real, they should go and check it. It took them about four months to take down the threat on their URL. What that meant was that anybody that browsed through that URL, the hackers have the capability to filter their information and if they are not effectively encrypted, it will be seen in clear text. It can be transmitted to a command and control centre where they can do further analysis and do what they want to do.
What’s the level of insiders’ involvement in the attacks?
There is a possibility of insider involvement, but we do not have evidence. There is also possibility of a compromise that an insider did not play a role in, but it is the inability of the institution to protect their infrastructure. Some cyber criminals have tools that they use in constantly scanning the network – the cyber space. If they find something that is open, they could follow that traffic and see where it is going. When they get to the destination and find information that is useful to them, they can sit there and start analysing the information.
For instance when a hacker comes into your system, it could take up to 100 and 150 days before you realise that they are there. That is amount of time it could take them to cause damage. The hacker does not immediately come in today and cause damage. When he comes in, he has to understand what you do, your environment, and decide what he can do and where he can take it to. All these take a bit of time. Do not forget, you as a company is making efforts to protect your environment, but it could be one or two days error that leaves you exposed. Equifax was a few days of error or a server that was not batched. Even though they had to repair it later, the damage was a already done before they could repair it. So it takes a bit of time.
All over the world, because the government have the authority, it drives every development in any area. Today there is a local regulatory standard in South Africa that they develop where they can borrow ISO, global standards to create local standards to protect their citizens’ information. They said if anyone must trade with smart cards – either receive or store credit card information – you must comply with the standard. Standards drive protection. But if you do not tell them what to do, they will only be looking at the business objectives, how do they make profits. So government should come up with Nigerian domain policies as the minimum standards. The policies can be improved over time. The minimum standard will start from the government. For instance, the government can mandate that everybody must have biannual security awareness training. We can conduct simulated cyber attack. We do that in Ethnos. Once members of staff fall prey to the attacks we sent, they are immediately referred to training.
From your experience, what is the response of companies in Nigeria with regard to cyber security?
I have worked within the financial services industry mostly, so I can tell you that they are lagging behind in cyber security integration. I cannot tell you the response from the board level, because the trend is that security is driven from the board level. Every company should have security objectives imbedded in their annual strategy. That is why the security decision should be made from the board, the same way they approve budget. Security protection should be part of the budget.
The practice however is gaining ground in the banking sector industry. I have not worked with the oil and gas companies and others. For the banks it could be because the Central Bank of Nigeria is taking it very serious, if you do not meet a certain standard there are penalty. A good number of Nigerian banks are committed to cyber security. They have various layers of monitoring and certifying their traffic for accuracy and protection of customer information to a reasonable level.
Notwithstanding, the merchants whose services some of the banks depend to thrive, are not measuring up. This is obvious because the banks who are suppose to take responsibility for the merchants are not doing so. The CBN however have stepped in and want to get a good grasp of the banks’ commitment before they can move to the next service. The insurance industry is rated as serious as the banking industry because they are more concerned not necessarily in profits but the identity of the customers. Data is priced higher than drugs. The efforts are geared towards protecting data. However other industries that hold data may be doing anything with them but the absence of regulation means people cannot do anything about them. You cannot sue anybody when they misuse your information. But it is not the same elsewhere.
What is your view about cyber insurance in Nigeria?
We are not too young to think about cyber insurance, it’s a new trend that is coming up globally. It is also being debated around the world. We are not too young for it but whether we can underwrite it and value it is what is in doubt.
How far of a threat are we facing going towards 2019, do you see something happening in form of cyber activity to influence maybe?
Yes! I’m very positive that social media platform would greatly influence voters’ direction in the coming election. The only thing that will change that is if the politicians are able to rig the election the way they usually do. Besides social media has seen massive influence on our actions and opinions on different subject. If somebody decides to put information that is damaging to a potential candidate we can’t verify it, so social media would influence. In terms of real election, if we really vote that would have live action. What social media has done, once you like information and share it, it goes further. Generally social media influences action, there may not be a deliberate strategic cyber collision to either change the result of the election but there may be cyber influence.
Are there strategies that can mitigate the effect of cyber security from social media platforms?
A company processes information on a daily basis. A lot of social media negative attacks are not targeted at destroying companies, they are mostly complaints. On twitter, organizations can solve problems quickly, the negative impact on social media can also be used to solve problem. Through social media many organizations have improved their businesses.
Small businesses often think of big money when cyber security is mentioned. Is the cost really that high?
Attacks have come down from the bigger companies to the smaller companies because bigger companies protect themselves and smaller companies are left out. Attacks come into smaller companies, because the smaller companies feed into bigger companies. Smaller companies think its expensive to protect themselves. To back up your data isn’t expensive; it’s about $200 to $300 a year. They think it’s expensive because they’ve not asked.
How long does it take to integrate a cyber security solution?
Cyber security solution is a process. If we deploy a privilege access solution for a bank it may take two weeks, but if it is a smaller company it may take 1 week. If we are deploying a stimulated attack, we can do the configuration in 1 week and start the implementation next week. it depends on the size of the customer. There’s no end to end cyber security solution.
What is the attraction in this business?
The scope of the work keeps expanding, various companies are into security. We are facing security revolution, every complication on networking would have to feed into security, everything needs to be protected. Recently, there was a report we were reviewing on an aircraft that crashed, it was revealed the security of the aircraft was compromised because the computer gave a wrong reading.