This is that time of the season when different economic actors and regulators are in a celebratory mood for a variety of reasons. It is a time when economic actors and regulators recount their major successes and failings in the outgoing year and define their expectations for the New Year.
Unfortunately, cyber-criminals are not left out of this process of stock taking, nor of the associated orgy of celebrations, for obvious reasons. These groups benefit largely from cybercrime, and according to research by Norton a few years ago, the global annual cost of cybercrime is estimated to be significantly higher than the combined global black market for marijuana, cocaine and heroin.
It is trite to assert that cybercrime is one of the biggest sources of threats organisations and governments are likely to face in Nigeria, especially as our dependence on computers increases and as the cashless policy of the Central Bank of Nigeria becomes operational in many more states.
Accordingly, we have reviewed below some of the cyber trends, threats and security measures that are likely to be significant in 2014.
Cybercrime that leverages unsupported software will increase, especially in the north:
Attackers usually find the easiest way to gain access to systems. Unsupported or unpatched systems provide easy access, since such systems have publicly known security flaws that have already been exploited. Windows XP will no longer be supported by Microsoft from April 2014, and software like Java 6 will no longer receive vendor support in 2014.
This means that the vendors will no longer provide security updates or any form of assistance. Given that thousands of PCs and laptops in Nigeria are still running such software, they are likely to become easy prey for attackers. Furthermore, some organisations with branches in the North, especially the North-Eastern region of the country, may experience challenges in performing the usual operating system and antivirus updates on their PCs due to the recent security concerns in this region and, in some cases, the restricted access of their IT teams.
From experience, organisations with centralised IT functions usually record a high failure rate when sending updates over the network to these regions, due to network and bandwidth limitations. PCs with unsupported software in such regions are likely to form the weakest link in a company's network.
One way to stay ahead in 2014 and beyond would be to migrate from unsupported or unpatched systems to updated systems that can provide increased and on-going protection.
Many hackers will migrate from banks to other targets, especially online shops and government portals:
Just like a lion that is defeated in one territory seeks to take control of other, smaller territories to exercise its authority, the constant hardening of the security of banks' e-business platforms (which had been the major focus of attackers) will drive the move to other platforms in the country.
As the cashless society is embraced, with more online shops, e-government and e-business platforms, attackers are likely to focus on low-hanging fruit. Moreover, the recently concluded Deloitte security survey of e-business platforms in Nigeria showed that online shops appear to be the most vulnerable at the moment. They must therefore deploy appropriate counter-measures with professional assistance or capitulate to unremitting cyber-attacks in 2014.
Government and its agencies are likely to experience a major leap in the fight against cybercrime:
The Federal Executive Council in August 2013 approved the content of the Cybercrime Bill and passed it to the National Assembly for enactment into law. The Bill has gone through its second reading and is likely to be passed into law in 2014.
This Bill will hopefully provide a comprehensive framework that will begin a more detailed and strategic conversation on its requirements and what organisations need to do to be compliant. The Bill should also provide more adequate basis for law enforcement agencies to prosecute cybercrime.
In addition, the adoption of the COBIT 5 framework by the National Information Technology Development Agency (NITDA) in December 2013 is expected to help improve the security of our cyber space if it is effectively implemented.
Current authentication mechanisms will be clearly inadequate:
The password-only security model has proved to be highly ineffective, as tools are readily and freely available to crack passwords within minutes, depending on their complexity. As a result, organisations like banks have introduced two-factor authentication, which combines the use of passwords and tokens.
However, this measure still appears inadequate, as attackers are more motivated than ever to circumvent these mechanisms. For instance, the two-step verification mechanism for mobile banking can be bypassed using man-in-the-middle attacks.
In addition, Deloitte's cyber security team recently demonstrated to some of our clients how tokens can be compromised. It is therefore essential that the authentication techniques employed are appropriate to the risks associated with the products and services they protect. It is also advisable to conduct periodic independent security assessments of IT platforms as appropriate.
Mobile devices and BYOD will further complicate the threat landscape:
The bring-your-own-device (BYOD) trend that permits users access to the corporate network using their personal and mobile devices has changed the dynamics of cyber security in the workplace. The rise of BYOD has continued to provide a fertile ground for cyber criminals as many mobile device platforms still lack the security functions that have been addressed in the traditional desktop systems.
Issues such as device configuration management and patching are still being tackled by IT departments, as complete control of these privately owned mobile devices remains a struggle. This leaves employees' devices vulnerable to malware.
Social engineering, especially phishing, will still be around:
While phishing attacks may continue to drop in some other parts of the world, it is likely to increase in Nigeria, at least for the first half of the year.
This is due to the large number of people who are still ignorant of the threat, and to attackers who have devised several means of evading detection, e.g. rendering the target's name as an image rather than as text. Of more concern are phishing attempts directed at specific individuals or organisations; this has been termed "spear phishing".
In regular phishing attempts the e-mail messages can come from any random address, but in spear phishing the messages appear to come from a trusted source, such as an individual within the recipient's own organisation, especially someone in a position of authority. Due to the increasing sophistication of phishing attacks, many organisations are likely to change anti-phishing vendors whose solutions do not address the current trends.
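The two evasion tricks described above (a sender that impersonates someone inside the recipient's organisation, and a body whose text is hidden in an image) can both be screened for at the mail gateway. The following is an added example, not code from the column or from Deloitte; it parses two constructed messages with Python's standard `email` module and flags the spear-phishing traits the text describes. The corporate domain `example-bank.ng`, the staff directory and the sample messages are all assumptions made up for the illustration.

```python
import email
import re
from email.utils import parseaddr

# Assumptions for the example: the organisation's own mail domain and a
# small constructed directory of internal staff (display name -> address).
CORPORATE_DOMAIN = "example-bank.ng"
INTERNAL_STAFF = {"Adewale Okon": "a.okon@example-bank.ng"}


def _domain(addr):
    """Return the lower-cased domain part of an e-mail address, or ''."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Return the first text part of the message as a decoded string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True)
            return payload.decode("utf-8", "replace") if payload else ""
    return ""


def analyse(raw_message):
    """Return a list of spear-phishing indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []

    # 1. A display name matching an internal colleague, but sent from a
    #    domain other than the organisation's own.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    if name in INTERNAL_STAFF and from_domain != CORPORATE_DOMAIN:
        findings.append("internal display name with external sender address")

    # 2. Replies are redirected to a domain different from the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply-to domain differs from sender domain")

    # 3. The body is essentially an image with almost no real text, which
    #    defeats keyword-based filters that only inspect text.
    body = _body_text(msg)
    visible_words = re.sub(r"<[^>]+>", " ", body).split()
    if "<img" in body.lower() and len(visible_words) < 10:
        findings.append("image-only body with negligible text")

    return findings


# Constructed sample messages (not real traffic).
SUSPECT_MAIL = """\
From: Adewale Okon <adewale.okon@example-bank-ng.com>
Reply-To: finance-desk@mail-relay.example
To: staff@example-bank.ng
Subject: Urgent payment approval
Content-Type: text/html; charset=utf-8

<html><body><img src="cid:notice.png"><br><a href="http://example-bank-ng.com/login">Approve</a></body></html>
"""

LEGIT_MAIL = """\
From: Adewale Okon <a.okon@example-bank.ng>
To: staff@example-bank.ng
Subject: Q1 budget meeting
Content-Type: text/plain; charset=utf-8

Hello all, the Q1 budget review is on Thursday at 10am in the boardroom. Please bring your cost centre reports.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MAIL), ("legitimate", LEGIT_MAIL)):
        print(label, "->", analyse(raw) or ["no indicators"])
```

Each indicator on its own is only a heuristic (a genuine colleague may legitimately write from a personal address), so in practice such flags feed a scoring or quarantine decision rather than an outright block, and the internal-staff directory would be pulled from the organisation's own address book rather than hard-coded.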
Businesses will begin to question return on security investment:
With the high cost of cybercrime, CEOs and boards are beginning to pay more attention to cyber security and to view it as an integral part of their business strategy, a matter that was once considered an IT issue.
CEOs whose organisations are still experiencing security breaches despite huge investments in cyber security will begin to question their security spend.
This will particularly affect the banks, as many have adopted a technology-oriented focus that calls for implementing ever more tools and technologies, and they often have the false impression that compliance certifications like ISO 27001 and PCI DSS equate to security.
It is expected that, to drive down cost, businesses will shift their focus from tools alone to gaining better visibility of risks and threats and mitigating the specific risks. Some organisations are also likely to consider outsourcing their security operations centres.
Though the easiest thing to do is to wish all economic actors and regulators a cyber-secure New Year, this will only be possible by increasing the level of vigilance and deploying appropriate counter-measures that build on the successes and failings of the previous year to manage the exposure to risk in 2014.
Nevertheless, I still wish you a cyber-secure New Year!
Tope is a Partner in Akintola Williams Deloitte and he writes from Lagos.