• Friday, April 26, 2024

BusinessDay

Weakest link in cybersecurity chain is people, here’s what SMEs can do


At the recent Franco Nigerian Chamber of Commerce and Industry (FNCCI) virtual conference on cybersecurity and process automation in today’s business environment, experts revealed how small businesses can protect themselves against cybersecurity threats within and outside the business, writes ISAAC ANYAOGU.

 

With over 3 billion users connected globally, the internet has brought the world together, enabling instant communication, remote work, and business facilitation.

“It has also come embedded with a multitude of vulnerabilities which pose a significant security threat to users and has led to the emergence of a cybersecurity threat,” said Moses Umoru, the director-general of the FNCCI, during a recent webinar held May 19.


In Nigeria, it is estimated that the annual financial loss due to cybersecurity breaches was N250 billion in 2017, N280 billion in 2018, N288 billion in 2019 and, in 2020, it increased to over N1 trillion in damages.

What is even more disconcerting is that experts say that 95 percent of security threats are not reported. So if the reported figures are this huge, it indicates how much of a threat cybersecurity presents to businesses, to profits and to operations, Umoru said.

It is getting even more dangerous: as the coronavirus pandemic has shifted many businesses online, with remote working becoming a common trend, the threat of malicious intrusion into the networks of businesses is coming closer to home.

This is why taking control of the human element, which constitutes the weakest link in the security chain, is vital, analysts at the virtual conference said.

Funmilola Odumuboni, senior manager, risk advisory at Deloitte and Touche, said in her presentation that cybersecurity encompasses three main things: confidentiality, integrity, and availability, all factors vulnerable to human error.

Confidentiality implies that customers’ records, phone numbers, account balances, and other sensitive information do not get into the wrong hands.

Integrity entails an ability to prevent someone from manipulating a customer’s information. It is the correctness of the information a business is processing and relying on to make decisions.

Availability speaks to systems and processes not failing, being available so as to prevent an outage because the business cannot render a service. These are the pain points for businesses when cybersecurity is compromised.

 

Threat landscape

With many businesses going online, the threat landscape in Nigeria is evolving. COVID-19 has forced many businesses online faster than they normally would have gone. Many, struggling to deal with the impact of the virus, are not making the right investments to protect themselves online, making them vulnerable to new threats.

“If your business needs to grow, you need technology. Now we have remote working, remote customers, so you cannot afford to do business without leveraging technology, but also the risks increase,” said Odumuboni.

This has led to the proliferation of bad actors in cyberspace. “Some people go into cybercrime as a business and they are looking for low-hanging fruit like small businesses to attack, and there has been a phenomenal increase in attacks on them. Many have shifted to remote work without the facilities to harden their systems,” said Odumuboni.

The threat landscape includes hacktivists who, in the name of a social cause, hack into systems of public and private institutions. During the #EndSARS protests in Nigeria last year, some hacktivists hacked into the website of the Nigerian police.

Nation-states are investing in cybersecurity both from a defensive and offensive standpoint.

Malicious insiders, according to some experts, constitute over 80 percent of attacks. These are people to whom a business has given some level of access to its network and who want to cause harm.

Threats can also come from rogue suppliers and even competitors.

These bad actors are after sensitive data including corporate information, board reports, financial information, and investor confidential details.

Some cybercriminals also seek to commit financial fraud such as wire transfers and payments. Some seek to disrupt a business or threaten the health and safety of a community.

According to Odumuboni, business email compromise has become rife. This is where attackers take over an email communication between two organisations for financial gain.

Odumuboni explains that in this situation, one company is talking to another about a financial transaction; cybercriminals intercept that communication and change the account details.

The parties, oblivious to this intrusion, continue their interaction, and when one party pays, it pays into the attacker’s account instead of the correct organisation’s account.

This is becoming rampant now because a lot of organisations are using cloud-based systems for their emails and other processes, many on shared cloud services.

 

Tactics

Obukohwo Obukonise, senior systems and cybersecurity engineer at Schneider Electric, said in his presentation that there are many hacking tools available online and most do not require a special skill set.

One common method used in cybercrime is phishing, in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data.

Ransomware is another method: a type of malicious software designed to block access to a computer system until a ransom is paid.

There are also cloud data breaches, incidents that have the potential to disclose sensitive information to an unauthorized party.

Another common attack is a denial-of-service attack (DoS attack), in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

Zero-day attacks target a computer-software vulnerability unknown to those who should be interested in its mitigation; until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers, or a network.

Malware, short for malicious software, consists of code developed by cyber attackers, designed to cause extensive damage to data and systems or to gain unauthorized access to a network.

There has been an exponential increase in the creation of malware. Experts estimate that in the last seven years malware has grown from 470 million created in 2015 to over 1.2 trillion on the internet today.

Other forms of attacks include negative social media coverage and impersonation, supply chain attacks, and stolen credentials.

Many companies, even if they have smart cybersecurity systems, are still susceptible to attacks due to third-party compromise.

Businesses have relationships with other organisations and share information with them; sometimes their network is even extended to those organisations because of the kind of business they do. If their partners are not implementing the same security procedures, those partners could become the weak link.

 

Develop a strategy

In many organisations, cybersecurity threats are considered at the board level, highlighting how important they have become to the well-being of a business.

Odumuboni said that organisations need to have a strategy. “It’s great to have firewalls, but you need a strategy, based on what my organisation does, this is how I will protect my business.”

She further recommended that business owners be aware of the cybersecurity threat landscape, routinely assess their networks for vulnerabilities, maintain visibility across the system to detect threats before they fester, and develop capabilities to respond quickly to attacks.

Babatunde Abagun, channel manager, West, East, and Central Africa at Nutanix, said research has shown that defensive capabilities of businesses such as antimalware are being eroded by machine learning and artificial intelligence employed by cybercriminals.

One organisation in the UK that was recently scammed of over $230,000 in phishing attacks approved payment based on voice approval from the CEO. It turned out that AI software had mimicked the voice of the CEO.

Abagun said businesses should protect their people from themselves. “If you have a child, you will child-proof the house, similarly you need to security-proof your infrastructure not just for threats available now but for those that will come in the future,” said Abagun.

One way to do this is to establish technologies that automate certain processes. Concepts like least privilege, which means giving every individual the minimum amount of capability they require to perform their job function, were highly recommended.

A few years ago, the Twitter account of former US President Donald Trump was briefly deactivated by a disgruntled Twitter staff member on his last day on the job. This could be prevented with least privilege.

The experts also recommend maintaining a zero-trust security process, limiting devices that could be intrusive, effectively training personnel, and writing adequate cybersecurity policies for the business.