Perspectives on Cybersecurity: Risks, prevention, and legal remedies in the face of rising cyber threats

Introduction

Someone falls victim to a cyberattack roughly once every 11 seconds. A 2023 annual data breach report by Identity Theft Resource Center (ITRC) shows that there were 2,365 data breaches in the United States from cyberattacks involving 343,338,964 victims. In Nigeria, the National Communications Commission (NCC) reported that the country loses $500 million annually to various forms of cybercrime. Additionally, a Global Threat Index for July 2024 by Check Point Software Technologies ranked Nigeria 19th out of 112 countries facing an increase in cyberattacks. Cyberattacks are launched on both individuals and organizations. Former Cisco CEO John Chambers once said, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.” This disturbing global threat has been estimated to cost the world economy USD 10.5 trillion per year by 2025.

In commemoration of Cybersecurity Awareness Month, this article aims to educate readers on some of the potential risks that arise from not implementing effective cybersecurity measures; the forms of cyberattack; how to prevent a cyberattack; and legal remedies for cybercrimes.

According to Cisco, cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users through ransomware; or interrupting normal business processes.

A cyberattack is any intentional effort to steal, expose, alter, disable, or destroy data, applications, or other assets through unauthorized access to a network, computer system or digital device. Cyberattacks result in gains for the attacker and loss for the victim which includes data breaches, loss of sensitive data, financial loss, reputational damage, operational downtime for organizations, and even legal action. Cybervergent’s H1 2024 report revealed over 586,000 cyber attacks on Nigerian financial organisations, with 226,103 resolved. Some of the threat actors that targeted Nigeria in the first half of 2024 include Gelsemium, Equation Group, Lyceum, Gamaredon, Circus Spider, Mirage, Common Raven, Bronze Highland, Earth Krahang, as well as Insider Threat Syndrome. Gelsemium is a sophisticated cyber espionage group known for its targeted attacks on high profile organisations across various sectors.

Cyberattacks can take on several forms. Some are addressed below:

First is malware which is a malicious software that disrupts, damages, or steals information once it gains unauthorized access to a system. Malware may infiltrate a device through various means, such as clicking on a suspicious link in an email, downloading an infected application or software, connecting an infected USB drive, visiting a malware-laden website, exploiting vulnerabilities within the device’s operating system, or accessing unsecured networks. Once malware gets into a device, it can steal sensitive information such as passwords, phone contacts, bank account information, and health information. Malware can manifest as viruses, ransomware (malicious software that demands payment before granting access to information), spyware (malicious software that secretly monitors and collects user information), amongst others.

Second is social engineering which refers to psychological manipulation used in tricking individuals into divulging confidential information or performing actions that compromise their security. A cyber attacker using social engineering might pose as a trusted organization, the targeted individual’s bank, or a friend in order to lure the target into taking certain actions or divulging sensitive information. For instance, a cyber attacker may send a sophisticated and unsuspicious email posing as an individual’s bank asking them to verify their account details. This is also known as phishing. In another form, a cyber attacker may gather information about an individual’s interests, preferences and contacts in order to pose as someone the target knows or trusts. The cyber attacker will then send a message requiring urgency, pressuring the target to act quickly without questioning the request. This request may include asking for sensitive information, such as passwords or personal details, often framed as necessary for a legitimate reason. This is known as pre-texting. Other forms of social engineering attacks include voice phishing, baiting, and quid pro quo which are all aimed at manipulating individuals into divulging sensitive information or taking actions that compromise their security, often by exploiting trust.

Third is denial-of-service (DoS) attacks which involve an attacker attempting to block legitimate access to a server, network, or website by overwhelming it with excessive requests, resulting in slowed performance or system crashes. By preventing authorized users from accessing services, such attacks lead to disruptions, including downtime, revenue loss, increased data vulnerability, and potential reputational damage.

Fourth is man-in-the-middle attacks. This is also known as eavesdropping attacks. The terms “man-in-the-middle (MITM)” attacks and “on-path-attacks” are often used interchangeably but they are not the same. In “on-the-path attacks”, the hacker is already on the path of both the sender and the receiver, or the victim and the destination, and in a position to naturally intercept the data without diverting it from the intended route. This is unlike MITM attacks where the attacker need not be on the direct communication pathway between the victim and the destination. In MITM attacks, the attacker secretly intercepts and relays communications between two parties without their knowledge, potentially altering or stealing the information being exchanged. MITM attacks may happen over unsecured public Wi-Fi where the attacker inserts himself between the targeted individual (connected to the Wi-Fi-) and the public network. In this way, the target passes information through the attacker without knowing. Another way this attack may occur is where malware gains entry into a device, and upon entry, the attacker inserts a software to process all of the victim’s information. Some of the techniques of MITM include session hijacking, ARP (Address Resolution Protocol) spoofing which is an established mode for computers on a local network to find out each other’s physical (MAC) address, DNS (Domain Name System) spoofing, SSL/TLS hijacking, HTTP/HTTPS spoofing, credential sniffing, and email hijacking.

How to prevent a Cyberattack

In the face of increasing sophisticated cyberattacks, cybersecurity remains a critical priority point for individuals and organizations. The following are several measures to maintain cybersecurity:

• Refrain from clicking on suspicious links. If an email appears dubious, carefully verify its authenticity before interacting with any links it contains. Additionally, avoid opening attachments or clicking on links in emails from unfamiliar senders.
• Exercise caution when visiting websites and downloading files.
• Install anti-virus software on your systems and regularly update same. This will help block infected sites from opening or being downloaded on your system.
• Utilize strong passwords for your accounts. A strong password contains an uppercase character, a lowercase character, a unique character, numbers, is at least 8 digits. An example of what a strong password should look like is She@90’sGame. Avoid using obvious passwords such as name or date of birth. Additionally, refrain from using the same password across multiple accounts. While it may be challenging to remember all passwords, a password manager can be utilized to streamline the management of online accounts.
• Organizations should consistently provide cybersecurity training to their staff to ensure a unified understanding of a secure digital environment and equip employees with the knowledge to prevent cyberattacks. A single vulnerable link within the team can compromise the entire system.

Regularly backup your data.

Use multi-factor authentication as an additional layer of security. This can be used on your social media accounts or systems.

Avoid connecting your device to public Wi-Fi networks. If it is necessary, ensure you use a VPN for added security. Additionally, refrain from accessing sensitive personal information while using these networks.

Organizations should ensure that their website and network infrastructure are up-to-date with the latest security patches to guard against attacks like denial-of-service attacks.

Remedies under our laws against Cybercrimes

Nigeria has a substantive legislation against cybercrimes which was enacted in 2015. It is the Cybercrimes (Prohibition, Prevention, Etc) Act, 2015. Part of the Act’s objectives is to promote cyber security and the protection of computer systems and networks, electronic communications, data and computer programs, intellectual property and privacy rights.

The Act criminalizes unlawful access to a computer, fraudulent system interference, unlawful interception of electronic messages, tampering with critical infrastructure, willful misdirection of electronic messages, unauthorized modification of computer systems, identity theft and impersonation, amongst others. Penalties for these offences includes fines of up to N10,000,000 and imprisonments of up to 7 years.

However, prosecution of these crimes is only possible where the criminal can be identified. Many cyber-attacks are carried out without identified human involvement. For instance, an individual’s cybersecurity may be breached upon downloading an infected software, clicking on a malicious link or connecting to an unsecured public Wi-Fi. Therefore, in the face of advanced cyberthreats, individuals and organizations have to take proactive steps to stay safe online and protect their data.

Conclusion

Personally identifiable information, financial details, passwords, location data, and intellectual property are essential elements of identity that must be protected. These types of personal information are prime targets for cyber attackers, who actively seek to exploit vulnerabilities for their gain. To preserve identity, security, and integrity in the digital space, robust cybersecurity measures must be implemented by both individuals and organizations.

CONTRIBUTORS

Tilewa Oyefeso – Partner ([email protected])

Emaediong Lawrence – Associate ([email protected])

DISCLAIMER

This article is for informational purposes only and does not constitute legal advice or establish a lawyer-client relationship. For specific legal advice, please consult a qualified legal professional.