An organisation is only as strong as its weakest link. Cybersecurity concerns in Nigeria are growing in direct proportion to Nigeria’s technological advancement. The National Identity Management Commission recently announced it is investigating suspected data breaches resulting from what may have been a cybersecurity incident relating to a subcontractor. Cybersecurity threats could not possibly come closer home. The National Identity Management Commission is charged with collecting detailed personal information about every Nigerian at home and abroad and issuing national identification numbers to us all. A data breach of this magnitude touches every Nigerian.
Read also: Kaspersky predicts shifts in industrial cybersecurity practices in 2024
Organisations require a structured risk management strategy to facilitate risk assessments that are systematic, documented, reviewed, and hopefully redone periodically to ensure they insulate themselves against accidental data exposure or hackers infiltrating their network.
Nigeria’s current and future participation in regional and global digital economies is assured, grounded by impressive information and communication technology (ICT) structures established and continuously expanded by indigenous experts in the field. We are at the vanguard of innovative technology. Our educational system, despite its hiccups and setbacks, is brimming with yearnings, drive, and determination from both teachers and students to keep our nation informed and equipped, solidifying our place in the information age.
However, is cybersecurity given the paramount position it deserves? Is data protection prioritised?
In today’s fast-paced, highly competitive environment, businesses are faced with diverse issues demanding their attention and drawing heavily on their limited resources. Operational performance and meeting customer demand remain their focus. Cybersecurity can very easily slide out of view.
With the best intentions and infrastructure, an organisation’s security position always remains precarious. One way an organisation can continue to insulate itself against accidentally running afoul of the law or experiencing malicious attacks is to constantly evaluate its data privacy protection strategy, cybersecurity infrastructure, and policy implementation.
An area often overlooked is third-party risk management (TPRM). Your organisation may have established procedures and measured performance methodically. However, exposure may lie with your suppliers, vendors, contractors, partners, associates, and service providers—all words used interchangeably to mean support providers—without which your organisation will not achieve its goals and smoothly provide services to customers. Most organisations would believe they can rest, assured that they have this loophole covered.
Before taking on a vendor, organisations usually undertake in-depth third-party risk assessment to ensure the contractor has adequate systems in place to forestall exposure to themselves and their clients. The days of taking on a vendor simply because they are well established, have a verified long list of happy customers, and show sizable revenue are long gone. With businesses all running on various forms of ICT platforms, you should investigate what your potential vendor has under the hood.
Your cleaning contractor may be the avenue through which hackers infiltrate your system. A veritable example of this occurred in 2014 when Target, a large chain of supermarkets in the USA, was hacked. Target’s network credentials had been stolen from the subcontractor of the vendor that Target had hired to maintain its refrigerator and air conditioning units. Here, the subcontractor was the weak link, not the contractor.
Read also: 5 major cybersecurity trends to watch in 2024
Having undertaken the initial risk assessment, go a step further to assure continuous assessment of contractors, paying attention to TPRM procedures. Organisations are dynamic, ever-changing organisms. A vendor may be risk-free at the time of contract but may not remain risk-free throughout the period of their relationship with your organisation. They develop new alliances, take on new contractors, or sever relationships with others. Without continuously evaluating and re-evaluating your contractor, you would not be aware of these changes.
While the fintech sector can be expected to vigilantly keep their fingers on the pulse of their TPRM, operators in other sectors may find themselves lagging behind. Healthcare providers, law firms, public libraries, universities, other educational institutions, and non-profit organisations are equally at risk.
Collecting clients’s data is incidental to their daily operations; these organisations are veritable reservoirs of personal information attractive to hackers. What their contractors are doing to manage cybersecurity is often not their priority.
Continuous third-party risk assessments of subcontractors hardly get a cut of their already overstretched resources. If the contractor takes on a weak link, a subcontractor with inadequate cybersecurity infrastructure, there may arise liability under the Nigerian Data Protection Act 2023 and other regulations. Periodic third-party security audits will save your organisation time, money, embarrassment, and the loss of clients.
The second part of this article will discuss relevant regulations and how your organisation can effectively implement a third-party risk management system.
Olufunmilola J. Oyelahan; Cybersecurity Cert.(Harvard), MBA(Ife): Barrister and Solicitor, Nigeria (1991), Solicitor, England and Wales, UK (2005)
