Wednesday, May 29, 2024

BusinessDay

‘Social media poses a great risk to enterprises’


What is the rationale behind Deloitte organising the quarterly Cyber Security Breakfast Session (CSBS)?

Last year, Deloitte Nigeria organised the first Chief Information Security Officer (CISO) Roundtable in Nigeria where those in charge of information security and/or information technology of different companies across virtually all the industry sectors were in attendance. The participants were very pleased with the roundtable and requested that we hold such sessions regularly to inform professionals about emerging information security threats and trends that may put their organisations at risk. As a result, we commenced the quarterly Cyber Security Breakfast Session (CSBS) this April. The session is designed to provide a veritable platform for sharing information, experiences and practical solutions to the information security issues we all face in the emerging cashless economy.

There is an increase in malware and DDoS attacks on financial institutions in Nigeria. What is driving this trend, and how can banks better protect their systems?

Malware refers to computer programs with malicious intent and, as you rightly observed, there is an increase in malware specifically targeting banks. The reason for the increase is simple – malware writers see more opportunities to steal money from innocent and unsuspecting people, especially in this era where we are conducting more electronic transactions. According to a recent publication by the National Information Technology Development Agency (NITDA), internet usage in Nigeria grew from about 10 million users in 2008 to approximately 44 million users in 2012; this is about a 400 percent increase in internet usage and, to malware writers, there is also a 400 percent increase in their chances of defrauding others. The banks are the primary targets because they are the early adopters of online technologies for transaction services; however, other sectors like telecom, manufacturing, health, hospitality, aviation and government agencies are already facing a similar trend.

There are different types of malware; some are intended to steal internet banking credentials for use by the malware writers. Some target mobile phones, and they can steal authentication credentials, prevent the installation of patches or even perform unauthorised transactions using valid credentials.

Distributed Denial of Service (DDoS) attacks are configured in a way that they send more requests to a financial institution’s online resource than it is capable of handling, thus forcing the system to ‘crash’ or become unavailable. Generally speaking, such attacks are sometimes executed by kids in the “hackers’ world” who are practising some newly acquired skills. Also, DDoS is often used by hackers to distract their target companies from promptly detecting their “real” malicious activities. In some instances, it could be an attempt by competitors to disrupt the operations of an entity.

Banks can protect themselves from malware and DDoS attacks by having and implementing appropriate information security policies and also performing continuous (24/7) monitoring of their critical resources, as well as monitoring the internet for malware and planned attacks that target their brand. Deloitte Nigeria has made strategic investments in continuous monitoring services (Cyber Watch) and we assist our clients to promptly detect and shut down the sources of such attacks.

What is the impact of social media on enterprise security?

In the past few years, we have seen how social media was used as a tool to drive businesses and even topple governments. Social media poses a great risk to enterprises because of the numerous opportunities it offers. Such impact could include reputational loss, intellectual property leakage (intentional or unintentional disclosure of confidential information on social networking sites) and identity theft via social engineering.

In Nigeria, we have seen instances of targeted attacks on some companies’ executives and brands. For example, a malicious user can create a fake social media profile purporting to belong to the CEO of a corporation and use this profile to attract unsuspecting clients and people of the same calibre. Some banks in Nigeria have even adopted social banking, which means that you can do more with the bank (e.g. check account balance, get airtime recharge, perform money transfers, pay bills) through social media. Although this brings the banks closer to their customers, it also exposes the banks’ IT infrastructure to more risks.

Social media comes with a daunting list of potential problems for enterprise security, and this is why we are going the extra mile to assist our clients in protecting their brand online via our continuous monitoring service, and also using the platform of the Cyber Security Breakfast Session to enlighten businesses in Nigeria on how to tackle such risks.

The concept of ‘bring your own device’ is creating a lot of complexities for businesses from an enterprise security standpoint. What is your take on this?

One major challenge with ‘Bring Your Own Device’ (BYOD) stems from the fact that there is limited security consideration before adoption. BYOD is a fancy concept that strives to promote availability and allow employees to work from anywhere. While some organisations provide employees with a mobile device in addition to laptops or desktops, many others allow employees to access corporate resources with employee-owned devices.

Some of the questions relating to BYOD that I have asked some IT executives in recent times are: how are you able to prevent unauthorised devices from having access to your network? While you are concerned about who gets into your network, do you also have control over what gets out of your network via the BYODs? Do you have enterprise-wide visibility of all devices that are currently on your network? Are you able to enforce your company’s security policies on these devices? How do you physically and logically (on the network) differentiate your company’s devices from BYODs? How do you handle the loss or theft of a BYOD, considering that it may contain your company’s confidential information?

Interestingly, many IT and business executives are left speechless when faced with such questions. Although BYOD has its positives (cost being top of the list), it also poses a number of challenges to the security of information within the organisation, bordering on confidentiality and integrity, and I believe we should put measures in place to address the risks posed by BYOD because we cannot run away from them in this age.

What is the cost implication of cyber-attacks on businesses and the public sector? Why do businesses in Nigeria hardly report incidents of cyber-attacks?

The Norton Cybercrime Report of 2011 put the cost of cybercrime to the world’s economy at $388 billion annually, which is greater than the combined global market for cocaine, marijuana and heroin. These attacks, coupled with the liability claims that they might encounter, can leave local businesses in ruins, be it in the public or private sector. Apart from the financial ones, other implications of a cyber-attack on any enterprise include loss of customers, brand name damage and potential lawsuits. Sometimes it is even very difficult to quantify the cost of cyber-attacks that appear to mainly affect companies’ reputations.

Organisations in Nigeria always shy away from reporting incidents of cyber-attacks because of the perceived negative image it might have on their brand. I think this is a natural thing an average person or company is inclined to do. For instance, as a journalist, have you ever written a negative report about yourself? However, this is not the case in other countries like the US and UK. For example, in the US, security breach notification laws have been enacted in most US states since 2002. In Nigeria, however, we do not have such laws in place. This is indeed one of the frontiers we are hoping that regulatory bodies and our legislators in Nigeria will drive.

It is important to note that when incidents are reported in a timely manner, it allows the incident to be curbed and provides a learning point for other organisations to improve their controls. This is because one way to curb the menace of cyber-attacks is collaboration.

One other reason why organisations in Nigeria do not report security breaches is that they are not even aware of the security breach they have experienced or are experiencing. As we are discussing right now, there is a possibility that most organisations in Nigeria are suffering from cyber-attacks but are not aware of it. A cyber-attack is no longer a matter of “if” but a matter of “when”. We are all likely to experience it in one form or the other. But the question is – when it happens, will you be ready to promptly detect it and stop it?

Due to the prevailing economic conditions, companies are cutting costs. IT budgets are shrinking by the day. How can IT get the buy-in of management in terms of investment in information security?

Generally speaking, in an ideal situation, it is not the business of IT to get the buy-in of management to invest in information security. This is because information security is not an IT issue but a business issue. If you see a company in this era where the IT management is striving to get the attention of management regarding securing their business, it may be an indication that the management and Board of such a company are not in touch with the realities of doing business nowadays. I would suggest that cyber security awareness sessions be held for the Board and management of all companies in Nigeria regarding how information security affects their business and even how they should securely handle their own devices. This is because there is now a direct link between information security and shareholder value. For instance, a breach of a top executive’s laptop while on vacation in another country can lead to disclosure of sensitive information which, if it gets into the public domain, can make the company’s share price crash by 50 percent in one day.

Another reason why it is difficult to get management buy-in with respect to investment in information security is that some IT managers always speak in technical terms that management (who are concerned with the bottom line) do not understand. Also, some IT executives are just carried away with buying fancy products that a rival company has purchased, whereas a company’s information security strategy and budget should be prepared based on its business strategy.


Interview with BEN UZOR JR.