Nigeria: 2018 Nigeria Cybersecurity Outlook

Last Updated: 18 July 2018
Article by Tope Aladenusi

Most Read Contributor in Nigeria, October 2018

The year 2017 recorded some historic events in cyber space with a fierce battle for supremacy between the cyber criminals and the good guys. As the battle continues to take different twists and turns, I do hope in 2018, the good guys would gain more ground. But for this to be possible, we need to abide by basic security tenets, we must be secure, we must remain vigilant and we must be resilient! 

Looking back to the early months of 2017 within the Nigerian context, we noticed a swift rise in several cyber Ponzi schemes (schemes that promised unbelievable financial returns on investment). These schemes vanished one after the other just as we predicted, whilst looting millions of Naira from unlucky individuals who participated in such schemes. Another noticeable trend in 2017 that was predicted in our cyber outlook for last year was the evolving of ransomware attacks. A good example of ransomware that most, if not all security folks became aware of, was the Wannacry ransomware, which affected more than 150 countries. Wannacry went on to affect thousands of PCs all around the world; it started on a Friday evening and kept many IT departments for organizations in Nigeria very busy over the weekend following the attack. I believe at this point, it is very clear to everyone that the attacks are real, organizations and individuals are losing money, IT executives and businesses are having sleepless nights and some have even lost their jobs. It is then paramount that we should expect even more of these in 2018 because cyber-attacks have now become inevitable. 

Without being a doomsday sayer, for 2018, here are the major trends we should expect:

Ransomware won't fade anytime soon

Ransomware became lucrative business for cyber criminals in 2017 especially since the code / malicious program could easily be bought online by anyone and used to render an organization or any target captive. Ransomware was the fastest growing security threat in 2017 as evidenced in several reports. Not only did we see more attacks on more businesses demanding more money, but the level of sophistication in distributing ransomware also expanded. These happened despite several warnings that people should not give in and pay the ransom to attackers so as not to encourage them to continue. There were cases where the data that could be lost if the targeted organization / victim did not pay up was very vital to the existence of the organization, hence the victims had to give in and negotiate with the criminals. Unfortunately this trend is expected to continue in the New Year given the relative ease with which the attack could be set up and the attacker could quickly cash in. It is also expected that ransomware in 2018 would start to target other platforms apart from computers; majority of the attacks in the past were on systems running windows operating systems, but it is expected that there would be a shift and focus would also be on mobile devices especially those running on the Android platform. Just like we predicted in the outlook for last year and in several conferences we presented, prevention of ransomware attacks is possible only if individuals and organizations would follow some of the most basic cyber security practices.

Attackers increasingly turning to cryptocurrency

There are several reasons or motivations behind cyber-attacks, it could be for the fun of it, the challenge, hacktivism and many more, but majority of the time it is because of the money involved. 2017 saw many cyber criminals make use of cryptocurrencies because of its anonymous nature of payments. 2017 also saw increased adoption of cryptocurrency as the combined market share for cryptocurrencies surged past the valuation of major banks across the world. Several people now see cryptocurrency as an investment opportunity to make profit while some have lost their fortune. As it is normal for criminals to follow the money, cryptocurrency is not left out. Cyber criminals are operating at every phase of the cryptocurrency ecosystem. The most common attacks is on cryptocurrency exchanges (an exchange just like the Stock Exchange which allows buying or selling using different currencies) by flooding the exchanges with requests so that it becomes unusable (what we call Distributed Denial of Service DDoS attacks) in other to swing the value of the currencies. Another area is compromising of user systems in order for the criminals to add to their "mining botnets" (group of comprised systems that are used for mining. Mining in this context is using a computer to solve a mathematical problem which is a process required to generate a cryptocurrency). Lastly, there are several cryptocurrencies (over 1300) and several exchanges where they could be traded, this increases the chances for newbies or unsuspecting people to be tricked into investing in a fake cryptocurrency (good old social engineering). The above mentioned trends are expected to continue in 2018 as interest in cryptocurrency continue to dominate the headlines. Individuals and organizations should seek counsel from professionals as they tread this new path.

War for cyber security talents

As technology keeps advancing, disrupting legacy businesses and changing the way business is carried out, almost every industry has been disrupted in one way or the other and we are yet to see the end of this. In 2017, we saw increased number of new players in Nigeria in the Fintech space leaving the incumbents to struggle to keep up with the pace of these changes. In a bid to catch up, several organizations are opening up their systems, partnering with third party players and adopting cloud systems. This trend is expected to continue as we gradually move into an open era (open API, open banking etc.). All of these has led to organizations becoming more exposed than ever in their effort to remain relevant and they are finding it difficult to stay secured. Having the right technology is not enough to deal with these challenges, the people and process aspect needs to be strengthened as well.

With the increasing shortage of skills and rising cost of technologies, a quick fix for organizations is to look towards outsourcing their cybersecurity functions. While outsourcing is a common business practice, we have only seen little traction in this area for cybersecurity in Nigeria where organizations outsource their security functions.  In 2018, there will be a continuous increase in demand for cybersecurity services/functions from cybersecurity service providers. This request would come from all sizes of businesses and the demand for cyber security talents would not just be local but global where there is already a massive shortage of supply. This is expected to lead to migration of skills outside Nigeria, and servicing of other African and Western markets from Nigeria. The few available professionals that are highly skilled will command premium remuneration in the market. In addition, upcoming graduates and undergraduates would continue to eye cyber security and would start acquiring the necessary skills needed to thrive in the field of cybersecurity, as it is fast becoming one of the most lucrative skills globally.

Man-in-the-Cloud attack – leading to increased focus on Cloud security

It's no news that organisations have progressively migrated to cloud based environments, and an increasing amount of information has been transferred to and stored within many cloud platforms. Most cloud providers have also made their services very easy to set up, such that anyone that can easily surf the web can set up a cloud service. Some early cloud users have even gone to set up cloud platforms for businesses without consulting skilled cloud professionals. Though cloud services are generally secure, the task of ensuring that it is securely configured lies with each organization or user that enrols for such a service. It was then not surprising that 2017 was marred with several cloud based security breaches, barely would a week go by without news of a data breach exposing business or customer data. Some have even labelled year 2017 as the year of the data breach.

A trend we are beginning to see is an attack commonly referred to as the Man in the Cloud (MitC) attack and this is expected to continue to evolve this year.  All the attacker needs to do is steal a copy of the synchronization token that the victim uses to access the cloud service and the rest is history. The cyber-criminal can have access to the victim's cloud environment without running any malicious codes or exploits. What exacerbates this attack is that majority of cloud service users do not have visibility of what is happening inside their cloud infrastructure hence, the cyber-criminal can have unrestricted access and make changes to the environment without knowledge of the victim. Organisations are therefore tasked with the responsibility of ensuring their cloud environment is well secured, that security trainings are conducted for users, comprehensive service level agreements are in place and continuous security audits are performed to ensure there is proper visibility and that changes are tracked.

IoT (Internet of Things) compromises to gain more ground

The year 2017 witnessed a continuous increase in the use of Internet-connected consumer devices but a similar increase cannot be said of the security of these devices as customer experience, cost and time-to-market requirements continue to take precedence over security requirements.  The challenge is that many IoT devices are not designed or maintained with security considerations as priority as they are often sold with old and unpatched operating systems and software.

Nigeria is also not left out, as 2017 saw a proliferation in the use of Smart TVs, Apple watches, Smart Projectors, Smart whiteboards etc.  The year 2018 will see an increase in IoT-related attacks both on endpoint devices and on the cloud. Businesses should take special care as they are ripe candidates and more liable to be victims, as these devices are being plugged into their corporate networks without proper security checks. Organisations would need to re-evaluate and set clear policies in order to stay safe. Individuals on the other hand have to employ security measures such as immediately updating the device firmware and changing passwords.

Cyber Security Regulation would continue to play a key role

Cyber Security regulation provides an effective framework for prohibiting and preventing Cybercrime as well as punishment for every form of Cybercrime. Though it usually comes late to the party as the technology usually grows to a level of maturity before regulations can come, this delay has also contributed to the free reign of criminal elements. However, regulations in cyber security took giant strides in 2017 especially with the advent of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) Customer Security Program (CSP) and the European Union's General Data Protection Regulation (GDPR).

The General Data Protection Regulation (GDPR), Europe's new framework for data protection laws intended to strengthen and unify data protection for all individuals within the European Union has been in the light for a while now. It will come into force on 25 May 2018. The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens. This means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, which invariably means its coverage may go global except you can find a country that none of her companies transact with EU citizens. Even if there is one, Nigeria is definitely not one of them

SWIFT provides a network that enables financial institutions across the globe to send and receive information about financial transactions - the CSP program became a talking point towards the end of 2017. SWIFT established the CSP program to ensure its customers take proactive steps to protect their "SWIFT" environment against cyber-attacks. SWIFT identified 16 mandatory and 11 optional security controls, against which all its 11,000 customers worldwide must assess their infrastructure. SWIFT is used by majority of the companies in the Financial Service Industry in Nigeria and they would all need to be compliant.

2018 will witness an increase in companies rushing to get their affairs in order as the reality of implementation imperatives of the GDPR and SWIFT CSP dawns closer. We are also likely to see regulatory organizations such as National Insurance Commission (NAICOM), Nigerian Communications Commission (NCC), National Information Technology Development Agency (NITDA) begin to consider the enforcement of compliance to standards in relation to cyber security; with countries not far behind striving to equate local laws with those of the EU. We also expect the Central Bank of Nigeria (CBN) to make additional giant leaps in its regulatory drive in financial sector especially within the payment space.

Conclusion

While I have focused on the above mentioned trends for 2018, I want to stress that the one major threat that would always remain - social engineering attacks conducted via emails, SMS and calls is still the number one threat being faced in Nigeria as at today. Also, it is not enough to just know more about this trends or attacks, it is about putting the right measures in place so as to be better prepared to defend against them. As always, we wish you all a cyber-secure new year.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Deloitte Nigeria
Deloitte Nigeria
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Deloitte Nigeria
Deloitte Nigeria
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions