The year 2017 recorded some historic events in cyber space with a fierce battle for supremacy between the cyber criminals and the good guys. As the battle continues to take different twists and turns, I do hope in 2018, the good guys would gain more ground. But for this to be possible, we need to abide by basic security tenets, we must be secure, we must remain vigilant and we must be resilient!
Looking back to the early months of 2017 within the Nigerian context, we noticed a swift rise in several cyber Ponzi schemes (schemes that promised unbelievable financial returns on investment). These schemes vanished one after the other just as we predicted, whilst looting millions of Naira from unlucky individuals who participated in such schemes. Another noticeable trend in 2017 that was predicted in our cyber outlook for last year was the evolving of ransomware attacks. A good example of ransomware that most, if not all security folks became aware of, was the Wannacry ransomware, which affected more than 150 countries. Wannacry went on to affect thousands of PCs all around the world; it started on a Friday evening and kept many IT departments for organizations in Nigeria very busy over the weekend following the attack. I believe at this point, it is very clear to everyone that the attacks are real, organizations and individuals are losing money, IT executives and businesses are having sleepless nights and some have even lost their jobs. It is then paramount that we should expect even more of these in 2018 because cyber-attacks have now become inevitable.
Without being a doomsday sayer, for 2018, here are the major trends we should expect:
Ransomware won't fade anytime soon
Ransomware became lucrative business for cyber criminals in 2017 especially since the code / malicious program could easily be bought online by anyone and used to render an organization or any target captive. Ransomware was the fastest growing security threat in 2017 as evidenced in several reports. Not only did we see more attacks on more businesses demanding more money, but the level of sophistication in distributing ransomware also expanded. These happened despite several warnings that people should not give in and pay the ransom to attackers so as not to encourage them to continue. There were cases where the data that could be lost if the targeted organization / victim did not pay up was very vital to the existence of the organization, hence the victims had to give in and negotiate with the criminals. Unfortunately this trend is expected to continue in the New Year given the relative ease with which the attack could be set up and the attacker could quickly cash in. It is also expected that ransomware in 2018 would start to target other platforms apart from computers; majority of the attacks in the past were on systems running windows operating systems, but it is expected that there would be a shift and focus would also be on mobile devices especially those running on the Android platform. Just like we predicted in the outlook for last year and in several conferences we presented, prevention of ransomware attacks is possible only if individuals and organizations would follow some of the most basic cyber security practices.
Attackers increasingly turning to cryptocurrency
There are several reasons or motivations behind cyber-attacks, it could be for the fun of it, the challenge, hacktivism and many more, but majority of the time it is because of the money involved. 2017 saw many cyber criminals make use of cryptocurrencies because of its anonymous nature of payments. 2017 also saw increased adoption of cryptocurrency as the combined market share for cryptocurrencies surged past the valuation of major banks across the world. Several people now see cryptocurrency as an investment opportunity to make profit while some have lost their fortune. As it is normal for criminals to follow the money, cryptocurrency is not left out. Cyber criminals are operating at every phase of the cryptocurrency ecosystem. The most common attacks is on cryptocurrency exchanges (an exchange just like the Stock Exchange which allows buying or selling using different currencies) by flooding the exchanges with requests so that it becomes unusable (what we call Distributed Denial of Service DDoS attacks) in other to swing the value of the currencies. Another area is compromising of user systems in order for the criminals to add to their "mining botnets" (group of comprised systems that are used for mining. Mining in this context is using a computer to solve a mathematical problem which is a process required to generate a cryptocurrency). Lastly, there are several cryptocurrencies (over 1300) and several exchanges where they could be traded, this increases the chances for newbies or unsuspecting people to be tricked into investing in a fake cryptocurrency (good old social engineering). The above mentioned trends are expected to continue in 2018 as interest in cryptocurrency continue to dominate the headlines. Individuals and organizations should seek counsel from professionals as they tread this new path.
War for cyber security talents
As technology keeps advancing, disrupting legacy businesses and changing the way business is carried out, almost every industry has been disrupted in one way or the other and we are yet to see the end of this. In 2017, we saw increased number of new players in Nigeria in the Fintech space leaving the incumbents to struggle to keep up with the pace of these changes. In a bid to catch up, several organizations are opening up their systems, partnering with third party players and adopting cloud systems. This trend is expected to continue as we gradually move into an open era (open API, open banking etc.). All of these has led to organizations becoming more exposed than ever in their effort to remain relevant and they are finding it difficult to stay secured. Having the right technology is not enough to deal with these challenges, the people and process aspect needs to be strengthened as well.
With the increasing shortage of skills and rising cost of technologies, a quick fix for organizations is to look towards outsourcing their cybersecurity functions. While outsourcing is a common business practice, we have only seen little traction in this area for cybersecurity in Nigeria where organizations outsource their security functions. In 2018, there will be a continuous increase in demand for cybersecurity services/functions from cybersecurity service providers. This request would come from all sizes of businesses and the demand for cyber security talents would not just be local but global where there is already a massive shortage of supply. This is expected to lead to migration of skills outside Nigeria, and servicing of other African and Western markets from Nigeria. The few available professionals that are highly skilled will command premium remuneration in the market. In addition, upcoming graduates and undergraduates would continue to eye cyber security and would start acquiring the necessary skills needed to thrive in the field of cybersecurity, as it is fast becoming one of the most lucrative skills globally.
Man-in-the-Cloud attack – leading to increased focus on Cloud security
It's no news that organisations have progressively migrated to cloud based environments, and an increasing amount of information has been transferred to and stored within many cloud platforms. Most cloud providers have also made their services very easy to set up, such that anyone that can easily surf the web can set up a cloud service. Some early cloud users have even gone to set up cloud platforms for businesses without consulting skilled cloud professionals. Though cloud services are generally secure, the task of ensuring that it is securely configured lies with each organization or user that enrols for such a service. It was then not surprising that 2017 was marred with several cloud based security breaches, barely would a week go by without news of a data breach exposing business or customer data. Some have even labelled year 2017 as the year of the data breach.
A trend we are beginning to see is an attack commonly referred to as the Man in the Cloud (MitC) attack and this is expected to continue to evolve this year. All the attacker needs to do is steal a copy of the synchronization token that the victim uses to access the cloud service and the rest is history. The cyber-criminal can have access to the victim's cloud environment without running any malicious codes or exploits. What exacerbates this attack is that majority of cloud service users do not have visibility of what is happening inside their cloud infrastructure hence, the cyber-criminal can have unrestricted access and make changes to the environment without knowledge of the victim. Organisations are therefore tasked with the responsibility of ensuring their cloud environment is well secured, that security trainings are conducted for users, comprehensive service level agreements are in place and continuous security audits are performed to ensure there is proper visibility and that changes are tracked.
IoT (Internet of Things) compromises to gain more ground
The year 2017 witnessed a continuous increase in the use of Internet-connected consumer devices but a similar increase cannot be said of the security of these devices as customer experience, cost and time-to-market requirements continue to take precedence over security requirements. The challenge is that many IoT devices are not designed or maintained with security considerations as priority as they are often sold with old and unpatched operating systems and software.
Nigeria is also not left out, as 2017 saw a proliferation in the use of Smart TVs, Apple watches, Smart Projectors, Smart whiteboards etc. The year 2018 will see an increase in IoT-related attacks both on endpoint devices and on the cloud. Businesses should take special care as they are ripe candidates and more liable to be victims, as these devices are being plugged into their corporate networks without proper security checks. Organisations would need to re-evaluate and set clear policies in order to stay safe. Individuals on the other hand have to employ security measures such as immediately updating the device firmware and changing passwords.
Cyber Security Regulation would continue to play a key role
Cyber Security regulation provides an effective framework for prohibiting and preventing Cybercrime as well as punishment for every form of Cybercrime. Though it usually comes late to the party as the technology usually grows to a level of maturity before regulations can come, this delay has also contributed to the free reign of criminal elements. However, regulations in cyber security took giant strides in 2017 especially with the advent of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) Customer Security Program (CSP) and the European Union's General Data Protection Regulation (GDPR).
The General Data Protection Regulation (GDPR), Europe's new framework for data protection laws intended to strengthen and unify data protection for all individuals within the European Union has been in the light for a while now. It will come into force on 25 May 2018. The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens. This means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, which invariably means its coverage may go global except you can find a country that none of her companies transact with EU citizens. Even if there is one, Nigeria is definitely not one of them
SWIFT provides a network that enables financial institutions across the globe to send and receive information about financial transactions - the CSP program became a talking point towards the end of 2017. SWIFT established the CSP program to ensure its customers take proactive steps to protect their "SWIFT" environment against cyber-attacks. SWIFT identified 16 mandatory and 11 optional security controls, against which all its 11,000 customers worldwide must assess their infrastructure. SWIFT is used by majority of the companies in the Financial Service Industry in Nigeria and they would all need to be compliant.
2018 will witness an increase in companies rushing to get their affairs in order as the reality of implementation imperatives of the GDPR and SWIFT CSP dawns closer. We are also likely to see regulatory organizations such as National Insurance Commission (NAICOM), Nigerian Communications Commission (NCC), National Information Technology Development Agency (NITDA) begin to consider the enforcement of compliance to standards in relation to cyber security; with countries not far behind striving to equate local laws with those of the EU. We also expect the Central Bank of Nigeria (CBN) to make additional giant leaps in its regulatory drive in financial sector especially within the payment space.
While I have focused on the above mentioned trends for 2018, I want to stress that the one major threat that would always remain - social engineering attacks conducted via emails, SMS and calls is still the number one threat being faced in Nigeria as at today. Also, it is not enough to just know more about this trends or attacks, it is about putting the right measures in place so as to be better prepared to defend against them. As always, we wish you all a cyber-secure new year.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.