Cybersecurity: understanding the threat landscape and lessons from the GDPR for Nigerian entities

Cybersecurity threat and cyberattack have emerged as a foremost menace facing global businesses and public institutions over the last decade. The danger is an existential reality private and public institutions have to contend with. The increased sophistication of attacks has resulted in the huge financial losses, loss of trust and reputation. Hacking, Ransomware, Phishing, Cybercrime-as-a-service, Denial of Service (DDoS), and other manifestation of cybercrimes are on a geometric surge in complexity and recurrence.

The internet has created no limit, no rules, and boundaries for criminals. The anonymity garb of the internet reduces the prospect of being caught. The growth of technology and deeper penetration of the internet has resulted in an increase in generation of personal data. According to Forbes, by the year 2020, about 1.7 megabytes of new information will be created every second for every human being on earth. That is 44 zettabytes (44 trillion gigabytes). These data generated are the driver of the modern economy.

According to World Economic Forum Global Risk Report, Cyberattack ranks third, and data theft or fraud ranks fourth on likely threat to the global economy; while Cyberattack ranked sixth on risk in terms of impact. These potential risks include mismanagement, exploiting design vulnerabilities, fraud, identity theft, malware attack, and malicious use that post risks to security and safety of individuals. Technology has continued to churn-out innovative advancement to our existential risks and challenges which has also produced additional risks which must be considered by private and public institutions. Disruptive technologies are opening horizons faster than the regulators can grasp.

THE RISK

Merriam Webster defines cyberattack as “an attempt to gain illegal access to a computer or computer system for the purpose of causing damage or harm.” Article 4 of the GDPR defines ‘personal data breach’ as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Cyberattack exposes organisations to the loss of intellectual property and trade secret; online fraud and financial crimes, theft of personally identifiable information (PII); financial manipulation; disruption in production or services, and reduced trust for online activities. This includes economic loss and cost of securing networks, breach of access Reputational damage, reduced customer confidence, penalty under regulations; risk and liability for the company and its brand, including temporary damage to stock value.

Globally, according to CSIS and Mcafee report, it is estimated that Cybercrime cost the world about $600 billion in 2017. Cybersecurity Ventures predicted that cybercrime will cost the world in excess of $6 trillion by 2021. The risk does not affect just big entities. According to a report, nearly half of all cyberattacks are committed against small businesses.

This is more evident in high profile attacks on Sony, Equifax and more recently Under-Armour that affected over 150 million users of its app, Myfitness. According to Europol, a malware attack in 2017 affected over 150 countries.

THE NIGERIAN EXPERIENCE

Nigeria’s internet penetration currently stands at over 93 million users. In 2017, Nigeria ranked third in the world for cybercrime according to the Nigerian Communication Commission (NCC), the West-African nation only surpassed by the U.S. and the U.K. In 2015, Nigeria recorded 2,175 cyber attacks. In the same year, 14% of the over 90 million Nigerians internet users suffered a form of cyber-attack. According to a report, cyber-attack cost the Nigerian economy about $500 million per annum. According to the FBI’s Internet Crimes Report in 2016, Nigeria ranked 19th on top countries by cybercrimes victims.

According to Delloite’s 2018 Nigeria Cybersecurity Outlook, it is projected the country will witness increased ransomware, attackers will turn to cryptocurrency, increased attack on cloud facility, and Internet of things (IoT) compromise. In a 2016 report, Serianu reported that Nigerian e-Commerce platforms were hit with more online scams, there was Automated Teller Machine (ATM) Skimming and Identity theft, and customised malware targeting critical mobile and Internet banking infrastructure.

This is largely aided by lack of practical regulatory guidance from industry regulators and government, ill preparation of organisations to deal with information security threats, insufficient training of employees amongst other reasons.

THE EMERGING THREAT

The Nigerian Information Technology Development Agency (NITDA) recently issued a warning about an imminent major cyberattack on the nation’s cyberspace. The statement issued by the Director-General (DG) of NITDA stressed that the Nigerian banking, health, transportation, and power system are potential target. The DG warned Ministries, Departments and Agencies, the private sector and the general public to be proactive and vigilant. This is not the first time NITDA is issuing such warning.

HOW PREPARED IS THE NIGERIAN CYBERSPACE?

Generally, Nigeria is not faring poorly. Nigeria has been ranked 15th in information communication technology (ICT) development in Africa by the International Telecommunication Union (ITU) and 143rd globally amongst 176 countries. According to the Global Cybersecurity Index (GCI) by the ITU, that measures the commitment of countries to cybersecurity across industries and sectors. The GCI is based on each country’s level of legal measures, technical measures, organizational measures, capacity building, and cooperation towards Cybersecurity Development. Nigeria is currently ranked 46th globally and 5th in Africa. The country is also grouped alongside 77 other countries in Maturing stage of Cybersecurity development.

The private sector is no doubt the biggest driver of the cybersecurity landscape in the country. Organisations are increasingly investing in Cybersecurity and making it part of their core business enabler. The culture is moving from cost to considering it consequential to continuous existence of the business. Some Nigerian companies have achieved the International Standards Organisation (ISO) information security management certification standard which certifies that organisations keep information assets secure.

On the part of the government, the office of the National Security Adviser (NSA) pursuant to Section 42 of the Cybercrimes Act 2015, the Nigerian Computer Emergency Response Team (ngCERT) has been established, which serves as the Coordination Centre responsible for managing cyber incidents in Nigeria. The government has established the National Digital Forensic Laboratory responsible for advising Government on measures to prevent and combat cybercrimes, threats to national cyberspace and other cybersecurity related issues.

The government has commenced the process for comprehensive identification, classification, and development of protection plan for Critical National Information Infrastructure (CNII); the government also plans to enact Data Protection and Privacy Law to protect the personal data of Nigerians from compromise. The action plan states that the timeline for a data protection law is 2019. Hopefully, there will not be a country scale cyber attack by then requiring the customary parliamentary committee inquiry.

THE LEGAL FRAMEWORK FOR CYBERSECURITY IN NIGERIA

Nigeria like many other countries underestimates the risk of Cybersecurity on the economic well-being of the country. The country lacks a robust legislative framework and practical regulatory guidance from industry regulators. In 2015, the country enacted the Cybercrimes (Prohibition and Prevention) Act that criminalises a considerable number of Cybercrimes prevalent in the country. While the legislative effort was a good move, it has not stemmed the tide of attacks and the machinery for implementation appears to be technologically aback.

The Nigeria government considers the cyberspace critical to its national security, hence, through the office of the National Security Adviser (NSA), issued the National Cybersecurity Strategy and National Cybersecurity Policy in 2014 to steer the path for safety on the country’s cyberspace. Further to the power of the NSA pursuant to the Cybercrimes Act 2015 to develop Cybersecurity policy for the country, In 2017, the NSA released the Draft Action Plan for Implementation of the National Cybersecurity Strategy.

Section 5 of Cybercrimes Act criminalises attack on sectors designated as critical national infrastructure punishable by imprisonment term not less than 15 years without an option of fine. Part 7.5 of the National Cybersecurity Policy designates Information technology and financial services sectors amongst other sectors as National Critical Information Infrastructure (NCII).

There is no civil remedy under any extant law or regulations for victims of cyberattack currently in Nigeria as we have seen in other climes.

CYBERSECURITY IN THE AGE OF GDPR

The GDPR has introduced radical reforms endeared towards a security conscious digital ecosystem. Data security has a symbiotic relationship with data privacy. Recital 39 of the GDPR provides that “any processing of personal data should be lawful and fair… Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”

The GDPR further provided suggestions on security measures which include:

• The pseudonymization and encryption of personal data;
• The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Article 40 and Article 42 requires data Controllers and data processors to adhere to either an approved code of conduct or an approved certification mechanism to demonstrate compliance with the GDPR’s security standards.

The regulations provide that controllers should notify the Supervisory Authority (SA) within 72 hours of being aware if it is likely to result in risk to the rights of the data subject. Therefore, not all instance of attack is expected to be reported to the SA. Controllers are to further notify data subjects if the attack poses a high risk. The processor has obligation to notify only the controller when there is breach.

RECOMMENDATION

There is a need to recognize the different approaches to building and implementing Cyber resilience hinged on detection, prevention, response, and recovery. According to a study, recovery process after a cyber attack gulp (19 percent) of the cost, followed by containment (16 percent), investigation (13 percent) and incident management and ex-post response (11 percent).

Reporting

One of the biggest problems is low reporting by companies that have been attacked. Largely, the companies seek to avoid a public backlash, liability, risk and reputational loss. According to a report by Serianu on the state of cybersecurity in Nigeria, it reported that Cyberattacks did happen but underreported. Industry experts in Nigeria also agreed that Cyberattacks occurred but affected companies did not report.

Section 21 of the Cybercrimes (Prevention and Prohibition) Act mandates that a Cyberattack or threat must be reported to ngCERT. Failure to report within 7 (seven) days is punishable by a fine of N2,000,000 and denial of internet service. Underreporting is a debilitating factor for estimating the cost and extent of cybercrime and deprives the industry of shared common knowledge. In response, the NgCERT has created an online platform to report incidence either as an individual or a corporation.

The 7 days for reporting is considered too long compared to 72 hours under the GDPR and report is only made depending on the extent of the breach, not every breach is mandated to be reported. The policy should make clearer what type of breach that should be reported. The law also failed to stipulate at what point the report should be made as infiltration might have occurred long before detection.

Cyberinsurance

Lack of insurance policy built around the cyberindustry in Nigeria is not an impetus to invest in security. The insurance industry in the country will have to develop policies to protect companies to enable them to mitigate and spread risk across. The Cyber insurance cost is growing globally. The cost of Cyberinsurance in the US is valued at over $1 billion. In a 2016 report, Delloite Nigeria predicted the growth of the cyberinsurance industry in Nigeria. As the cost of recovery after cyber attack increases, so will the cost of cyberinsurance.

Need for more Investment

The cost of cybersecurity is expensive and many businesses still consider it a cost rather than necessity. Cyber-attacks Cost $1 Million on Average to resolve and it cost financial services firms more money than any other sector in 2017, averaging $18.28 million per firm. Lack of funds is hampering the capability of organisations to build strong cyber resilience capability. This includes enhancing ICT Security competencies

There is a need to build strong cyber resilience and incidence response plan. A company under attack must still be able to function without halting its entire operations.

Harmonised legal framework

The absence of a general data protection framework implies there is no law imposing strict responsibility on organizations to ensure the security of personal data. The Credit Reporting Act contains ample provisions on data protection, but its application is sector specific limiting its application.

Nigeria scored low on the GCI in areas of cybersecurity good practices, homegrown industry capability, international legal collaboration, cybersecurity training, and availability of cybersecurity metrics. Considering how strategic the Nigerian market is, the government should enter into strategic Mutual Legal Assistance (MLA), and international agreements focusing on legal cooperation, capacity development, knowledge sharing without risk to national security.

The government needs to enact a general data protection law that will mandate stronger security requirement from data controllers and data processors with a strict penalty for breach.

There could also be a sector driven reform either through regulations or statute. The Credit Reporting Act is a good example of a sector driven framework for data protection, considering the need for data protection differs for each industry. Further to aforementioned, the various government agencies can come up with regulations to protect the Cybersecurity landscape. Industry-focused regulations from government agencies like the Central Bank of Nigeria, National Insurance Commission (NAICOM), Security and Exchange Commission (SEC), Nigeria Stock Exchange (NSE) Nigerian Communications Commission (NCC), National Information Technology Development Agency (NITDA) will drive enforcement of compliance to standards. SEC can decide that demonstration of strong cybersecurity capability as a condition for listing.

Deepening Capacity Development

There is a dearth of skills locally. Nigeria has estimated 1500 professionals as at 2016. Capacity development starts from identifying that security is not strictly the job of the Information Technology (IT) department focusing entirely on external threats but across every stratum of the organization. A common saying goes that “your defence is as strong as its weakest link.” According to EY’s 19th Global Information Security Survey 2016-17, careless or unaware employees are now the most likely source of a cyber attack. There should be conscious effort to commit to research and development to aid capacity development.

Companies should immerse their operations in cybersecurity consciousness and corporate culture. This includes strategic level and risk strategy embedded in the business strategy, and a vibrant Cybersecurity culture embedded in the organization core processes.

The awareness and sensitization should be carried out at the extent of national consciousness and even fused into education curriculum.

Use of Technology

Accroding to Kris Lahiri, Machine Learning, and Artificial intelligence-based computing has shown potential to detect, analyse, and defend against advanced attacks by proactively detecting and tricking attackers faster than human. Analytics is valuable to detect the threat and take more informed decisions. The combination of “very smart security personnel with adaptive technology that continues to change and become smarter over time, this provides a competitive edge to defenders that have primarily been absent from most cybersecurity technologies to date.”

Depending on the business model, companies will need to implement endpoint security, privileged account security, identity and access management to control unrestricted access, network access control, 2Factor authentication, and disaster recovery system.

Risk management

The traditional view is to consider cybersecurity as a cost. The trend is shifting towards it being considered a strategic business enabler that should be optimised. Companies’ security effort is inadequate if a third party supplier is a weak link to vulnerability. Companies will need to step up threat vulnerability capability, and manage third-party risk by conducting due diligence on partners and enforcing security standards. The system should be designed to continue to identify new threats and risk proactively.

There is an urgent need for cyber resilience capability built on the foundation of identifying, protection, detection, incidence response, recovery, and continuous improvement of the process.

Increased Role for Data Governance

Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.

Data governance is one such approach that addresses many aspects of data management, including information privacy and security as well as compliance. Good data governance enables compliance in a changing regulatory landscape and takes into account changes in the organization’s own business goals and objectives.

It Protects the organization’s data against internal and external threats to privacy and confidentiality. It ensures that the organization complies with applicable laws, regulations, and standards. It ensures that proof of compliance is generated and documented within the process.

CONCLUSION

According to the Global Cybersecurity Index, “cybersecurity is an increasingly important part of our life today, and the degree of interconnectivity of networks implies that anything and everything can be exposed, and everything from national critical infrastructure to our basic human rights to privacy can be compromised.”

As the country and companies continue to pivot toward the advantages of the Digital Age and Digital Economy, exponentially more data is generated and moved across different parties and jurisdictions. This data has become the lifeblood of today’s interconnected business ecosystem and is increasingly valuable to organizations—and to skilled threat actors. Business digitization also has exposed companies to new digital vulnerabilities, making effective cybersecurity and privacy more important than ever.

For Nigeria to stay ahead of the threat curve, they need to continually invest in research, build local cyber threat management infrastructure and enhance the ability to anticipate, detect, respond and contain information security threats. Companies will need to hire legal and cybersecurity experts to help them ensure compliance and navigate the steep terrain.