2018 was a year of tremendous technological innovation and landmark shift in thinking. On the other hand, it was plagued with several high profile privacy and cybersecurity breaches within and outside Nigeria. One of the most prominent security breaches was the Facebook data scandal. Cambridge Analytica acquired personally identifiable information of up to 87 million Facebook users resulting in a significant breach. We also saw several high profile organisations around the world in the media for major breaches that affected their profits and share value.
Nigerian companies were not immune to the spree of cyber-attacks and data breaches. We had a mix of cases originating from phishing attacks, malicious software embedded at payment interfaces and ransomware. Although these attacks did not receive heavy media coverage, billions of Naira was lost.
Many organisations also experienced crypto jacking; a situation whereby attackers use the victim’s computer to mine cryptocurrency. There was an increase in crypto jacking due to the fact that it is a cheaper alternative to ransomware that requires much less technical skills.
Just as we predicted in the Deloitte Cyber Security Outlook for 2018, Cyber Security Regulations played a key role in 2018 as it became one of the major drivers for security. Regulations such as the Central Bank of Nigeria (CBN) Cyber Security Framework and the EU’s General Data Protection Regulation (GDPR) came to the fore ultimately raising the importance of security among Nigerian companies. It is also important to note that the GDPR also affects Nigerian companies transacting business with European citizens.
An overview of the 2019 Cyber Security Landscape shows that we can expect some of these trends to continue with a number of them being amplified.
Watch out for these major trends that could impact the Nigerian Cyberspace in 2019.
1) Politically Motivated Attacks would be on the rise
With the upcoming elections, we may expect to see a rise in the number of politically motivated cyber attacks. Hacktivism may be prevalent before and immediately after the elections in order to gain access to the IT systems of government agencies and parastatals.
During the 2015 elections, the website of the Independent National Electoral Commission (INEC) was reportedly hacked and attempts made to gain access to critical information of several government parastatals. This trend will take a new dimension and if left unchecked may pose a threat to future elections as witnessed around the world. We recommend that the necessary authorities be vigilant in order to protect critical technology platforms.
2) The rapid adoption of Cloud services and the Application Programming Interface (API) economy will increase the Cyber-security threat
Cost Management is key to running business globally and so more businesses around the world are looking for better technology to drive processes. This drive has led to a proliferation of several digital channels and increased connectivity. This new trend has led to growing concerns about data privacy and security. Organisations may be required to comply with data privacy policies especially when relating to other international organisations, third parties, and customers. A good case in point is the heightened awareness the GDPR has triggered.
It is important to understand the distinction between information security and privacy and address each of them from an informed standpoint. Security is concerned with how information is protected while Privacy is focused on ensuring that an individual’s personally identifiable information is not compromised, it affords an individual the right to exercise controls on how their personal information is used by organisations.
As more attention is given to data privacy and security, organisations that employ API and Cloud technologies would need to consider additional measures to ensure the privacy and security of customers’, employees’ and third parties data are guaranteed.
3) Data Analytics, a new cyber-security ally
Big Data Technology for Cyber Intelligence can support the storage of large amounts of data and help analysts examine, observe, and detect irregularities within a network. The security-related information available from Big Data has been shown to reduce the time required to detect and resolve issues, allowing cyber analysts to predict and avoid the possibilities of intrusion and invasion.
In 2019, we expect Cyber Security professionals in Nigeria to leverage Data Analytics, Artificial Intelligence and Machine Learning to build more predictive intelligence models into their existing cyber intelligence systems. Attackers may also leverage technology and so organisations need to be one step ahead.
4) More targeted malware attacks
In addition to bigger ransomware attacks, 2019 will bring another strain of malware attacks that will be application or process specific. Some of the targeted applications will include Enterprise Resource Planning (ERP) applications and Payment Processing applications. Most of these attacks will also be undetected by traditional antivirus systems and may even be passed over and seen as trusted network sources. The malware will also leverage the unpatched Internet of Things (IoT) devices within the network to launch attacks and communicate with Command and Control (C&C) Centres. Organisations will need to have a holistic approach to cybersecurity in order to stay ahead and this will involve the right mix of people and skills, awareness, processes, governance and technology.
5) Phishing attacks will still be prevalent and no industry sector will be immune
Reports show that the use of phishing emails to trick people into divulging sensitive information increased in 2018. These attacks will still be prevalent in 2019. Although financial institutions have put in place effective systems to check this trend, other sectors in the economy may become targets. (e.g. Maritime, Consumer Goods, Energy, Telecommunications, etc).
Some organisations in the Financial Service Industry (FSI) have made some significant improvements, thanks to employee awareness; anti-phishing campaigns; email and web security solutions; next-gen antivirus solutions and overall technology hardening. It is important to note that the FSI still remains a target despite the measures in place and other sectors in the economy however need to step up to ensure security. 2019 will witness sophisticated phishing attacks with social engineering-themed messages targeting all sectors. Phishers will look for mechanisms to exploit new technological updates/innovation. Organisations must continue to invest in user awareness campaigns in order to stay ahead of phishing attacks.
6) Integrated Compliance with Cyber Security regulations
In January 2018, we predicted that Cyber Security regulations would play a key role in Nigeria. With the CBN Cyber Security Framework, cybersecurity regulations have become a major driver for security especially within Banks and Payment Service Providers (PSPs). In 2019, financial institutions and PSPs will develop strategies around Cyber Security and begin to explore the adoption of Integrated Compliance and Risk Management (ICRM) techniques to reduce the cost and effort of compliance.
Other regulators would also release cybersecurity requirements for companies in their purview. Regulators will also be more decisive about Cryptocurrency, the GDPR and the application of Blockchain technology. All of these will further improve compliance to standards in relation to cybersecurity.
7) Increased demand for cyber-security professionals
According to the World Economic Forum, Cybersecurity along with Artificial Intelligence (AI) and Data Analytics now offers great career opportunities to professionals. More stringent regulation will see an increased demand for cybersecurity professionals in Nigeria. This is good news for security professionals. In addition, the emigration of skilled professionals to other countries would cause a short-term scarcity in the system. However, the growing interest in Cybersecurity by young professionals will ensure competent resources are available in the medium to long term. Countries around the world will also receive cybersecurity services from Nigeria.
8) Local and International Cooperation on Cyber Awareness
Cyber-attacks and data breaches are on the rise globally and have become a big challenge for many organisations. More worrisome is the similarity in the attack methods. Nigerian Organisations need to actively report Cyber breaches to the appropriate government agencies to create learning opportunities for other companies. Proactive cyber awareness and intelligence sharing about attacks help in building cyber resilience across organisations participating within a given trust community.
We will witness more collaboration in 2019 among organisations in several sectors of the economy as regards sharing of cyber intelligence. There will also be collaboration among countries and government agencies in setting up intelligence sharing mechanisms for organisations in their jurisdiction.
Conclusion
While we focused on some top events that are likely to happen in 2019, we must not forget to prepare ourselves for the common and go-to attacks by cybercriminals, attacks such as Denial-of-service (DOS) attacks, Man-in-the-middle (MITM) attacks, password attacks and so on.
Multiple layers of security controls should be implemented within our environment to provide redundancy in the event of a security breach and we should educate users on their responsibilities to help protect the confidentiality, integrity and availability of their organisation’s information.
We wish you a Cyber Secure 2019!
Written by: Tope Aladenusi, Head, Cyber Risk Services at Deloitte Nigeria. He leads the largest team of information security consultants in Nigeria. Tope has significant security consulting, project management and auditing experience and has served several organizations in Nigeria, Togo, Ghana, South Africa, Cameroon and UK.
