Danjuma Atta: Prepare; the hackers are coming
If cybersecurity is not at the top of your corporate agenda, then it should be. This year alone, organizations in both public and private sectors have lost enormous amounts to cybercriminals, whether publicized or hushed. Just this week, news broke that up to 1500 businesses in the US suffered a combination supply chain and ransomware attack.
Quomodo Social sat down with Danjuma Atta, our country manager and all-around IT guru, to give us a historical overview of cybersecurity and address some of the matters arising.
QS: Where would you say we are today in the cybersecurity conversation, especially in the light of accelerated adoption of digital owing to Covid-19?
Danjuma: Basically, the cybersecurity conversation is as old as technology, and concerns the threats envisaged when people adopt technology. We had this joke back in the day when Microsoft released Windows. We said it was called Windows by design because when thieves want to come into your house, they most often come through the window. Windows essentially accelerated cyber threats because it accelerated the adoption of technology. Windows was great but at the same encouraged shady people to invest in trying to gain an illicit advantage on you.
In Nigeria, cybersecurity conversations were not very mature but for one or two sectors of the economy. The banking sector, for example, because of the competitive landscape and the early adoption of cutting-edge tech to drive business, was operating at a level above others. The banks also needed to protect customers’ money.
Now, in other sectors (for example, the public sector), the conversation was pretty immature. Technology was seen as a mundane tool to drive some activities but not on a large scale. Therefore, threats inherent in adopting that technology were never really considered and investments didn’t go beyond having a data centre or firewall.
But with the advent of the pandemic, it became apparent that we have to adopt new ways of working. With growing cyberactivity, cybercriminals saw an opportunity to cash in and chase data from government and other organizations that had not adopted an adequate cybersecurity posture.
QS: Let’s localize the conversation to Nigeria. You’ve seen many threats in your experience. How does one begin to mitigate these threats? Does everything have to be remedial or do we have to build proactive measures?
Danjuma: Okay, so in Nigeria, we’re not so different from the global community. As I said initially, the adoption of technology was generally weak. Then the pandemic came and there was a rush to adopt digital tools because suddenly, people couldn’t work without them as we were all stuck at home. Naturally, threats began to emerge.
Very mature organizations have significant investments in cybersecurity. In the financial sector, organizations made in 2020 alone four times the investment they made in 2019. Investments are being made in continuous attack simulation tools which helps them simulate attacks that could happen after making significant investments in tools that will support or protect them. They also go a step further to pretend to hack into their own system. So doing that periodically gives them insights into how much vulnerability they have, how many risks they are able to contain or manage over time.
Some hire white hat hackers internally. Some have cybersecurity operating centres both to prevent and manage threats. Some hire third-party firms to provide security coverage. Such third-party firms engage in activities like monitor your cyber traffic and the dark web to alert you about upcoming threats to your platform or data.
Then you have original equipment suppliers who are acknowledging that their products may contain vulnerabilities and starting to supply regular patches.
QS: What is the place of communication in cybersecurity strategy? Some people may take the view that people don’t need to know but that’s not healthy in the long term and doesn’t help to improve the cyber-maturity of the general populace.
Danjuma: Yeah our major weaknesses include the absence of communication and the information flow like you said. It’s not very helpful that some organizations try to hide the extent of breaches from their customers. In the long run, it can only serve to cause suspicion and mistrust. People are only beginning to realize the kinds of information carried in their SIM cards, for example. That’s a failure of communication.
At the individual level, people tend to take the “God forbid” attitude to cybersecurity and that’s not helpful at all. We seem to think only big companies, foreigners, or rich individuals are targeted but nothing could be farther from the truth. We take warnings on phishing attacks for granted and practice poor password hygiene. Some people have had the same password for 20 years for example; that’s a recipe for disaster.
QS: So, our, final question will be about policy standpoints. Where should we be, you know, in terms of driving policy towards improving cybersecurity?
Danjuma: So it’s a case of maturity really. In the government space, technology adoption is weak but when it comes to policy conversations, I think the government has taken the right steps. We have the National Cybersecurity Policy. We’ve got the cybersecurity desk at the Office of the National Security Adviser. We also have the Ministry of Communications and Digital Economy, and initiatives from agencies like NITDA that are pushing action on cybersecurity.
In fact, there’s a level of encouragement from the government on how we can plan a cybersecurity strategy complete with homegrown tools. This achieves two things: catalyzes Nigerian innovation and relieves the huge pressure on the economy from the huge amounts spent on foreign cybersecurity tools. If the banks spent in 2020 four times what they spent in 2019 to procure safeguards, you can imagine what that has meant for the economy.
Government has learned quickly the need to adopt an adequate cybersecurity posture because it has also been the victim of attacks. The same wait-and-see attitude taken with the adoption of technology cannot work here because incalculable damage may have been done already.
QS: Alright. Thank you, Danjuma. We’ll pick up this conversation later.
Danjuma: Thank you.
