– The importance of getting cyber security for your business
– Different ways to secure your business space, even as an SME
Deloitte, a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax, and related services, has revealed the outlook for Nigeria’s cyber security space in 2021.
In a report recently released by the organization, it revealed that some events are expected to occur in Nigeria in 2021 regarding cyber security, given the prevailing trends in social, economic and political events around the world.
One of the trends noted by Deloitte is the sharp rise in ‘fake news’ and misinformation used by ‘mischievous people’ who, in a bid to change narratives and social positions, run deliberate campaigns of misinformation and ‘fake news’ using untrue or altered content, including videos and photos.
Another trend is ‘Deep Fakes’, a novel and more sophisticated digital threat that might prove more challenging to stop.
Deep Fakes are hyper-realistic, manipulated digital elements such as sounds, videos, and photos generated using artificial intelligence and machine learning tools and algorithms. In other words, they are unreal digital representations with the aim of looking and sounding as real as possible.
In 2021, Deloitte says it envisages a possible rise in deep fakes within the Nigerian cyberspace.
“It will become imperative to verify the legitimacy of different types of media online, especially during social, political and economic discourse. Therefore, it becomes increasingly important that the public remains cautious about content online and try to verify using different tools at disposal,” it stated.
Another cybercrime is ‘Man at Both Ends’, also known as Business Email Compromise (BEC), which is not new in Nigeria.
BEC is expected to grow in sophistication and complexity as attackers are getting more creative and patient with their schemes and methods.
Explaining how BEC works, it stated, “This shift in technique, especially in sectors reliant on third party vendors and suppliers, takes the Man-in-the-middle attack pattern a step further by compromising both the victim organisation (customer) and a legitimate third-party/supplier’s email infrastructure.
“By so doing, the attacker has visibility and control over the flow of information and only needs to alter the payment details of either party.
“Hence, at both ends; you have an attacker manipulating the flow of information eventually resulting in payment being made into wrong accounts. We expect many more of this kind of sophisticated ‘Man at Both Ends’ attacks launched against large organisations and SMEs in 2021.”
Businesses are therefore advised to ensure that appropriate email security controls, such as multi-factor authentication and strong password policies, are in place.
Employee awareness of social engineering (the non-technical tactics hackers use to obtain sensitive information) should also be refreshed periodically.
“It is important to stress that the attack’s success may largely depend on the weakness in controls around payment authentication, verification and authorisation within the Organisation. Therefore, it is necessary to have strong processes and mechanisms in place and strictly adhere to them,” it advised.
However, with the expected increase in cybercrime in the country and the world at large, Deloitte has recommended feasible solutions and outlooks to help overcome this oncoming surge. These include:
More tools, more skills, more ground to play
In the last quarter of 2020, Deloitte says it noted some unprecedented and significant cyber-attacks against major cyber security and technology firms, including FireEye and SolarWinds.
According to Deloitte, these attacks were attributed mainly to certain nation-state actors and Advanced Persistent Threat (APT) groups.
These waves of attacks resulted in the theft of proprietary, internal and unreleased security tools as well as the breach of the SolarWinds security monitoring product through the exploitation of a backdoor written in the code.
The full effect of these attacks is yet to be seen, and some of these tools and exploits are expected to start emerging soon in forums on the dark web and eventually in the ‘wild’.
In addition, it noted that attackers are getting creative and audacious, and so more daring attacks on cyber security service/solutions providers and tech organisations should be expected irrespective of their prowess.
Signature-based antivirus will go extinct in many organisations.
Defensive capabilities are moving away from rule-based and signature-based products to products driven by machine learning and artificial intelligence.
Signature-based products, especially anti-malware, are playing catch-up, given the number of new malware strains and the adaptive nature of new malware.
More organisations are expected to recognize this challenge and move away from signature-based products to embrace products that offer machine learning and artificial intelligence capabilities.
Many of the popular antivirus companies are now providing AI-based antivirus solutions.
The spotlight will be on Nigeria
As a result of the #ENDSARS protests and the involvement of several hacktivist groups, which led to a wave of attacks on government, private and public web infrastructure, the spotlight may now shift to Nigerian companies, as attackers may see them as easier targets.
Government and public institutions are likely to face data leaks and sensitive information breaches motivated by local and foreign groups.
However, on the flip side, we are likely to see international donor agencies increase financial support towards cyber security awareness.
The eventual death of single passwords
With many organisations still maintaining their Work From Home (WFH) directives, it becomes necessary for users to access corporate environments remotely. This brings a myriad of security challenges for organisations in terms of protecting and ensuring secure access to resources remotely.
Many studies have shown that about 80% of data breaches were caused by compromised, weak, and reused passwords.
Evidently, using passwords alone has its weaknesses. As long as they are meant to be remembered, they are predictable.
The use of passwords is expected to die off completely in the near future, as 2021 will see many organisations enforcing different types of multi-factor authentication mechanisms for all of their users irrespective of their privileges.
There will also be increased adoption of the zero trust architecture to combat remote working threats. This trend started a few years ago, and more adoption will be seen in 2021.
Phishing attacks will still reign; they will be bigger, better and bolder
In 2020, Google reported about 46,000 phishing websites created every week, representing a 20% rise over the number of phishing websites created in 2019. There is no doubt that the pandemic motivated and presented fraud opportunities to many malicious persons.
In 2021, with the pandemic entering its second wave in several countries and vaccines increasingly available, phishing schemes are expected to get more daring and take advantage of the social and economic conditions.
Back to the drawing board
Businesses will have to rebuild their security strategy and architecture to accommodate the new normal (i.e. remote working).
Before now, several organisations’ security architecture was built around having users in a controlled physical environment using tools that have been configured by the organisation.
However, this architecture will have to change given that a majority of the workforce are working from “unsecure” remote locations and using devices that may be below the security standards of the organisation.
“We will also see organisations build strategies geared explicitly towards circumstances like pandemics and how businesses can sustain their operations without compromise during times like this.
“We will see more Business continuity plans with strategies to cope with unusual circumstances, remote working plans that are security intensive among other plans and strategies,” it stated.
Cybersecurity will become imperative for business survival
Just a couple of years ago, only large organisations had good cybersecurity programs as they felt they were visible to attackers.
Many SMEs were not paying attention to security, probably because they believed they had little to no attack surface and visibility.
However, recent times have shown that this is not the case as SMEs are continuously being attacked.
Several SMEs also have minimal capacity to detect, prevent or respond to these attacks appropriately. This trend is unlikely to stop as attackers now see many SMEs as easier targets due to their unwillingness to invest in security.
In 2021, many SMEs are expected to improve their cybersecurity programs and increase their security budgets to enhance cyber resilience and protection.
“We also expect to see an upsurge in the number of security professionals in 2021, and they will be moved from the background to being trusted allies from planning to execution. We may even see organisations having security professionals as part of their board and executives,” it observed.
There will be more regulations around Cybersecurity and Data Privacy/protection
Over the past two years, many businesses in Nigeria have implemented the Nigerian Data Privacy Regulation (NDPR).
As the number of attacks increases and data leaks and breaches occur, there will likely be more stringent cybersecurity regulations and enforcement around the security safeguards put in place by businesses, especially those within data-sensitive sectors.
In 2020, Deloitte says it saw a lot of discourse around the Social Media bill. The Government explored different avenues to regulate social media, mainly due to misinformation concerns, especially during the #EndSARS protests.
While this came with much resistance, more discourse is expected around social media regulations and perhaps some semblance of a government regulation to address the different concerns.
In conclusion, it stated that 2021 will prove to be a very interesting year for the economy, health and business, and cybersecurity will not be left out.
“Last year showed us that security will always be a major concern irrespective of seemingly tough times as attackers are always looking for an avenue to exploit security weaknesses and profit off them.
“An introspection into the lessons and events in the past will help us develop foresight and adequately prepare as we progress in the New Year,” it stated.
However, businesses need to focus on beefing up their cybersecurity programs, implementing initiatives to continuously monitor internal people and system activities, proactively managing vulnerabilities and risks, testing incident response and business continuity plans, and assuming a position of being already breached.
Most times, all it takes is just one successful entry by the attackers; hence businesses cannot afford to be lax about their security.