The average Nigerian is used to the tedious task of registering for digital services. The amount of information and data that is first collected is rich - our banks and cell phone service providers know our names, date of birth, address, how much we earn and even what we spend our money on. We routinely save our bank card details on company websites, and a lot of people reuse the same password across multiple sites. For most, giving up this information is just a necessary hurdle to overcome before they get the utility of a service.
Few people question what happens to the data and the chances of it being stolen. Consumers are interested in getting service and see giving out data as a hurdle to overcome - that's fair enough. However, the data collectors don't always treat this data with the right amount of care. The conversation around data protection has yet to be fully had.
Data is the new oil - we’ve heard it time and again. If past experiences teach us anything, we should ensure Nigeria learns proper management of its new “oil”. Cyber experts, the people who deal with data security, are certain that cyber incidents will continue to occur. Having a plan to stop attacks and knowing how to respond to them will determine how well we score with managing our new resource.
Cyber incidents can involve a permanent loss of resources such as data, money or servers. They can be malicious, like hackers targeting one of the largest credit agencies in the world to steal millions of personal records, or an honest mistake, like sending sensitive medical information to the wrong person.
However, combating data incidents requires knowledge of what data has been stolen, and by whom. It is with this information that businesses and customers can react to protect themselves.
It's hard to find any reports of cyberattacks in the Nigerian media. But that absence is a poor gauge of the actual loss of information, given that companies are not mandated to report when they lose customer information.
How bad are cyber incidents in Nigeria?
It turns out that Nigeria is one of the world's most vulnerable countries to cyber attacks - 16th worst in the world in 2016, an improvement from 2nd the year before. In 2018 alone, about 60% of Nigerian firms suffered an attack, and we spent about $270 million on cybersecurity.
So Nigerian firms are being attacked, but no one is reporting what is stolen.
Despite spending good money on cybersecurity, Nigerian companies reportedly lost “billions” of naira to cyber attacks in 2018. Even the NCC lamented that cyber-attacks are one of the biggest headaches of the telecommunications industry.
The puzzle, though, is that Nigerian firms spend in line with the global average relative to GDP, but are far more vulnerable.
So how effective is the money spent?
Spending money effectively would mean gathering data on the most common types of successful cyberattacks and then developing a national, or sector-specific, strategy that would have the greatest impact.
For example, if phishing scams - those fake emails in junk mailboxes - are resulting in huge losses, low-cost targeted education may be the best solution. If some sectors are suffering complex attacks, they will need to develop deep cyber skills and invest in the right software. Without the data on the type of breaches, it's hard to fight against them.
Who suffers when companies don’t report breaches?
Mandatory reporting of data breaches is a critical missing piece in the National Information Technology Development Agency's (NITDA) 2019 Nigeria Data Protection Regulation (NDPR).
As written, the regulation undermines our national cybersecurity strategy: without public information on breaches, neither customers nor other companies can react.
If a hacker steals your data from a bank, they can use your identity to attack you directly, your colleagues or even loved ones. When companies are made to report they have lost your data, you can protect yourself by simply changing passwords and warning relevant people of any potential fraud or impersonation.
Without breach reporting, Nigerian companies cannot learn from the mistakes of their peers. This has led to a divide in cyber preparedness between sectors of the economy. While the maritime, telco and consumer goods sectors struggle with phishing attacks, the financial services industry has made better progress. If breaches are reported, the NITDA can analyse them, discover themes and publicly share findings. This is how the system works in places like the US and the UK.
“In God we trust, everyone else must bring data.”
Our closest African competitors, Kenya and South Africa, also make it compulsory to report data breaches to both affected consumers and the responsible government agency. Unsurprisingly, surveys show citizens of both countries are more concerned about the risks of cybercrime, and both rank higher than Nigeria in the global cybersecurity index.
Nigerian firms do not have the capacity or budget to run a billion-dollar security infrastructure. But without any major adjustments, companies can share information about breaches with government agencies, industry peers and affected customers.
In 2017, the office of the National Security Adviser tasked the NITDA with implementing guidelines and policies for information sharing between the public and private sectors by January 2020. There are still no guidelines for information sharing.
When they come, the guidelines should clearly define how and when data breaches should be reported, such as a timeframe (24-48 hours) for companies to report breaches after identifying them, and the factors that will require a company to notify users. These actions will help create a transparent process for timely intervention to help affected businesses and protect the public.
The Nigerian government has taken small steps concerning reporting. The Nigerian Computer Emergency Response Team (nCert) has developed a form for anyone to report vulnerabilities and incidents. Without making reporting mandatory at some level, we're still only a fraction of the way to the goal. Without reforms, Nigeria's internet will continue to be a vulnerable place.