Concerns over national security are growing as federal and state governments turn to virtual space for meetings.
The worries stem from the porous state of the Nigerian space, which unless it is adequately protected could be breached by cybercriminals desperate to explore loopholes and wreak havoc on unsuspecting individuals.
Governments, business organisations, religious bodies and schools among others have had to work remotely due to the lockdown imposed because of the coronavirus. This has led to the use of technology applications such as Zoom, Microsoft Team, Mixlr, Facebook Messenger and Skype.
Several government meetings, including those of Nigeria’s Federal Executive Council (FEC) chaired by President Muhammadu Buhari, have been held virtually. Church services, business conferences and classroom lectures have been carried out on Zoom, whose market capitalisation is put at $48.78 billion. This amount, according to Visual Capitalist of the USA, exceeds the share of seven global airlines in the last few months.
Experts on information and communications technology (ICT) and the security sector who spoke to The Guardian maintained that more efforts were needed to stop the leaky nature of the country’s online space.
Some funds have already been lost. According to the Nigeria Cybersecurity Report, about $800 million disappeared in 2018. Earlier this year, the Chartered Institute of Forensic and Investigative Professionals of Nigeria (CIFIPN) revealed that in the last 10 years, the country lost about N5.5 trillion to fraud, corruption and cyber crimes.
Breaches are expected to increase significantly as more people work remotely. Already, one of the oldest churches in San Francisco, USA, is suing Zoom Video Communications Inc. after a hacker infiltrated its virtual Bible study session and subjected participants to pornography.
According to the lawsuit filed by Saint Paulus Lutheran Church, hackers took over users’ computers and played “sick and disturbing videos.”The church’s leaders contacted Zoom for help, but the company “did nothing”, the suit claimed.
In a statement, a Zoom spokesperson condemned the “horrific event,” saying: “Our hearts go out to those impacted. On the same day we learned of this incident, we identified the offender, took action to block their access to the platform and reported them to the relevant authorities.”
The company pointed to its “recently updated security features”, adding that Zoom users should not widely share meeting access and passwords “as appeared to be the case” with the church group.
Earlier in the month also, hackers reportedly disrupted a virtual meeting of South African lawmakers, flooding the video call with pornographic images. In the May 7 incident, the hackers hurled racial and sexual insults at the Speaker of the National Assembly, Thandi Modise.
South Africa’s parliament is closed and all its meetings are currently held via video conference calls as the country remains under strict lockdown to combat the spread of the coronavirus.
A shocked Modise said she had earlier warned about using Zoom for the meeting. The session later continued with a different link. At least one other South African parliament video call was also hacked.
The chairman, Mobile Software Solution, Chris Uwaje, noted that there would be a spike in cyber activities, especially crimes. He said there were several imminent security risks attached to some of the apps used in Nigeria, especially as COVID-19 had forced people to work online.
According to him, Nigeria is using external platforms as hosts. Secondly, all the sensitive data and information (oral, text and graphics) are transferred to the cloud.“In doing this, the country loses national Internet Protocol (IP) in the process. Some of the devices used may not be well configured by IT professionals, leaving sensitive ports open for hackers intrusion.”
To urgently curb possible impact, the Mobile Software Solution boss recommended the building of secure national gateways, empowering of data centres to host locally, applying Edge Computing and migrating all national ICT Infrastructure from IPv4 to Internet Protocol Version 6 (IPv6) within the next 18 months.
The Guardian learnt that Nigeria loses about $60 billion (approximately N21.4 trillion) yearly to foreign countries hosting the data and websites of its institutions and businesses.
Asked if there was a national security risk involved in deploying some applications, a security consultant, Dennis Amachree, answered yes and no.
“Yes, because security of information is at risk here. Companies have to spend extra to ensure a secure platform for their employees, using company-issued laptops and Virtual Private Networks (PVN) to work from home. Are their firewalls strong enough to withstand the new breed of hackers and cyber criminals? The leakage of vital information or lack of electricity could hinder the smooth flow of company or government business.
“No, because we are now in the information/cyber age where all partakers will, in no time, adjust to the risks and move on. Being the optimist that I am, I would say it’s not too late to seriously address these issues.”
According to him, cyber criminals are already having a field day, cashing in on the existing opportunity where Nigerians, especially the ones that are not Internet savvy, are scammed of their hard-earned money.
“Our security agencies especially the police have to sharpen their capability in handling cyber crimes. Bank accounts are being emptied. ATM cards are being cloned and the theft of identity is no longer a myth in Nigeria, but a reality. Even in the security world, the revolution is on. We have been talking about the convergence of information technology and security. This is happening at a very fast pace and security professionals have to rebrand themselves to meet this new challenge,” he said.
Chukwuemeka Ani, a cyber security expert and chief technology officer, Njalo.ng, stressed the need for government to put into effective use the Cybersecurity Act 2015 and prosecute anyone found guilty.
“We need to wake up as we move online because the period is coming when someone will wake up one day, and discover that the whole money in his or her account has been wiped away be criminals. It’s the same for information and data. People must be careful.”
The Chief Executive Officer, Jidaw System, Jide Awe, said: “Cyber threats tend to increase with growing digital deployment and adoption. But that shouldn’t deter us from adopting the innovative practices this era demands.
“In a digital world offering a wide range of digital products and services, some are more secure than others. You must, therefore, assess both functionalities for your needs as well as security while choosing digital solutions for virtual activities,” he said.
He added: “Organisers of such meetings should be aware of the threats and put the necessary cyber security measures in place.”
Meanwhile, findings by The Guardian showed that the Federal Government does not use Zoom but rather Microsoft Teams, which is said to be more secure.
The Head, Corporate Affairs and External Relations of the National Information Technology Development Agency (NITDA), Mrs. Hadiza Umar, said the government had earlier warned Nigerians against the use of free conferencing platforms like Zoom and had provided security tips.
“That’s what we can do on our part. It is at an individual’s discretion. Government cannot protect you from such apps. It is free, designed by a company for one’s use with their Ts&Cs. If you want total protection on virtual conferencing, you can use apps like Microsoft Teams which is highly secure,” she said.
Umar also advised Nigerians to protect their data by backing it up and running a regular software update. They should always change the default router password for Wi-fi, review app permissions and delete apps they don’t use
Other steps include securing electronic devices with passwords, PIN or biometric information. Installing anti-virus software on all devices connected to the Internet, choosing strong and different passwords for email and social media accounts and reviewing the privacy settings of social media accounts.
This was as Sophos, a global leader in next-generation cybersecurity, has announced the findings of its global survey, The State of Ransomware 2020, which revealed that paying cybercriminals to restore data encrypted during a ransomware attack is not an easy and inexpensive path to recovery. In fact, the total cost of recovery almost doubles when organisations pay a ransom.
The survey polled 5,000 IT decisionmakers in organisations in 26 countries across six continents, including Europe, the Americas, Asia-Pacific and central Asia, the Middle East, and Africa.
More than half (51 per cent) of organisations had experienced a significant ransomware attack in the previous 12 months, compared to 54 per cent in 2017.
In Nigeria, 53 per cent of the organisations surveyed mentioned a ransomware attack in the last one year. Globally, data was encrypted in nearly three quarters (73 per cent) of attacks that successfully breached an organisation. In Nigeria, it was 74 per cent.
The average cost of addressing the impact of such an attack, including business downtime, lost orders, operational costs, and more, but not including the ransom, was more than $730,000. This average cost rose to $1.4 million, almost twice as much, when organizations paid the ransom.
More than one quarter (27 per cent) of organisations hit by ransomware admitted paying the ransom. The survey also revealed that 38 per cent of the organisations that were attacked in Nigeria admitted to paying the ransom.
The Principal Research Scientist, Sophos, Chester Wisniewski, said organisations might feel intense pressure to pay the ransom to avoid damaging downtime.“On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory.
“Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover. Often, the attackers may share several keys and using them to restore data may be a complex and time-consuming affair.”
He further explained that more than half (56 per cent) of the IT managers surveyed were able to recover their data from backups without paying the ransom, compared to 44 per cent in Nigeria.