Toluwanimi Banji-Idowu is a cybersecurity engineer, SDG 4 and 9 supporter and Associate Systems Engineer with Trend Micro, a tech company. In this interview with ADEYEMI ADEPETUN, he spoke on what is fuelling the rise in cybercrimes and the potential danger for the Nigerian economy, among other germane issues.
There has been an upsurge in cyber attacks since the beginning of the year. What are the factors fuelling this menace?
First of all, I think we all need to know that people are the weakest link in cyber security, in the sense that you need to create cyber security awareness, training and programmes for individuals because before someone could gain access to your network or your mobile phone or any device, basically, it could be as simple as clicking on the link of an email. So, I think businesses and organisations shouldn’t joke with awareness.
People need to know that if you compromise certain things, some things are bound to happen. As simple as it sounds, people should be conscious about whatever links they click in an email, calls they respond to and information divulged.
Those minor things can actually help to avoid things getting out of proportion in terms of cyber attacks. I think policy around cyber crimes should be vital and taken seriously. Businesses and organisations should also comply with ISO standards, not just have the certifications. They need to ensure that after they meet the standards, they keep to those standards.
In addition, attacks that happen in companies start with people. So, it’s high time that we recognised that we are responsible for cybersecurity. We are responsible for our own security. Most times, it is not the responsibility of the company nor is it the responsibility of the cybersecurity vendor, but our responsibility. Cybersecurity starts with you by taking simple and small steps to be secure.
The world is losing greatly to cybercriminals. Can we put a figure to how much Nigeria is losing yearly?
I think as of 2015, news had it that Nigeria was losing about N127 billion yearly. I think the figure was actually from the Federal Government. I want to believe the figure must have increased by now.
To be frank, the challenge here is that companies and businesses don’t come out to say that they have been breached or they suffered a ransomware attack, so, it might be difficult to know how much the figure is now. This is where awareness comes into place and security too. We need to push for more security in terms of solutions that we have deployed in different organisations.
Can we say the Cybercrime Act 2015 has been punitive enough?
I doubt if it has been punitive. Between 2015 and now, so many things have changed in the online space. I don’t think the Act has been reviewed since 2015. And a lot has come into play between now and then, which ordinarily should have necessitated a review of the Act to accommodate new things.
Take for instance, as a result of COVID-19, so many people went remote and lots of things went into the online space. So, I think the Cybercrime Act 2015 should be reviewed urgently because of the new events around us. So many things are evolving regularly.
Because of the way things are fast evolving, we need to have a framework in place whereby these policies are reviewed regularly and new things are added as threat actors build up. Also, I think I haven’t really seen in the news where punitive measures have been taken as regards the Act.
I think the government also needs to put more effort into actually abiding by the punishments that they set aside for people that are caught to serve as deterrents to would-be offenders.
Also, I feel plea bargains should not be so lenient; criminals plead guilty and then receive a lesser punishment or fine. We need to look into that seriously as a country. Punishment should be put in place that would discourage other people from doing such and not make it seem like I could take the risk and when I am caught, I can opt for a plea bargain. The punishment should not be lenient and it should be in a way that would highly discourage other people from participating in cyber crimes.
What is the CPITS by Trend Micro programme about and its benefits?
The programme is basically a certification programme in IT security that equips young graduates or graduates of computer-related courses or people that have a background in computer-related courses or in cybersecurity.
Basically, with this programme, you are equipped with everything you need to know to be a cybersecurity or IT security professional. You are trained on network security, data security, cloud security, and everything else you need to know. So, the programme is for nine weeks and right now it is open to people in Nigeria, Kenya, South Africa, Ethiopia and Mauritius.
People are trained technically, and once you’re done, you become Trend Micro Certified and that allows you to go into the market space with not just the fundamentals of cyber security and computer networking, but also trademark certification.
You know there is a very huge cyber security gap in terms of talent. So, the programme basically trains individuals on how they can be cyber security-conscious, educators and technical professionals. The need for cyber security professionals is very huge in the market; there are serious demands for them. With this certification, such a person can fill the space and impact Nigeria positively.
At a virtual cybercrime forum in September organised by the U.S. Press Council, there was a claim that Nigeria and others face state-sponsored cyber attacks. What is your take on this?
I think that state-sponsored attacks happen in different countries and across different regions of the world. It is not something that we in Africa are protected against, especially in countries that have weak cybersecurity profiles.
State-sponsored attacks are launched, most times to gain access to secret political powers and control as it were. It has happened many times and to different countries, in different regions. I don’t think our focus should be if it’s going to happen or not. I think our focus should be on what are we putting in place to help us mitigate this if it happens to reduce the impact.
So, how are we protecting ourselves as a government or as a country? How are we protecting ourselves? How is the government protecting itself? What have they put in place to reduce the impact? So for me, the focus should be what we have on the ground to protect us because these things do happen. It could happen any day, any time. It happens in different countries, and different regions. So, our focus should be on how we are protecting ourselves against this.
I think in 2017, there was a North Korean attack on Nigerian banks and I think 17 other countries were also attacked. The motive was to get money for whatever they were planning at that time. And also, there was this Black Hat Group from Russia, they unleashed ransomware and they demanded money from their prey.
Businesses, across different sectors, be it a bank, transport, health and the country as a whole, should adequately prepare because lately, machines and computers have become major hardware that we use and they are vulnerable. We need to be proactive about some of these things.
From which regions are these attacks coming?
I think from a technical point of view, attacks are actually coming from abroad largely. Attacks can be traced through their IP address. We have a team at Trend Micro that analyse, perform incident response and break down these things. So, one is able to detect where the attacks are coming from, how the attacks are even planned from the propagation method and things like that.
And I think one helpful platform that you can leverage is the MITRE ATT&CK Framework. You can see the various types of attacks that have happened over time and the APTs that have been attacked, also the procedures, techniques and others.
Since the beginning of the year, the Nigerian Communications Commission has issued about nine alerts, warning people to be careful of these hackers. What can Nigerians do as a stopgap for all these attacks?
Some of these measures are what we have been mentioning since we started. There must be cyber security measures by all.
So, first of all, is being aware of what you can do and of what you are exposed to. I think companies should try and educate their employees. Individuals should educate themselves on how they are exposed and then put in place cyber security measures. Even the simplest things like using strong passwords, not sharing your passwords, and not writing them down somewhere for people to have easy access to, could help significantly. There should be multi-factor authentication on applications, using antivirus, patching, upgrading your app, as well as being conversant with updates in your apps. Organisations as well should protect the applications they use.