The rising cyberattacks in Nigeria have caused more economic, social and cultural harms than good.
Nigeria loses about $500m yearly to cybercrime, according to the Nigerian Communications Commission.
This accounts for 0.08 per cent of the country’s Gross Domestic Product. This year, the NCC, through the Nigerian Computer Emergency Response Team and Computer Security Incident Response Team, alerted Nigerians to numerous cyberattacks happening across the country.
The attacks have ranged from those targeting businesses to individuals and bank accounts. Phones and computers have been intended targets. Each new threat alert has shown a significant growth in the sophistication of cybercriminals.
From only targeting bank details, cybercriminals have been emboldened to target and steal cars.
In an advisory on car hacking, the NCC said, “Multiple researchers disclosed a vulnerability, which is said to be used by a nearby attacker to unlock some Honda and Acura car models and start their engines wirelessly.
“The attack consists of a threat actor capturing the radio frequency signals sent from your key fob to the car and resending these signals to take control of your car’s remote keyless entry system.”
According to experts in the cybersecurity space, cybercrime was growing like wildfire while measures to curtail it had failed to ignite a spark.
They stated that cyberattacks were not discriminatory as they affected both rich and poor, old and young.
The Chief Technology Officer, NJALO.NG, Chukwuemeka Orjiani, said the nation’s cybersecurity space had not been taken seriously prior to now, arguing that this was why the threat festered.
He stated, “The nation’s cybersecurity hasn’t really been taken seriously. The truth is that our people have not found it a very serious thing because this is a new threat — Internet security.
“But the fact is every day, people lose their assets online. People lose money, and passwords get hacked. People lose their information online too. On a daily, people are hit, and companies are hit.”
He added that the level of sophistication of cybercriminals was levelling up as cyberattacks were becoming harder to spot. According to him, information regarding cyber threats was still scarce.
Orjiani further said, “The funny thing is cyberattacks do not discriminate. A cyberattack can affect very poor homes as well as rich ones. These guys can mine people’s data, get it, and clear accounts.
“People are not well informed on these issues. Social engineering is a major vulnerability hackers prey on. They prey on the intelligence of people.”
Recently, suspected Russian attackers hacked Bet9ja, locking out for customers of the firm from their accounts. While the firm was able to get back its website after a while, many more companies are faced with cyberattacks daily and can do little or nothing about it.
According to a recent Check Point Research’s Threat Intelligence Report, Nigerian businesses experienced 2,308 attacks across all industries sectors weekly.
The report stated that over a six-month period, 62 per cent of Nigeria’s businesses fell victim to Remote Code Execution attacks which allowed cybercriminals to gain remote control of devices and the private data stored on them.
It added that email was recorded as the origin point for 60 per cent of cyberattacks over a time period of time as it functioned as a vector for the delivery of malicious files.
The report projected that 2022 would see an increase in the weaponization of deepfake technologies by cybercriminals to create fake news campaigns as part of phishing attacks.
A report by Sophos, a United Kingdom-based cybersecurity solutions firm, said 71 per cent of Nigerian organisations were hit by ransomware attacks in 2021.
It added that 44 per cent of the affected firms paid ransoms to get their data back.
It said, “The main findings of the State of Ransomware 2022 global survey from the Nigerian respondents, which covers ransomware incidents experienced during 2021, as well as related cyber insurance issues, include:
“More victims are paying the ransom — In 2021, 44 per cent of organisations that had data encrypted in a ransomware attack paid the ransom.”
The report stated that the firms paid at least $3.43m in ransom and that it took an average of one month for them to recover from the damage and disruption caused by the attacks. It added that 97 per cent of organisations disclosed that the attacks impacted their ability to operate, while 96 per cent of the victims said they lost business and revenue due to the attack.
According to Deloitte’s ‘Nigeria Cybersecurity Outlook 2022 (January 2022),’ Nigeria was ranked 16th among countries mostly affected by Internet crime in 2020, according to the Federal Bureau of Investigation.
It said, “It is no longer news that cybercrime is increasing in Nigeria, even though some of these crimes go unreported. Nigeria was ranked 16th among the countries most affected by internet crime in the world in 2020, according to the FBI in its 2020 internet crime report.
“These crimes come with associated costs to organisations. In 2021, the Special Fraud Unit of the Nigerian Police Force arrested a man for allegedly hacking into the server of a Nigerian bank to steal N1.87bn.”
It added that cyberattacks were becoming more sophisticated, and organisations were struggling to keep up. According to it, cybercriminals now used Artificial Intelligence and Machine Learning to break through organisations’ defences.
The Founder, e86 Limited, OluGbenga Odeyemi, said organisations in the nation were covering up their cyberattacks and trying to sweep them under the carpet in an attempt not to negatively impact customer and investor confidence.
According to him, it was hard to accurately estimate the economic cost of the attacks because of their underreporting. He stated that according to the NSA, the annual losses to cybercrime were estimated at N127bn in 2017 and $649m in 2019 per a report by Serianu.
He said, “Most organisations simply cover up the mess and move on. This is done to ensure they do not negatively impact the confidence they have gained with their customers and within their market.
“I also think most organisations do this to cover up their own inefficiencies, especially those who have not invested in the security of their infrastructure.”
According to him, Nigeria’s cyberspace was improving, although it needed more professionals and awareness. He stated that COVID-19 didn’t necessarily increase the level of sophistication of cyberattacks as believed in many quarters.
He added, “However, with more businesses bringing their operations online, it is expected that the rate at which businesses are attacked will increase.
“The most fundamental element of a successful cyberattack is information. Random attacks are mostly used to gather information about targets. This is why social engineering is one of the most potent techniques of hacking.
“Once the attacker has been able to gain enough information, the attack can become more targeted.”
The ‘CyberCrime (Prohibition, Prevention, etc) Act 2015’ offers an effective, unified, and comprehensive legal, regulatory, and institutional framework for the prohibition, prevention, detection, prosecution, and punishment of cybercrimes in Nigeria.
Part of the objective of the act is to“ensure the protection of critical national information infrastructure; and promote cyber security and the protection of computer systems and networks, electronic communications, data and computer programs, intellectual property and privacy rights.”
According to Chairman, Mobile Software Solution, and a cyber solutions expert, Chris Uwaje, there were a lot of policy issues hampering cyber security in the nation. He added that the nation’s reliance on proprietary software was also limiting its ability to tackle cyberattacks.
He said, “There is also a lot of policy issues we need to look at. We have a cyber security agency in Nigeria, but the question is, why they are not able to govern that space?
“Many factors are responsible for that inability. One, Nigeria is more or less overwhelmingly engaged in the acquisition of proprietary software and this software is, most of the time, mastered by the man in the middle externally and the man in the middle internally.
“If you look at most of the servers that have been hacked, the majority are proprietary. But open source has been, sort of, rugged because software derives its wellbeing and wherewithal from unique root platforms apart from Microsoft that has really twisted some things.”
Uwaje stated that this was not peculiar to Nigeria. He explained that cyberattacks were usually initiated by the man in the middle who was the havoc originator.
According to him, the man in the middle was majorly externalised as a factor but there was a need to explore the internalised man in the middle, the insider. He said the insider perpetuated about 72 per cent of attacks.
He stated that there were close to about half a million cyber threats simultaneously happening around the world per minute and people that were not up-to-date and did not have the commensurate tools automatically became soft spots.
He added the nation needed an institute for cybersecurity research because these threats were haunting everyone. He said there was a need to be miles ahead of the intruders and the way to do this was to have a good research platform.
Uwaje further said, “The EU has been trying to reduce cyberattacks. And one of the ways they’ve been doing this is to ensure that all government platforms operate on open-source software, not proprietary. And this is working for them.
“Cyberattacks are usually random. Nigeria is vulnerable because we are still engaged within the IPV4 domain name. The world is moving to IPV6, the vulnerability of IPV4 is that sometimes when an attack comes in, you are not sure of the source because the addresses can be split to the power of 4, 8, 16, and more.
“The same IP is working. If that IP is domiciled probably in Nigeria, someone in Mexico can use it to hack into the Nigerian environment. We need to migrate to IPV6. The US has given all its company a deadline of 2025 to migrate. The IPV4 has gradually been exhausted in terms of the Internet address layer.”
According to him, there was not much difference between computers and smartphones presently as people could access emails and documents on both. He stated that mobile phones were becoming stronger than computers and could intrude into servers.
He added that there was also a need for a national registry where people and organisations could report cyberattacks.
The National Information Technology Development Agency and the NCC have cyber security arms, amongst others. On its website, NITDA explains that its cybersecurity department was established as a proactive response to cyber incidences and breaches suffered by multinationals and nation-states culminating in monumental financial losses, and reputation, with the attendant implications for business continuity.
Recently, NITDA announced a partnership with MasterCard to train the ecosystem on Cyber Security and Data Protection.
The increasing digitisation of Nigeria is helping the nation’s economy scale and grow tremendously, but it is also leading to an increase in the number of cyberattacks in the nation.
Digitisation comes bearing good and bad fruits — the onus is on the farmer to know how and when to prune the bad fruits.