The increasing threat of cybersecurity breaches is becoming a major concern for many Nigerians, with hackers targeting banks and organizations to steal vast sums of money and sensitive data.
A data breach refers to a security incident in which confidential or protected data is copied, transmitted, viewed, or stolen by unauthorized individuals.
These breaches are becoming more sophisticated, with threat actors employing malicious methods to compromise the data security of key organizations.
The breaches often involve large-scale data exfiltration and cross-platform compromises across interconnected systems.
One of the most alarming recent cases reportedly occurred at the Corporate Affairs Commission (CAC), where approximately 25 million documents were stolen from the Commission’s database. This breach has raised serious concerns about the vulnerability of government systems to cyber threats.
Earlier in April, the Nigeria Data Protection Commission (NDPC) launched an investigation into alleged breaches involving Remita Payment Services and Sterling Bank. Reports suggested that a hacker had accessed extensive datasets, including sensitive financial records, identity documents, and internal system data.
In March, First City Monument Bank (FCMB) fell victim to a large-scale cyber fraud operation, initially aimed at stealing over N3 billion. Although preventive measures were taken, fraudsters succeeded in transferring N677 million before the bank’s systems detected and halted further attacks.
These cybersecurity concerns have also extended to other digital platforms. In February, the NDPC initiated an investigation into the e-commerce platform Temu over the mishandling of personal data belonging to approximately 12.7 million Nigerians.
This investigation highlights the growing scrutiny of digital platforms and their responsibility to secure user data.
In this interview with Nairametrics, Adedoyin Adedeji, an IT consultant and Managing Partner at BlueRave Ltd, discussed the rising threat of cyber fraud and data breaches in Nigeria, and the urgent need for organizations to adopt stronger security measures and stay ahead of evolving cyber threats.
Nairametrics: From your perspective as a professional, what do these incidents reveal about the current state of cybersecurity readiness in Nigeria’s public institutions?
Adedoyin Adedeji: I feel that we have a long way to go. There are numerous government platforms that offer services to citizens, and most of the time, we do not conduct enough due diligence on the part of both citizens and the government to ensure that whatever we are doing is secure enough, especially from the government’s perspective.
A lot of the time, when some of these platforms were built, there should usually be a chain of review of government platforms. Usually, what should be the standard is that if you build a platform, before it goes out there to the public, there should be checks and balances from a third-party agency like NITDA to do a review, a threat assessment, a penetration assessment and be sure that everything is in place before going ahead.
But most times, what we have is government agencies working with a third-party service provider, likely in the private sector, to build those platforms. They build the platforms, and most times they just deploy. There are no checks and balances to look at what this set of people has done.
Nairametrics: How can this be well-managed?
Adedoyin Adedeji: First, we really need to improve our cybersecurity awareness and proactiveness, which needs to be better than what we have at the moment.
What I would suggest as a way forward would be to fully implement what they started, which is that every government website or every government online service should go through a security audit, through a third-party government agent.
And then have like a security certification that, yes, we’ve gone through this thing. And yes, we can certify that this platform meets the minimum standard the government would require for every platform that is interfacing and collecting citizen information.
So even if there’s a breach tomorrow, then we can hold whoever provided or whoever gave that certification accountable because most of the breaches are due to negligence and lack of oversight.
Nairametrics: After an incident of data breach, what should agencies do to restore trust and confidence from the public?
Adedoyin Adedeji: I think that falls under the purview of the Federal Ministry of Innovation, Science and Technology. They are the ones that need to come out because this is their domain, their territory, because when a banking breach happened recently, I remember the minister saying something about trying to put some policies in place in conjunction with the CBN, which is good.
But I think we need to do more. The ministry and the Office of the National Security Adviser need to come together to create a stronger cybersecurity framework for the government and set minimum standards.
And let that standard be known to everybody, so any vendor that is building anything for the government can follow through those guidelines. If there’s a strict guideline of what you need to do if you are building a platform for government, and this kind of breach happens, you can hold the third-party vendor accountable. Even if it’s built internally, you can hold all the development team accountable, because we can’t build confidence if there’s no accountability.
Nairametrics: We have seen cyber fraud against banks and banks losing billions of Naira. Why is the banking sector porous?
Adedoyin Adedeji: I think it goes back to what we discussed earlier, which is a lack of accountability in the sense that up until now, Nigeria has not really dealt with sophisticated threat actors. Most of the actors we’ve dealt with are threat actors that likely use social engineering to try to get information from citizens, like bank customers, to steal money from their accounts.
But now we are dealing with threat actors that are finding it harder to get audiences in other places. And they’re like, okay, I think we can try maybe Nigeria. Nigeria is a big country, they are rich, and let’s see what we can find.
And then they start scanning through the banks and everything, and they realize that, oh, their security is not that tight. They start looking for loopholes. So a lot of the time, what we have is that most of these banks rely on third-party services to scan through their network for cybersecurity threats.
For me, I still don’t feel that banks think that security is hard enough. But you need an in-house team that continuously monitors and reviews activities that are happening on your platform against all these threats. And so if you have those things, then some of these things might be mitigated.
