Cyber Security In Nigeria’s Financial Sector

Ayotunde Coker

Yemi saka

As Nigerians become more internet savvy, there is a need to create an awareness for cybercrime. Nigeria’s former President Goodluck Jonathan signed the Cybercrime bill into law just two weeks to the end of his tenure. To find out if Nigeria’s Cybercrime Bill will protect the financial sector from attacks, CNBC Africa caught up with Ayotunde Coker, Managing Director at Rack Centre; Niyi Ajao, Executive Director; Technology at the Nigeria Inter-Bank Settlement System (NIBSS) and Yemi Saka, Partner; Advisory Service at Ernst & Young West Africa. 

FAMUREWA: Yemi, what are your thoughts on the significance of this bill in terms of dealing with cybercrime? SAKA: The significance of cyber security today is more of a very complex issue. Although, we have not really dealt with it, we are seeing more proactivity in technology across sectors. A lot of organisations are beginning to focus on the security in cyber challenge.

A lot of factors add to the increasing complexities that we see, such as organisational change, merger acquisitions and these factors are basically traditional in terms of how businesses operate.

FAMUREWA: Is this the right first step to take and does this bill really provide the legal frame work for which we can move forward? SAKA: This is definitely the right first step to take. Taking mature markets in terms of how they deal with cyber securities, a lot has to do with laws, government regulations and how the sectors are being regulated. Laws, regulations, standards are driving the need for cyber security, so this bill is definitely a step in the right direction.

FAMUREWA: Niyi, what are your thoughts on the scale of settlement? The NIBSS would have seen a lot of these in terms of internet banking transactions, I imagine you will have a fair idea of how big the problem is in Nigeria today.

AJAO: In Nigeria, we have a big problem, experience has shown from other countries that the more Internet awareness increases so does cybercrime. Over 54 million Nigerians have access to the Internet, when the number grows hackers join the fray. We have been talking about cashless society for 4 years, the finance sector is increasing awareness and as that is happening people are getting to know and as they do so the hackers will come in.

If you look at studies in other countries, hackers are mostly young people between 20-35 years, very smart and educated, they are lured into this business. The act we have now has come at the right time.

FAMUREWA: Tunde, the survey given to us by Ernst and Young is that over half people that work in organisations tend not to know no how to deal with this issue, how vulnerable is Nigeria to cybercrime?

COKER: Cybercrime is not just Nigeria’s problem, it is an international problem. You can get hacked from any country. Technology creates a global village for one’s usage. We now live in a world where it is not only work place technologies we have, people now bring their own devices to work and access the world through their mobile phones and they could be hacked privately but also the corporate could get hacked from anywhere.

The awareness is absolutely essential, on leadership levels, for companies, banks -for instance, the CBN had to put in place certain processes, this actually looks at the fundamentals we put in place to protect us against hacking. If the people are not aware or uneducated, they would actually not behave in the right way either personally, the way they use their devices or in the work place, the way they use passwords.

Also the market places have to be aware of the behaviours, what are the dangers and how they need to interact with banks whether using electronics systems and your own device also, you have to take into account the internal employees. Hacking is not actually an external issue; you might also get internal employees hacking your own systems.

FAMUREWA: What is the importance of building an infrastructure to deal with a sophisticated problem, For instance, in the United States where you have the Department of Homeland Security focus on terrorism, do you think that Nigeria need to organise itself in that way to deal with cyber security? What is your take on how we organise to deal with the problem locally? COKER: At the National Level, the expertise has to be available with the security organisations with respect to monitoring the kind of traffic we have and interest we get from various parts of the country and also externally.

Surveys show that there are companies who have been hacked and know they have been hacked, companies who have been hacked but they don’t know, there are also companies that expect to be hacked and there are companies that have the right systems and knowledge in place and they haven’t been hacked but are getting a lot of attention, where the attention comes from, the kind of attention, the processes and solutions they need to put in place to make sure they don’t actually get hacked.

The same also should happen at the National level, there has to be knowledge about what kind of attention you are getting from around the world. There is a terrorism aspect to it, not just financially.

FAMUREWA: You are making an interesting point about terrorism. Yemi, I will like to get your thoughts on how we organise to deal with this problem and it is such a big issue that could really blow out of proportion and I believe there is a need to tackle it, the same way we tackle terrorism. SAKA: We actually did a survey specifically around cyber security and we looked at a lot of organisations globally and spoke to a lot at sea level.

What baffled me is 56% of the organisations could not tell if they have been hacked or not and I think that’s a fundamental problem. Organisations have to stop being reactive, they need to move into being more proactive and from that they need to build and mature to being predictive.If you are able to protect yourself and foretell what you are running, you can overall strengthen your posture in cyber security.

FAMUREWA: I do believe there is a need for help especially on the National level, in terms of building that help, let’s start from the financial level, Niyi, can we get your view on that?.

AJAO: For me, there are two areas that give me comfort, before the cybercrime act got signed into law, I am aware that pockets of private sectors already exist.In the financial sector, there is the NEFF(Nigerian Electronic Fraud Forum) that started about three years ago, these are banks coming together with the Central Bank and other service providers in the market to discuss issues, solve issues and create awareness in Nigeria and some other countries, we have some of this going on, which is very good.

The act already has some provisions, the act now positions the national security adviser in a key role in the issue of cyber crime in Nigeria, there’s critical infrastructure that needs to be redefined, the NCERT, National Computer Emergency response Team, I believe as we implement the act, the government will react and put these bodies in place.

The NCERT states that if anybody has an attack or suspects that they have been attacked, it has to be reported to them, so this is then taken to the national level for investigation.

In the area of awareness on the National level, we are already moving towards that path and we need to sustain that tempo. SAKA- The president actually mentioned cybercrime in his speech so I believe that is actually one of his focus areas. Businesses don’t have a choice but to put cybercrime on the agenda. We need to figure out how to protect critical interests.

FAMUREWA- Tunde, you made a point about the link between cybercrime and terrorism, in reality, there is a definitely a close link there. Can you tell us more about it? COKER- There is a significant access to electronic media right now and therefore you find organised activity to try and hack different systems to get more information or actually from the social media point of view to interact.

This is a significant global problem, cyber crime is not just about financial information but there has to be a significant awareness of the broader issues we have beyond financial transactions to security impact of hacking that can happen either to private sector systems or even government systems.

FAMUREWA: Tunde, you have been in the banking sector for a while so you probably understand the race, you have worked in I.T, what are the key initiatives that we need to put in place so that we can better protect bank accounts, banks as well as the customers? COKER: There is a lot of work being done by the banking industry with respect to putting in much more secure systems, being accredited to global standards that actually attest to the level of security you have.

The physical and software security all come together as a holistic view in terms of how you secure banking transactions. A lot of transactions happen by mobile and actual transactions even from the branches depend on electronic security of the bank staff. Banks now are going for being accredited to international standards.

The international standards organisation for informational security is also one of the ones banks increasingly get accredited to. If you have these industry certifications, it means you have the minimum level of proficiency in terms of securing your banking assets. It is not an end point, it is a constant journey, anticipate what will happen and be ahead of the cove. It is a continuous journey that banks and financial institutions have to take to protect their customers and their financial transactions.

FAMUREWA: Niyi, it’s an interesting point to get the Bank Verification Number [BVN] initiative, how will this help in combating the problem of cybercrime? AJAO: BVN has reached a very high level now, we have about 15 million Nigerians already registered, BVN is going to help a lot in combating cybercrime. If you look at cybercrime, there is a mention of identity theft, BVN will help a lot there, one of the problem we have in Nigeria today is identification problem even down to the finance system.

The bank is to pop-up liquidity in the market and give out to those that need the money. People collect loans from banks and the banks are unable to track them because we don’t have the functional ID system but with the BVN it is going to be possible through biometrics and that will help a lot. FAMUREWA: Yemi, EY is contributing $20 million into this battle by creating Manage Security Centre, how will this project assist in combating this issue of cybercrime? SAKA: We have taken a very good measure, we want to be at the centre of solving the challenges that exist globally on cybercrime perspective. We have committed these money into building our first security centre which is located in India, we are also going to take other strategic investments in terms of how we build a right capability from a right perspective and how we strike into our capabilities as well so we can deliver exceptional services in combating cybercrime as well.

FAMUREWA: What does that operation centre do because we are going to see a similar project in Nigeria? SAKA: We are having conversations with a lot of organisations including banks in Nigeria, some of the services we provide out of these sectors are 24/7 monetary, we are also going to provide some specific advisory services, advising clients in terms of understanding a threat that has materialised within their actualized environment, and obviously building the right road maps in their overall infrastructure. It is a very vital service for us and we have definitely made the right investments and we are beginning to have those right conversations in Nigeria as well.

FAMUREWA: To defeat this problem there is going to be a lot of collaboration, I want to hear your thoughts on that, how are the banks going to help in here? AJAO: The banking system has already identified these, the finance team are already coming out and we have a lot of scheme going on, the banks have been asked to create an anti-fraud system which we have now. A lot of collaboration is going on because banks know that we have a common enemy. When we have a cybercrime issue it is not only about one bank, when there are problems it affects the image of the banking system before the public.