Why should Nigerian institutions, public and private, be interested in cybersecurity?
First, let me explain the concept of cybersecurity. It is a set of processes and technology solutions that safeguard your critical IT assets from malicious attacks. A mature cybersecurity posture reduces the company’s risk of data theft, operational disruption, or reputational damage. In an age of increasing cyberwarfare, cyberterrorism, and hacktivism, cybersecurity safeguards are becoming an increasing necessity for both public and private institutions in Nigeria and across the globe to protect the confidentiality, integrity, and availability of business resources.
At what point should they think about cybersecurity?
Well, no system is completely secure. This is a mantra upheld within the cybersecurity industry, as each “secure” system has proven to have weaknesses time and time again. Cyber resiliency is what we preach to our clients: the ability to withstand a cyber-attack without any significant impact on business operations. Companies should not wait until they experience a data breach to take action to bolster their security. Good cyber hygiene measures should be “baked” into all processes and solutions right from the beginning; they should not be an add-on.
What are the dangers in the event of a hack?
There are a number of risks involved when there is a hack, and many of them have dire consequences. One, a hack leads to inappropriate disclosure of Personally Identifiable Information (PII), Protected Health Information (PHI), or Protected Financial Information of your employees and customers. Others are that it leads to damaged company reputation, inappropriate access to sensitive systems, and impersonation of operators. Hackers steal money, credit card numbers, or banking credentials from employees and customers, and then make malicious use of company information.
How best can a company or government prevent a hack?
At Solvitur Systems, we follow a multistep approach to preventing hacks in our client environments. This includes identifying sensitive information that is stored, transmitted, or processed; identifying which systems store, transmit, or process that sensitive information; and assessing the risk level of these sensitive systems.
Next, set security controls based on the risk level, which involves enabling multi-factor authentication and establishing a minimum password length requirement of 12 characters.
Then, establish an IT security policy that considers the risk level of the sensitive systems and the security controls that have been set; establish and test an incident response plan; and educate employees on the risks of a malicious cyber intrusion.
There are additional tasks performed at each step; however, this process provides a high-level overview.
Is there any difference between a hack and a data breach?
The main difference between a hack and a data breach lies in the outcome of the intrusion. A data breach refers to a malicious cyber actor stealing personally identifiable information (PII) or sensitive information attributed to an individual. The Equifax data breach is a notable example that occurred in the United States exposing the personal information of 147 million people. The Federal Trade Commission (FTC) has even finalized a settlement offer in February 2022 for all victims of the data breach.
A hack refers to a situation where a malicious attacker infiltrates an organization’s cyber systems with a different intention than the stealing of personal information. For example, “ransomware” is a newly developing approach for hackers where they encrypt the data of an organization and demand a ransom for the data to be decrypted. While the data is encrypted by the attackers, it is unusable by the organization, so it forces the ransom to be paid.
What are the right precautions and measures to ensure optimum security?
In 2021, a business was hit with a ransomware attack every 11 seconds. From our extensive experience in the industry serving both commercial and public sector clients, Solvitur Systems has witnessed firsthand that human error is the weakest link among our clients.
Companies with strong employee security awareness training will reduce this error space with fewer phishing attacks and less social engineering susceptibility, which are both prevalent attack vectors in today’s threat landscape. In addition, strong access control within the business environment bolsters a tried-and-true concept known as the principle of least privilege, which ensures that only work-essential privileges are given to each user, process, and system throughout the environment. In this way, we can reduce our attack surface significantly and prevent the spread of malware. Security standard compliance does not ensure security safeguarding; however, it demonstrates mature and hygienic cybersecurity practices, which offer institutions strong precautions to deter attackers, such as the security policies published by the National Institute of Standards and Technology (i.e., NIST SP 800-171 Rev. 2).