Vice President, Information System Audit and Control Association, Mr. Peter Ineh, spoke on the imperative of a new bill that will drive the current digital economy. Amaka Eze presents the excerpts.
Plans to Forestall Cyber Attacks
Currently, we are working with federal organisations, including the Central Bank of Nigeria (CBN), Federal Inland Revenue Service and some other government agencies, in passing a bill called Personal Identification Information (PII). The purpose of the bill is to secure, to a large extent, customer identity information.
For some time now, everyone is required to give all sorts of information about one’s self when you visit an office. At the end of the day, you may begin to receive some unsolicited messages on your phones and emails from such offices.
What we are saying is the need to bring up a bill that will regulate how people collect this information as well as make them take responsibility for the information collected. It also encompasses what to do as an individual, in case you feel that your privacy has been breached and what steps you can take to get the remedies from such organisations.
Right now, in Ghana, the bill has been passed and it is implementing it. So, by the end of this year, we will come up with a draft copy that we would make available to the federal makers for onward passage into law.
Online fraud/personal information theft
On how we can safeguard people and organisations from online fraud and personal information theft in the current cashless economy, I want to note that the Central Bank of Nigeria has done a lot in terms of enlightenment and awareness creation. We are just complementing what the CBN is doing. We have to follow what is happening in the advanced countries because we are in a global economy, though we are not there yet, because of some infrastructure challenges. It is not the CBN that provides electricity; and without electricity, the cashless policy might be trampled. So we need to get our infrastructure right for a successful cashless economy because it has a big role to play in this and the government, on its part, seems to have stepped up efforts too to boost electricity.
Information available from government quarters shows that government is doing a lot in terms of strengthening the infrastructures that they have in supplying the whole country stable power and I have seen that also for the past weeks that the power supply has been stable. From then, it is now easy for the organisations to now build their systems along that infrastructure.
However, the missing link now is genuine awareness. The populace need to know that they are not supposed to give their passwords to anybody, no matter who the person is to you. Nigerians must also know that they should not just go to any website and shop online, filling some personal information and giving some personal details.
If people are informed regularly that they should never give any of their personal information to another person, then we will have a successful electronic transaction regime. That is why it is important that we come up with a bill that regulates the way organisations collect information. It will specify the way the ministry of health collects information from you, also the ministry of education, and other government ministries and agencies as well as business organisations.
This is because all information can be hacked into, if not well protected, by some scrupulous element that may prowl online with intent to defraud. We came up with the bill to ensure that those people collecting the information follow some processes in place to protect the information.
It is not enough to just collect this information, without meeting the minimum standard required in identity protection. Do they have IT auditors? Do they have IT managers? Do they have website protection applications? Do they have a firewall in place? Do they have an intrusion detection system in their organisations? This is because if they don’t have all of these, it is easy for somebody outside to hack into the system and get the information that belongs to other people, especially where financial transactions are involved.
It is important that those people collecting the information also have the minimum requirements in place. Though most banks do have IT auditors and IT managers according to the requirement of CBN who insisted they do. As a result of this, banks have a certain level of experience and qualification to that effect. The same thing must apply to those organisations, private or government, apart from the banks, that collect people’s personal information.
Provision for redress
The PII bill specifies steps for redress in case of any information breach. After passing the bill into law, for instance, we are still going to press it on the government to see that a commissioner is appointed to implement and monitor the activities of people that collect the information. So, in the case of a breach, in that bill, it will be stated the step by step process the affected individual or organisation can follow for a redress.
Basically, we are taking the PII bill beyond the private sector. Part of the plan is to carry out the enlightenment session with the government agencies that also oversee people that collect information. If you go to most of the government agencies, the server room is an eyesore. It is usually nothing to write home about because they don’t have IT auditors or persons with basic IT qualification to manage such infrastructure the way it should be managed to prevent breach of information on the servers.
If you look at what is happening in FIRS, last year, they employed chartered accountants, IT auditors and IT managers and if you see one of the things the tax agency is doing now, I can tell you that it is one of the foremost government agencies because they have employed the right people to manage their system and those are the kind of things we at ISACA are trying to preach.
Current security level of Nigeria’s cyber-space and the drive for a cashless economy
Basically, the issue of cashless Nigeria is the development that has further heightened the threat issue to the nation’s cyber-space as it concerns organisation and the way they do business. Before now, when we simply had to take cash from the banks, it was so very much easier. But these days, people stay in their homes and offices to make withdrawals and purchase from online shops.
This development has heightened the threats that are not inherent in banking in particular, thus a need to train professionals to reduce or minimise the risk and also make suggestions on how to prevent any form of attack in their organisations.
The training is a forum for Information Technology auditors and organisations in Nigeria and across the globe. We basically provide training session for IT auditors, managers and security managers. The recent training session, ‘Continuing Professional Education’ had to do with cyber security and the professionals were trained on prevention, detection and investigations.
Basically, we are talking about harnessing strategies for protecting business organisations in the area of cyber threats and attacks and we go about that by detecting, preventing and then carrying out investigations. We provide training for all IT personnel in Nigeria. We have internationally-certified IT professionals as board members.
The objective of the training session was to bring to the bare the issues that we have in the industry in terms of cyber-crimes, cyber threats and cyber-attacks to Nigerian cyber-space and other organisations. The training also helps to show ways that organisations can carry out investigations even when faced with such threats.