Managing Consultant of an information security company, Infoprive Services Limited, Mr. Adetokunbo Omotosho, speaks with Jonathan Eze on how cyber breaches affect businesses and the future of cyber security in Nigeria. Excerpts:
May we meet you?
I am the Managing Consultant of Infoprive, a business information security company. Infoprive was founded in 2011 with the sole focus of providing top-notch and holistic services within the market to address the rising need for cyber protection delivered by skilled, knowledgeable and practical home-grown information security experts.
Many companies are yet to put in place effective cybercrime prevention plans. What is the implication to these companies, their customers and the economy?
The truth is that organisations have started to increase focus on cybercrime prevention and a good number within the financial services have invested considerable resources in this regard. However, the return on security investment and information security maturity is not yet at optimum levels.
Outside the financial services, justifying security investments for the protection of corporate data is tough, especially within privately held companies, and thus information security is mostly non-existent. If maturity levels for security are low in some sectors and almost non-existent in others, it means that the ability of these companies to respond to cybercrime or attacks is limited.
Also, a recent global threat impact index by Checkpoint Software, a leading cybersecurity firm, shows that Nigeria has been listed among the countries with the highest risk profile. This erodes the confidence of some customers in digital channels that organisations are increasingly providing to enhance service delivery and accessibility.
The good thing to note is that the recent spate of cyber-attacks has made organisations increase their focus on cyber defence, as top-level executives have now seen the dangers of not having adequate information security programs in place.
As a PCI DSS expert, can you talk about the risk faced by non-compliant companies that house cardholders’ data?
The greatest risk faced by non-compliant companies all over the world is reputational damage and the penalties associated with non-compliance. However, the impact of these varies for different countries and regions. In Nigeria, PCIDSS (Payment Card Industry Data Security Standard) compliance is driven mainly by the CBN for financial institutions, and the penalty for non-compliance is largely dictated by them.
For e-payment providers and processors, the risk of non-compliance is higher, as there are strict penalties from card brands, and most times entities that require their services outright require that they are PCIDSS compliant before they can do business together.
What do organisations need to be PCI DSS compliant and is this dependent on the size of the organisation or other salient factors?
All organisations that handle cardholder data or card payments in the following ways, i.e. transmitting, processing and storing, are required to be PCIDSS compliant. The Payment Card Industry Security Standards Council, which is the global body that maintains the standard, has broken down different levels of compliance required for organisations based on factors such as the number of card transactions processed and how the transactions are processed.
Locally, the Central Bank of Nigeria issued a mandate a few years back that requires financial service providers with an electronic payment bias to become and maintain PCIDSS compliance. However, there is a grey area around that, which needs to be addressed in terms of who should become compliant.
Mostly, the focus has been on banks as they issue the debit and credit cards to customers and payment processors like Interswitch, UPSL, etranzact etc.
However, all web merchants or websites that allow consumers to use card details to transact on their websites or mobile applications need to be PCIDSS compliant.
As a PCI DSS compliance consultant in Sub-Saharan Africa and as a certified Qualified Security Assessor (QSA), how has Infoprive helped her clients, especially those in the financial sector, to protect cardholders’ data and attain compliance?
Our focus is to help our clients that need to become PCIDSS compliant to do so in a cost-effective and timely manner, as well as guide them to remain compliant. From the very beginning, we ensure that all efforts and mind-sets are channelled towards security and data protection and not just compliance. This makes it easier for our clients to imbibe a culture of security as a continuous initiative rather than a one-off project. This eventually leads to an increased security posture and cyber protection levels.
Statistically, what is the average number of compliant companies and financial institutions compared to those that are not compliant in Nigeria, and how is Infoprive helping to mitigate this?
70 per cent of organisations struggle to maintain their PCIDSS compliance for a whole year; hence, to mitigate this we instituted business-as-usual programs that provide a platform that alleviates the effort required to stay compliant all year long.
As for average compliance of financial institutions, Nigeria probably has the highest ratio of compliant to non-compliant banks in Africa, if not globally, due to the CBN mandate that requires our banks to become compliant against a number of information security standards.
How helpful can a cyber-insurance policy be in mitigating the risk of cyber-crime?
Cybersecurity insurance in itself would not mitigate cybercrime, as it doesn’t replace the need for adequate data protection. It allows the insured party to transfer the risk of losses to a third party in the event of a cyber incident. Organisations can leverage cyber insurance as an integral part of their risk management strategy, as it would help with the cost associated with breaches or cyber-attacks.
Even though cyber insurance would not in itself prevent cybercrime, it might inadvertently reduce the occurrence of cybersecurity incidents, as the insurer would require that certain minimum security controls are put in place by the insured before the policy is underwritten.
Can cyber-attacks be completely eliminated?
The sad truth is that cyber-attacks cannot be completely eliminated, but they can be mitigated and reduced to very minimal levels by concerted and continuously sustained efforts by stakeholders at various levels.
As the spate of cyber-attacks rises with increasing focus on large organisations, government and critical infrastructure, boards and executive management of firms need to respond actively to the reality that their firms are continuously at risk from cyber threats. A good start would include assigning the responsibility for information security to executive-level management who would ensure that the information security posture of the organisation gets to very mature levels, and the establishment of security operations and intelligence departments to actively monitor and respond to cyber-threats facing their organisations.
Also, at a national level, effort should be made to have a more active computer security incident response team that would analyse and respond to cyber threats facing us as a nation, and facilitate sharing of critical cybersecurity information among critical industry segments of the Nigerian economy.
How would you assess our financial institutions, especially with regard to their preparedness to mitigate risk and losses?
Most financial institutions have robust risk management practices that cover operational risk, under which some of them classify information security risk. They are mostly prepared and are able to recover from incidents that might affect the availability of their IT systems, due to concerted efforts around business continuity and disaster recovery. What they now need to focus on and infuse is cyber resilience into their overall business continuity efforts, to ensure that they can withstand targeted and repeated attacks.
What is your advice to individuals and corporate organisations, especially those that are more vulnerable to cyber-attack as a result of insecure infrastructure?
All organisations that have IT systems in place and are connected to third parties or the internet should know that their systems are susceptible and might be vulnerable to cyber attack. However, it’s the level of vulnerability that will differ, based on a number of factors such as how well the underlying infrastructure and systems have been set up, the ability to continuously maintain them, track events that occur within the infrastructure, and the availability of knowledgeable security personnel to administer such infrastructure. Therefore, their starting point should be to ensure a solid foundation by setting up their IT infrastructure in a manner where security is built in from scratch in a defence-in-depth approach.
As for individuals, the more data that is shared online through social media, the more vulnerable you become, as that information would be readily available to whoever is interested in it. It is advisable to reduce sharing to the barest minimum and ensure the use of antivirus/antimalware that is updated continually on personal devices.
In summary, from an expert’s point of view, what are the basic PCI DSS compliance requirements?
The high-level goals of PCIDSS can be termed the basic objectives, and these are: maintain and build a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy.
Even though there seem to be just six of them, collectively they come together to form over 200 requirements that make up the standard.
The six high-level goals provide a good basis for an effective technical information security program that can be adapted way beyond the scope of the PCIDSS standard by any organisation. The trick is that, instead of focusing on cardholder data, an organisation can focus on what it considers its own critical data in place of cardholder data.
What are the services Infoprive renders, and who are those in need of these services?
We offer services to organisations that have a need to ensure the confidentiality, integrity and availability of their data and the protection of their critical assets.
This cuts across different industries. We presently have clients in the banking, fintech and telecom sectors, as well as government, across the West African subcontinent. Our service offerings include: Security Advisory & Consulting, which covers getting our clients prepared and assessed against standards such as the Payment Card Industry Data Security Standard (PCIDSS) and Information Security Management Systems (ISO27001). We are one of the most technically sound and knowledgeable Qualified Security Assessors (QSA) in sub-Saharan Africa.
We also offer implementation and integration services, where we use our technical expertise to deliver on security projects and initiatives that improve our clients’ security posture. We do this without bringing in expatriates or foreign partners, as we have staff who are adequately trained, certified and committed to the vision of being home-grown experts who can compare favourably with the best in the world.
We help organisations architect and deploy secure IT infrastructure, and maintain and continuously monitor IT systems for cyber-attacks and breaches. For organisations that have mobile applications, we help ensure that such applications are built in a secure manner and that user data is secure and kept private.