The increasing threat of cybersecurity breaches is becoming a major concern for many Nigerians, with hackers targeting banks and organizations to steal vast sums of money and sensitive data.
A data breach refers to a security incident in which confidential or protected data is copied, transmitted, viewed, or stolen by unauthorized individuals.
These breaches are becoming more sophisticated, with threat actors employing malicious methods to compromise the data security of key organizations.
The breaches often involve large-scale data exfiltration and cross-platform compromises across interconnected systems.
In one of the most alarming recent cases, approximately 25 million documents were reportedly stolen from the database of the Corporate Affairs Commission (CAC). This breach has raised serious concerns about the vulnerability of government systems to cyber threats.
Earlier in April, the Nigeria Data Protection Commission (NDPC) launched an investigation into alleged breaches involving Remita Payment Services and Sterling Bank. Reports suggested that a hacker had accessed extensive datasets, including sensitive financial records, identity documents, and internal system data.
In March, First City Monument Bank (FCMB) fell victim to a large-scale cyber fraud operation, initially aimed at stealing over N3 billion. Although preventive measures were taken, fraudsters succeeded in transferring N677 million before the bank’s systems detected and halted further attacks.
These cybersecurity concerns have also extended to other digital platforms. In February, the NDPC initiated an investigation into the e-commerce platform Temu over the mishandling of personal data belonging to approximately 12.7 million Nigerians.
This investigation highlights the growing scrutiny of digital platforms and their responsibility to secure user data.
In this interview with Nairametrics, Adedoyin Adedeji, an IT consultant and Managing Partner at BlueRave Ltd, discussed the rising threat of cyber fraud and data breaches in Nigeria, and the urgent need for organizations to adopt stronger security measures and stay ahead of evolving cyber threats.
Nairametrics: From your perspective as a professional, what do these incidents reveal about the current state of cybersecurity readiness in Nigeria’s public institutions?
Adedoyin Adedeji: I feel that we have a long way to go. There are numerous government platforms that offer services to citizens, and most of the time, we do not conduct enough due diligence on the part of both citizens and the government to ensure that whatever we are doing is secure enough, especially from the government’s perspective.
A lot of the time, when some of these platforms were built, there should usually be a chain of review of government platforms. Usually, what should be the standard is that if you build a platform, before it goes out there to the public, there should be checks and balances from a third-party agency like NITDA to do a review, a threat assessment, a penetration assessment and be sure that everything is in place before going ahead.
But most times, what we have is government agencies working with a third-party service provider, likely in the private sector, to build those platforms. They build the platforms, and most times they just deploy. There are no checks and balances to look at what this set of people has done.
Nairametrics: How can this be well-managed?
Adedoyin Adedeji: First, we really need to improve our cybersecurity awareness and proactiveness, which needs to be better than what we have at the moment.
What I would suggest as a way forward would be to fully implement what they started, which is that every government website or every government online service should go through a security audit, through a third-party government agent.
And then have like a security certification that, yes, we’ve gone through this thing. And yes, we can certify that this platform meets the minimum standard the government would require for every platform that is interfacing and collecting citizen information.
So even if there’s a breach tomorrow, then we can hold whoever provided or whoever gave that certification accountable because most of the breaches are due to negligence and lack of oversight.
Nairametrics: After an incident of data breach, what should agencies do to restore trust and confidence from the public?
Adedoyin Adedeji: I think that falls under the purview of the Federal Ministry of Innovation, Science and Technology. They are the ones that need to come out because this is their domain, their territory, because when a banking breach happened recently, I remember the minister saying something about trying to put some policies in place in conjunction with the CBN, which is good.
But I think we need to do more. The ministry and the Office of the National Security Adviser need to come together to create a stronger cybersecurity framework for the government and set minimum standards.
And let that standard be known to everybody, so any vendor that is building anything for the government can follow through those guidelines. If there’s a strict guideline of what you need to do if you are building a platform for government, and this kind of breach happens, you can hold the third-party vendor accountable. Even if it’s built internally, you can hold all the development team accountable, because we can’t build confidence if there’s no accountability.
Nairametrics: We have seen cyber fraud against banks and banks losing billions of Naira. Why is the banking sector porous?
Adedoyin Adedeji: I think it goes back to what we discussed earlier, which is a lack of accountability in the sense that up until now, Nigeria has not really dealt with sophisticated threat actors. Most of the actors we’ve dealt with are threat actors that likely use social engineering to try to get information from citizens, like bank customers, to steal money from their accounts.
But now we are dealing with threat actors that are finding it harder to get audiences in other places. And they’re like, okay, I think we can try maybe Nigeria. Nigeria is a big country, they are rich, and let’s see what we can find.
And then they start scanning through the banks and everything, and they realize that, oh, their security is not that tight. They start looking for loopholes. So a lot of the time, what we have is that most of these banks rely on third-party services to scan through their network for cybersecurity threats.
For me, I still don’t feel that banks think that security is hard enough. But you need an in-house team that continuously monitors and reviews activities that are happening on your platform against all these threats. And so if you have those things, then some of these things might be mitigated.
It’s not as if they won’t steal, but if you have a rapid response team, then some of these things can be stopped at the initial stage before it escalates into something much bigger.
Nairametrics: Why do banks outsource their cybersecurity to a third party? Is it because we do not have the manpower, the skill or the cybersecurity experts in Nigeria?
Adedoyin Adedeji: We have good developers in Nigeria, but for cybersecurity, core cybersecurity professionals, we have a limited number of them. And that’s where everybody needs to come together. When you go to the universities today, you see people studying computer science and computer engineering.
The truth is, the world has moved past all these things. Everything we do today is in the cloud. You should take certain courses with higher priority.
How many universities in Nigeria have cybersecurity as a four-year course that you can study? Because most people who are cybersecurity professionals in Nigeria are mostly self-taught, and the demand is high.
So, if you are self-taught and you have your certification, I will possibly just focus on getting a job abroad. But even if I’m here, I can work remotely from here to be a cybersecurity professional to somebody abroad and get more money than for me to work in the bank or with Nigerian agencies.
We should prioritize not just computer science, but also cybersecurity as a core course in the university. You can start with computer science, but in the last three years of your course, you can focus on cybersecurity.
Nairametrics: What role does artificial intelligence play in detecting, preventing or even enabling cyber threats in Nigeria today?
Adedoyin Adedeji: Artificial intelligence has become part of us. It plays many roles in the sense that it can help with some entry-level weightlifting, meaning that you can’t outsource everything to cybersecurity firms. But AI can do what we call threat identification and reporting.
Based on the pattern this particular network is behaving, it certainly shows that it can do a lot. Because if, for example, you are a cybersecurity professional, you are in charge of monitoring the network for threats, you can train your AI agents for pattern recognition.
Once they recognize the pattern, they can alert you immediately. Because the truth is, AI, no matter how you look at it, is better at complex analysis than humans. It can look at a whole lot of factors and determine the way things are.
Then you have a human who can do a review of it. And in doing that review, even if that human is not sure, you can still tell the AI to do a further investigation and give you a report back.
For example, if you are monitoring multiple networks, it can help you reduce your workload. So, it makes your work faster. If you reduce your workload, then it also helps you to make better decisions. But what I do not encourage is to hand over everything to artificial intelligence.
Nairametrics: Some people argue that AI is a double-edged sword. Like, attackers use AI to attack, while also businesses and government agencies use AI to defend. How should regulators and companies balance this situation?
Adedoyin Adedeji: I think the easiest way to balance it is by creating a policy, a guideline of how to handle cybersecurity, especially for our platforms, both government and private, banks, fintech. Let’s create a general framework for cybersecurity.
In that framework, we can provide guidance on how to use artificial intelligence, what to use it for and what not to use it for.
For example, you do not give AI full access to personal information. What you can do is, for you to create a barrier between the artificial intelligence and your database, we can allow you to scan the network, review whatever needs to be reviewed and give you reports.
Based on those reports, you would react to that. But then, you don’t give your entire data to artificial intelligence.
For me, once we are able to come together and create a framework, it still goes back to the Federal Ministry of Innovation, Science and Technology and the Office of the National Security Adviser. They are the ones that are in the best possible position to create a national policy for cybersecurity. Don’t forget, most of these threat actors, what they are looking for is identifiable information.
I also feel that we need to overhaul our KYC process as a nation. I should be able to identify myself without having to upload my documents all the time.
Because almost everything you do with the government or with banks, you have to upload the documents. You can tell how many places you have uploaded your documents, and that creates a lot of vulnerabilities.
But if we have a unified system by which citizens can do their KYC, even if things happen, you can basically just reset the process so that it becomes invalid. You don’t need to be uploading documents and everything.
So, as I said, once you have a central framework, all these things can come together into that framework.
Nairametrics: Do you think the government, commercial banks, and fintechs are investing enough in cybersecurity?
Adedoyin Adedeji: Well, I don’t think they are investing enough in cybersecurity because if we’re investing enough, there should be a national policy to produce cybersecurity professionals in the country. Right now, we don’t have anything like that. It doesn’t cost too much to do that.
The banks and co. that are more affected by these things, if you look at the money they are losing from cybersecurity cases, if they invest half of that into creating an academy for people to come together and train them, the space could be safer. Rather than outsourcing our cybersecurity to a third party, let’s come together, let’s put some money together, let’s create a national system that will bring young people together, build their capacity and provide the job to them, they will do it.
So if you are short of staff, if you are short of manpower, try to invest in building the manpower you need, then absorb them into the system, then let them do the job.
Nairametrics: The CBN recently mandated banks to deploy an automated anti-money laundering system. How effective do you think these tools are if you compare them to the traditional monitoring method?
Adedoyin Adedeji: I would say we should find a balance between the two. I’m not against it or for it, because when you hear automated, it means that it’s just for somebody, it’s just to get somebody that’s smart enough to figure out how to trigger automation; there would always be people who are smarter. People would always find loopholes in everything, so if something is automated, meaning that people know it’s automated, they would always find where the loopholes are in that automation and bypass it.
What I would suggest is rather than finding a fully automated system, they should do more of an automated reporting system, then you have the traditional systems to do a review of whatever is happening.
But if you want a full-fledged automated end-to-end process to review and flag money laundering, I feel that one way or the other, some people would always be smart enough to bypass it in the long run. But we can find the balance between the two, meaning that let the automated process be the first line of defence to do reporting, then we have a traditional process to do a review of whatever reports they get.
Nairametrics: In the next five years, what do you see as the biggest cybersecurity threat in Nigeria?
Adedoyin Adedeji: I think it is artificial intelligence. So AI is still probably one of the biggest threats we should be concerned about, and we’re not doing enough, because we are not even at that stage yet of securing ourselves. Now, the threats are increasing because it is easier to hack, it’s easier to find vulnerabilities than it was before.
All I have to do is point AI agents to a particular government platform and tell them to look for vulnerabilities or how to get into it. I don’t even need to lift a finger. I just tell the AI agent to look for vulnerabilities and report to me.
So if it can find a vulnerability and report to me, then I take it up from there. Before, hackers spent two, three months trying to find vulnerabilities. Today, you just need to send AI agents to the platform; within an hour or two, they will report back and tell you they found a vulnerability. So AI is one of the biggest threats we have today. And even globally, it’s not just Nigeria.
Today, we are having AIs that can clone your face, clone your voice, and so if I’m having a conversation with you now, once I have an idea of what your voice sounds like and what your face looks like, I can use AI to generate your face and your voice and then create a talking avatar of you, then we can have a video call, and I would think I’m speaking to you, but I’m speaking with an AI bot.
So it’s going to create a whole lot of vulnerabilities, and the world is not yet prepared for the issues we might have in the next five years.












