Staveley: SMEs are more vulnerable to cyber attacks

Cybersecurity professional and Executive Director, Cybersafe Foundation, Confidence Staveley, in this interview speaks on the growing trend of cyber-attacks and the implications for small businesses. Emma Okonji presents the excerpts:

Cybersecurity has become a very big issue for businesses, but how serious is this with reference to small businesses?

All businesses that leverage the internet are at risk of experiencing a successful cyber-attack, whether they are a small, medium or big business. We have in recent times seen this to be particularly very true as small businesses increasingly had their social media/online store accounts hacked, customers data stolen, and financial losses incurred. From a global perspective, before we commenced this project, The UK NCSC, DHS and CISA, in a joint advisory warned about an increasing number of malicious cyber actors exploiting the current COVID-19 pandemic, targeting, small and medium enterprises (SMEs) with COVID-19 related scams and phishing emails, including essential services like healthcare organisations. During the same period, the Cybersafe Foundation intelligence team also reported a spike in phishing attacks, Malspams and ransomware attacks as attackers were and are still using COVID-19 as bait. Unfortunately, while cyber risks cut across board, SMEs are usually the worst prepared and worst hit by successful cyber-attacks, particularly because many SMEs do not have the technology, people, or processes in place to detect or defend against cyber attacks. More than ever before, it became pressing during this pandemic, to provide essential cyber security support, to small businesses like small and medium enterprises (SMEs) in order to curtail the cyber risks associated with the COVID-19 pandemic by strengthening these businesses with a priceless defense and knowledge.

As at November 2020, Nigeria’s internet subscription stood at 154.9 million. That is huge compared to some African countries. Now, what are the basic skills expected of these internet users to stay safe online?

It is exciting to watch internet usage grow in Nigeria but here are my top three basic skills I believe all internet users must have to stay safe online: The ability to decipher legitimate/safe links from harmful and fake emails/links/websites and news; the ability to choose, securely store and manage passwords; Understand how to use multi-factor authentication for reinforced security on all important online platforms

Cybersafe Foundation recently embarked on an awareness project in partnership with the UK government. Can you share your findings during that project regarding the state of cybersecurity awareness among individuals, SMEs?

This project was indeed an eye-opener for us and we are glad to have the opportunity to work with the UK government on this project. At the start of the project, we conducted a baseline survey and discovered that over 57 per cent of the employees of the beneficiary SMEs faired very poorly at identifying phishing emails from legitimate ones. Phishing is the fraudulent attempt to obtain sensitive information or data, by a impersonating trustworthy entity in a digital communication. To put this finding in perspective, phishing is a top attack vector used by cybercriminals world over. We also found out that over 76 per cent of the beneficiaries that passed through this programme did not have basic security controls implemented and over 83 per cent were not aware of or understand prevalent attack vectors or their preventive measures. To put this in literal terms, our baseline analysis showed that a majority of the businesses that benefitted were ticking time bombs and low hanging fruits waiting for cybercriminals to attack.

For individuals, our biggest discovery was that there is still so much work to be done as cybercriminals continue to change tactics and evolve to commit cybercrimes. We found that while people in the urban areas are generally more alert to the usual phone call scam, a good chunk in semi-urban areas are still getting scammed. We also found that a lot of people do not understand basic cyber hygiene best practices and this lack of understanding is leading to people behaving in ways that put them at even greater risks of being victims of cybercrime. To tackle this, we launched an afrobeat’s radio jingle and shot a music video for it. This jingle is arguably Africa’s first entertaining cybersecurity awareness song, created by Africans for Africans. We used the radio jingle to target vulnerable people in underserved communities and combined this with highly educative and entertaining cybersecurity content we shared and promoted on social media. We teamed up with Nigeria’s best comedians to also create skits and other short educative content. Combining both radio and social media, we were able to reach over 20 million people across Nigeria at different points in our campaign. To ensure the work we were doing was very inclusive we did other things like: Translation of the project jingle in Nigerian languages including pidgin English and Hausa; virtual location of the training, ensuring distance was not a challenge; optimised training content for poor internet connection speed; created targeted messaging on social media using demographics like location, age, gender, among others; maximised radio as a channel of dissemination of cybersecurity mass messaging, given its huge low-income and digitally marginalized audience; and partnered with SMEDAN to ensure SME beneficiaries are a wide sample from across Nigeria including those operating from Northern Nigeria.

I personally believe that until we can fix cybersecurity education in the average person’s lifestyle channels, we will be unable to stay ahead of the attackers. Cybersafe Foundation has demonstrated itself as the pioneer and leader in delivery of cybersecurity awareness edutainment.

Is the Foundation considering plans to follow-up with the SMEs that benefitted from the project?

We have set these organisations on a path to continuous improvement because asides the increased consciousness about cybersecurity, which this training has given them, we now have them as part of our community and will keep sharing cybersecurity tips and best practices with them. The education and awareness has to be continuous and we have trained our beneficiaries to become cybersecurity ambassadors within their organisations. We are also very pleased to see that over 76 per cent of our beneficiaries reported that shortly after the training, they implemented one or more security measures in their businesses; this is a very good start, and we are excited about the progress and improvements our beneficiaries are making.

Are you not worried that the number of skilled experts in Nigeria expected to guide companies is nothing to write home about?

It is a thing of concern for everyone in the cybersecurity ecosystem that it is becoming increasingly difficult to find qualified cybersecurity professionals to take up cybersecurity roles. I, however don’t believe there is a cybersecurity talent shortage in Nigeria. We have abundant cybersecurity raw talents in Nigeria that although skilled or self-taught, do not have the pre-requisite certifications to show competence just because they cannot afford these certifications. Considering that the hackers who are taking down corporations and businesses do not necessarily have fancy degrees and certifications, there should be another way for new entrants to show competence and skill. I am more inclined to say that skills gap in cybersecurity is self-imposed and until we recognise that this is a chicken and egg situation, that the workforce qualification needs to evolve to feed the cybersecurity industry pipeline, we might not be able to defend and promote cyber resiliency. I’ll suggest that organisations use other qualitative mechanisms to quantify their existing skills, Ingest the rough ‘diamonds’, and polish them.

Let us look at the issue of free antivirus that people usually download from the internet for usage. How secure are these solutions?

Generally speaking, anything free online always gives me jitters, and free antivirus is definitely one of those. First, it’s important to note that free antiviruses are often used as bait to get unsuspecting internet users to click, download and install harmful code. So in reality a bunch of the free download buttons people click to download antiviruses are a camouflage for what they are actually downloading. Except for the antiviruses that provide free trial options, I will not advise anyone to download any anti-virus that you are told it’s totally free. This is because even if the antivirus is legitimate, it might not give you sufficient protection like the top shelve antivirus; or you may be getting a cracked version of antivirus, which is even worse because you will not receive updates for that antivirus and will not be protected from evolving cyber threats. Getting a licensed top shelve antivirus is really key to staying protected online, it is like buying and using a good face mask.

How did the Foreign and Commonwealth Development Office (FCDO) partnership impact on the programme?

The partnership with UK government through its Foreign and Commonwealth Development Office (FCDO), provided us with the funding required to execute such a transformative and impactful cybersecurity campaign. The backing of the UK government also helped us secure very important partnerships that were instrumental to the success of the project.

What are the other things the foundation is doing to achieve its mission?

In the past, we have launched Africa’s first fully storified cybersecurity awareness handbook. For 2021 we are increasing our programmes with the goal of doing more to protect the most vulnerable people in our community. We recently teamed up with partner organisations to host Family Safety in our Digital World, an event we created in commemoration of Safer Internet Day.

This event had specially curated sessions for children, teenagers and parents to drive awareness on salient online safety issues and risks children face, given their increased exposure to technology and remediation/protective measures. As always, we achieved this through novel strategies like storytelling and insightful talks that had attendees engaged and enlightened at the end of the session. Elder/Senior citizens will also not be left out in 2021, as we are launching a platform to cater to and educate people that are 50 years and above, about cyber safety and provide them immense support. Unlike Generation ‘Y’ and ‘Z’, this generation are mostly technology immigrants , still grappling with understanding technology and most of them do not understand the basic cyber hygiene.