PwC Nigeria - IoD Nigeria Cybersecurity Live Webinar
TRANSCRIPT
Session starts 3:00pm
Theme: Cyber Risks in Governance; The Imperatives
Thanks for joining:
Thursday 13 August 2020
Agenda
Time | Activity | Duration | Facilitator/Anchor
3.00 – 3.05pm | Welcome and Introduction | 5 mins | Nkiruka Aimienoho (Senior Manager, Cybersecurity Resilience & Privacy, PwC Nigeria)
3.05 – 3.10pm | Opening Remarks | 5 mins | Chief Chris Okunowo (President, IoD Nigeria)
3.10 – 3.30pm | Keynote Presentation | 20 mins | Wunmi Adetokunbo-Ajayi (Partner, Cybersecurity & Privacy, PwC Nigeria)
3.30 – 4.25pm | Panel Discussion (Q&A) | 55 mins | Mr Austin Okere F.IoD, Panel Moderator (Founder/Chairman, CWG Plc & Ausso Leadership Academy); Mr Kashifu Inuwa Abdullahi (DG/CEO, National Information Technology Development Agency (NITDA)); Dr. Victoria Enape (Principal Partner, Enape Victoria & Co.); Wunmi Adetokunbo-Ajayi (Partner, Digital Risk, Cybersecurity & Privacy, PwC Nigeria)
4.25 – 4.30pm | Wrap up and Closing | 5 mins | Chief Chris Okunowo (President, IoD Nigeria)
Welcome
Nkiruka Aimienoho, Senior Manager, PwC Nigeria
Opening Remarks
Chief Chris Okunowo, President, IoD Nigeria
Keynote Presentation
Wunmi Adetokunbo-Ajayi, Partner, PwC Nigeria
Cyber Risk in Governance – The Imperatives
Why is cyber risk important?
Cyber crime is all over the news
SMEDAN website hacked (13 September 2018)
The website of the Small and Medium Enterprises Development Agency (SMEDAN) was hacked and defaced by a certain Ismael Chriki.
INEC website hacked (Vanguard, 28 March 2015)
The website of the Independent National Electoral Commission was hacked by a group that parades itself as the Nigeria Cyber Army. The hack was confirmed by INEC on its Twitter handle, @inecnigeria.
South Africa’s Liberty Holdings suffers cyber attack (17 June 2018)
Criminals gained access to the company’s data and demanded payment from the firm for its return. The reputational damage was considerable and the company’s share price fell 5% on the heels of the attack.
Criminal gangs scoring points across Africa (privileged access)
The World Economic Forum says so
Source: World Economic Forum Global Risks Perception Survey (2019-2020)
Worsened by COVID-19
Current state of cyber security
Chart: percentage of INTERPOL survey respondents that experienced a cyber attack as a result of COVID-19.
“According to one of INTERPOL’s private sector partners, 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs — all related to COVID-19 were detected between January and 24 April, 2020.”
Distribution of the key COVID-19-inflicted cyberthreats, based on the INTERPOL report (Covid-19 cyber attacks):
❏ Donation scams
❏ Phishing / spear-phishing / vishing
❏ Online education
❏ Mobile apps
❏ Charity scams
❏ Fake government instructions
❏ Testing scams
❏ DDoS
❏ Ransomware
❏ Malicious websites
...the reason that matters
It’s a business risk
Cyber attacks can have significant business impact:
Lost funds
Theft of intellectual property
Disruption to the normal course of business/trading
Lost productivity
Reputational damage: loss of consumer trust, loss of current & future customers to competitors
Regulatory fines
Negative media coverage and associated public relations/damage control costs
Cost of recovering affected systems and data
Investigation costs
Litigation/settlement costs
Bankruptcy
Source: NetDiligence Cyber Claims 2019 Report
Cyber Claims in 2019
Business impact - examples
Yahoo: loss of up to $350m in share value
Equifax: accrued up to $1.35 billion as breach costs
Adobe: settlement up to the tune of $1 million
Nedbank: reputational damage
Facebook: drop in share prices, regulatory fine of up to $1.63 billion
Capital One: rapid drop in stock price, financial loss to the tune of $150 million
Nigeria: regulatory fine, investigation cost, increased cost of compliance, settlement cost
Maersk: $200m-$300m
PwC’s 2020 Global Economic Crime & Fraud Survey
Most disruptive fraud events – by industry (PwC’s 2020 Global Economic Crime and Fraud Survey)
As a Board Member, you are a Target
Figure: primary target, account hack. Mike Bloomberg, Kanye West, Bill Gates, Joe Biden, Elon Musk, Uber, Apple, Jeff Bezos.
Will this trend continue?
First, what are some of the reasons for the current status/trend?
Some reasons for the current status:
❏ Increased use of public cloud
❏ Attacker’s risk/reward imbalance
❏ Ease of attacks
❏ Increasing reliance on technology
❏ Extension of the corporation
❏ Attacks-as-a-service
❏ Increased digitisation, now fuelled by the pandemic
Long-Term Risk Outlook
Source: World Economic Forum Global Risks Perception Survey (2019-2020)
Projections by the INTERPOL Cybercrime Directorate
❖ A further increase in cybercrime is highly likely in the near
future.
❖ Vulnerabilities will most likely be further exploited by
cybercriminals targeting employees’ credentials through essential
office tools and software.
❖ Coronavirus-related lockdowns will result in criminals searching for
alternative revenue streams.
❖ BEC schemes will likely surge due to the economic downturn
and shift in the business landscape.
❖ Ransomware attacks targeting the healthcare sector and
associated supply chains are likely to increase.
❖ Threat actors are expected to target the Personal Identifiable
Information of individuals.
❖ Cybercriminals will most certainly adapt their fraud schemes
to exploit the post-pandemic situation.
Will this trend continue?
❏ The rise of artificial intelligence (AI)
❏ 5G development and adoption of IoT devices increase vulnerability
❏ Globalisation of cybercrime
❏ Increased competition
❏ The cybersecurity skills gap continues to grow
❏ All other points raised before
❏ Plus: increased skill levels of attackers
Nigeria’s SilverTerrier and SilentStarling cyber groups
2014: Tools were obtained from free educational and research-intended online tutorials.
2017: Sophisticated tools were obtained by purchasing them from the dark web*. These tools were developed by malicious actors who put them up for sale on the dark web* at exorbitant prices.
2019: Tools employed were developed by these groups of hackers, who also re-engineered existing tools to serve their malicious intents.
*Dark Web: illegal websites where confidential information, malicious software, arms and ammunition etc. are traded by anonymous persons.
Sources: Palo Alto Networks Unit 42 security analysts and researchers
Some recent BEC attacks in the news
❏ New York-based law firm: approximately $922,857.76
❏ Attempt to steal £100 million (approximately $124 million) from an English Premier League soccer club
❏ Fraudulent wire transfers from a foreign financial institution (Bank of Valletta, Malta): approximately €13 million (approximately USD $14.7 million), sent to bank accounts around the world
Some recent BEC attacks in the news (continued)
❏ FBI: beginning no later than January 2019 and continuing until at least September 2019, actual losses caused by a particular team totalled $18,103,000 while attempted losses were over $30,000,000.
❏ A Chicago-based company was defrauded into sending wire transfers totaling $15,268,000.00.
More BEC scams...
❏ Victim company in Iowa: approximately $188,000 to a bank account in the name of the victim company’s supplier.
❏ An attempt targeted at a Michigan-based company was thwarted by personnel at the company who noticed that it was a fraudulent request. This could have resulted in the loss of $1,206,418.76.
❏ Victim company in Chicago: approximately $2,300,000 to a bank account in the name of the victim company’s subsidiary, opened by a money mule. Unauthorized access was gained to the company-issued email account of the Chief Accounting Officer of a subsidiary of the victim company.
A good time to talk about some of the threats exploited
❏ Denial of service
❏ Account takeover
❏ Social engineering
❏ BEC scam
❏ The Covid-19 effect
❏ Data breach
❏ Identity theft
❏ Ransomware
❏ Privileged access management
❏ Business risk
❏ Privilege escalation
❏ Malware
How are organisations responding?
Training, awareness and regulation
Compliance with regulation
Certification to standards
Appointment of CISOs
Technology implementations
Periodic vulnerability assessments
Current approaches - mind the gap
❏ Ineffective reporting
❏ Compliance focused
❏ Skills gap
❏ Technology-centric
❏ Demonising staff
❏ Generic approaches
❏ Oversight gaps
❏ Silos
Strategic Considerations for Boards & Top Executives- to build a Cyber Resilient Organisation
Building a Cyber Resilient Organisation: 7 key areas of focus
1. Address cyber as an enterprise-wide business issue, not an IT issue
2. Have an oversight approach with access to cyber expertise
3. Understand legal and regulatory requirements
4. Discuss the adequacy of the cyber strategy and plan
5. Engage in discussions with management about cyber risk appetite
6. Get the right information to monitor the cyber and privacy program
7. Monitor cyber resilience
Pertinent Questions Board Members Should Ask...
❏ How could a cyber incident impact my business?
❏ How much risk are we willing to take?
❏ How resilient is my business to a cyber-attack?
❏ Which threats should we be most concerned about?
❏ Are we spending in the right areas?
❏ What actions are we taking to educate employees (the first
line of defense) about how to identify and react to the cyber
attack schemes?
❏ Are there gaps in our cybersecurity capabilities?
❏ How is the IT function changing its strategic priorities in the
short-, mid- and long-term and are resources sufficient to
achieve these priorities?
❏ Has the incident response plan been updated for leadership
and employees in a remote working environment?
❏ How are increased third-party and fourth-party security risks
due to COVID-19 & other related matters being managed?
Next Steps for Business Leaders
Leading from the front
Dear Sir/Ma
To Board Member
1. Determine your Cyber risk profile- your company does not have the resources
to address all cyber security problems
2. Focus on Resilience
3. Attacks are not always sophisticated
Good luck!
Yours sincerely
www.pwc.com
Contact Details
Wunmi Adetokunbo-Ajayi, Partner, Digital Risk and Cybersecurity
Email: [email protected]
Cell: +234 (0) 705 126 5583
Tel: +234 (01) 2711700 Ext 38001
Nkiruka Aimienoho, Senior Manager, Digital Risk, Privacy & Cybersecurity
Email: [email protected]
Cell: +234 (0) 703 657 5637
Tel: +234 (01) 2711700
Oluwatoyin Oni, Digital Risk, Privacy & Cybersecurity
Email: [email protected]
Cell: +234 (0) 803 654 4588
Tel: +234 (01) 2711700 Ext 22009
© 2020 PwC. All rights reserved. Not for further distribution without the permission of PwC. “PwC”
refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or,
as the context requires, individual member firms of the PwC network. Each member firm is a separate
legal entity and does not act as agent of PwCIL or any other member firm.
PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or
omissions of any of its member firms nor can it control the exercise of their professional judgment or
bind them in any way. No member firm is responsible or liable for the acts or omissions of any other
member firm nor can it control the exercise of another member firm’s professional judgment or bind
another member firm or PwCIL in any way.
Thank you
Panel Moderator
Mr Austin Okere, Founder/Chairman, CWG Plc & Ausso Leadership Academy
Panel Discussion
Dr. Victoria Enape, Principal Partner, Enape Victoria & Co.
Mr Kashifu Inuwa Abdullahi, DG/CEO, National Information Technology Development Agency (NITDA)
Wunmi Adetokunbo-Ajayi, Partner, Digital Risk, Cybersecurity & Privacy, PwC Nigeria
Mr Austin Okere, Founder/Chairman, CWG Plc & Ausso Leadership Academy
All Questions & Answers
Comments to questions asked
Questions (un-edited) and Comments
Question: What pertinent questions should board members ask technical teams and security leaders within the organisation?
Comment:
❏ How could a cyber incident impact the business?
❏ How much risk are we willing to take?
❏ How resilient is the business to a cyber-attack?
❏ Which threats should we be most concerned about?
❏ Are we spending in the right areas?
❏ What actions are we taking to educate employees (the first line of defense) about how to identify and react to the cyber attack schemes?
❏ Are there gaps in our cybersecurity capabilities?
❏ How is the IT function changing its strategic priorities in the short-, mid- and long-term and are resources sufficient to achieve these priorities?
❏ Has the incident response plan been updated for leadership and employees in a remote working environment?
❏ How are increased third-party and fourth-party security risks due to COVID-19 & other related matters being managed?
Question: When we talk about hacking and putting around a SOC, NITDA promised they would establish a national cybersecurity research center and would go into partnership with the Government of Malaysia and Canada, and that it would have a cyber incident response centre. How far is that project with NITDA?
Comment: The project was mooted in 2017. NITDA has changed its approach to research because NITDA does not deal only with cybersecurity but with all IT areas. Now, NITDA is taking a different approach by creating centers of excellence in tertiary institutions, where we think it is better and more appropriate to have people carry out this type of research.
A Computer Emergency Response and Readiness Team was set up which currently resides in NITDA for the federal government, and the team is connected with the National Computer Emergency Response and Readiness Team housed with the Office of the National Security Adviser. Because the establishment of a center would be a large financial investment for NITDA, this approach achieves the same objective using a distributed method. Cybersecurity has to involve as many stakeholders as possible to avoid a single point of failure in terms of policy development.
Question: Give an overview of the provisions of the Cybercrime Act in dealing with cyber criminals and getting justice for cyber victims.
Comment: The Cybercrime Act was signed into law in 2015. It criminalizes certain actions using the internet or any other electronic means for the purpose of committing crimes. The provisions of the Act are designed in such a manner that they give law enforcement the ability to prosecute people for committing certain crimes. The presidency has the power to designate certain computers and networks as critical and vital to national security. Also, the presidency is to provide guidelines on how those networks are actually managed. If hackers are found guilty, they are liable to a fine of up to 10 million naira or imprisonment for 5 years, depending on the purpose of the hack and the results they get from the hack.
The Act makes identity theft a crime; it makes child pornography a crime; cyber stalking and cyber bullying are also crimes under this Act; it forbids the distribution of racist and xenophobic materials; it requires that service providers retain traffic and subscriber information for a certain period, as may be regulated by the telecoms regulator, in order to assist law enforcement in gathering information for the purpose of prosecution; it allows for the interception of electronic communication based on a court order. This is an overview of the legal aspect of the Cybercrime Act.
Per the institutional framework of the Cybercrime Act, there is an office for the prosecution of cybercrime in the Attorney General’s office where they deal with any cybercrime activity that has been reported to them, and they will prosecute anybody that is responsible for that crime.
The Cybercrime Act also makes provision for a Cybersecurity Advisory Council. This council is made up of all stakeholders within and outside of government, ministers and private sector participants, including non-governmental organizations, who would meet at least quarterly to discuss and advise government on issues to be addressed as far as cybercrime and cybersecurity are concerned.
There have been some issues raised around the conditions of the Act, which tend to be more commercially inclined; those issues are being addressed as the Act is being reviewed.
Question: Should we be worried about the new “arms race” in the form of quantum computing with the potential to compromise all existing security measures? Should we wait or proactively and strategically ACT NOW?
Comment: We still have some way to go before the risks with quantum computing start to crystallise. Most of this technology is still in the research and development stage (with fewer than 15 currently in the world) and may take years before it becomes commercially available. However, as quantum computing advances in technology, we believe that security and best practices will also be developed alongside it. Yes, they can significantly reduce the processing time traditional computers need to complete processes, and the real concern is using this to break existing cryptographic algorithms. So, it's still early to be "worried" but it's something we should all keep our eyes on. To add to this, it is not only attackers that can use this technology; “good guys can” too. Therefore it also has the potential to increase security.
Question: Should we be stressing cyber security or cyber resilience?
Comment: Both cyber security and cyber resilience are important.
Cyber security deals with the measures put in place to prevent security breaches of any kind, while cyber resilience deals with the quality of your response to any cyber attack when it occurs. Hence, both cyber security and cyber resilience are important.
Based on the Cybersecurity Framework (Identify, Protect, Detect, Respond and Recover), Respond and Recover cover cyber resilience.
Cyber attacks may be inevitable. We must secure our most prized assets to reduce the level of exposure and loss. Likewise, we must also be prepared to immediately detect and respond to a cyber attack when it occurs.
Question: Recent Twitter hack. What could they have done differently to prevent it?
Comment: Twitter says the main vector used for the hack was spear phishing. Spear phishing is about targeting specific individuals. Continued education, training and awareness is very important because people are usually the weakest link regardless of the technology implemented.
A way to prevent such an attack from recurring is to continuously train and re-train their staff members and keep them up to date on the latest cyber trends and attack techniques. Prominent organisations should expect to be hacked and be able to respond as efficiently and quickly as possible. The key thing is how responsive we are to a cyber attack.
Question: Should all categories of employees of an organization be trained in cybersecurity issues?
Comment: Yes, all employees should be aware of the current cyber security landscape and should be adequately trained in recognizing and avoiding the tactics employed by malicious users in compromising security systems.
More specifically, an employee risk assessment should be carried out by organizations to determine the impact on their business if any employee is compromised. This may lead to different levels of cyber security training for employees based on the risk assessment.
In addition, based on the polls conducted when the webinar began, we saw that the majority of the participants on this webinar agree that people are the weakest link for a cyber attack. If all staff are adequately trained to identify possible cyber threats, it reduces the possibility of a successful social engineering, phishing and/or other type of cyber attack.
Question: What can persons do as regards connection to public (hotel, cafe etc.) WiFi, in order to do office work?
Comment: Best practice is to avoid connecting to untrusted networks like public WiFi, to avoid man-in-the-middle attacks. But if you have to, ensure you use your VPN and be very cautious about the type of activities done during the period.
Question: How would you rate the global collaboration towards arresting BEC and hacking?
Comment: Organizations all around the globe are now becoming more cyber aware and taking more steps to ensure that cyber threats and attacks are reduced to the barest minimum. It’s also important for organisations to organise regular cybersecurity training and awareness programs for all staff (board members, technical and non-technical staff inclusive).
Question: People are the weakest link. Those within or outside, or both? What could we do differently to curtail it?
Comment: In addition to hardening security systems within an organization, adequate awareness and training programs should be organized for all stakeholders.
Question: How can you control information already in the open space?
Comment: This depends on the information and the platform in use.
For things like brand abuse and trademark infringement, it can be pursued legally. In the event that the actors are unknown, there are organisations that offer takedown services to expunge the information and/or the sites where it is hosted.
Information on social media can also be handled by the platforms, by reaching out to the providers. They also offer a number of features to report abuse that can be explored by the public.
In most cases, you would still need to provide evidence of abuse. If the information isn't found to violate any policy, it may be significantly more challenging because of "freedom of speech" (for instance, imagine a company trying to remove a customer's complaint. In this scenario, the complaint is likely not violating any policy or infringing on the brand/trademark, so it will be almost impossible to remove/control this).
Question: Is there any insurance policy as regards hacking, especially when the client has full compliance from the antivirus software?
Comment: Insurance policy should be discussed by anti-virus providers.
Question: What does BEC mean?
Comment: Business Email Compromise (BEC). It is a tactic employed by malicious users where a business email is obtained and used to imitate the owner in performing fraudulent activities.
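The comment above describes BEC as a mailbox owner being imitated to authorise fraudulent payments. As an added illustration, not part of the webinar and not the panel's or PwC's code, the Python script below applies the header checks a mail gateway or SOC analyst can use to flag likely impersonation before a finance team acts on a message: an executive's display name arriving from an outside domain, a sender domain that is a near-lookalike of the corporate domain, a Reply-To that diverts replies elsewhere, and pressure wording in the subject. The corporate domain example-corp.com, the protected names and the four sample messages are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumed corporate domain and protected display names (constructed for this example).
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe", "Chief Accounting Officer"}
URGENCY_WORDS = ("urgent", "immediately", "today")

# Constructed sample messages (headers plus a short body): one genuine, three suspicious.
GENUINE = """From: Jane Doe <jane.doe@example-corp.com>
To: payments@example-corp.com
Subject: Q3 supplier invoice

Please see attached.
"""
IMPERSONATION = """From: Jane Doe <jane.doe@gmail-mail.net>
Reply-To: jane.doe@gmail-mail.net
To: payments@example-corp.com
Subject: URGENT wire transfer

Please process today, I am in a meeting.
"""
LOOKALIKE = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: accounts@examp1e-corp.com
To: payments@example-corp.com
Subject: Updated bank details for supplier

New account details attached.
"""
REPLY_TO_SWAP = """From: Jane Doe <jane.doe@example-corp.com>
Reply-To: jane.doe.ceo@outlook-mail.org
To: payments@example-corp.com
Subject: Re: payment

Use this address for replies.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted):
    """True for a domain that is not the trusted one but within two edits of it (e.g. examp1e-corp.com)."""
    return domain != trusted and edit_distance(domain, trusted) <= 2


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message, trusted_domain=CORPORATE_DOMAIN, executives=EXECUTIVES):
    """Return the list of indicator names found in the headers; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    subject = msg.get("Subject", "").lower()
    findings = []
    # 1. A protected name used as display name, but the address is not on the corporate domain.
    if display_name in executives and from_domain != trusted_domain:
        findings.append("executive display name on external sender")
    # 2. Sender domain is a typo-squat of the corporate domain.
    if is_lookalike(from_domain, trusted_domain):
        findings.append("lookalike sender domain")
    # 3. Replies are steered to a domain other than the apparent sender's.
    if reply_addr and reply_domain != from_domain:
        findings.append("reply-to domain differs from sender domain")
    # 4. Pressure language typical of payment-fraud lures.
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency keyword in subject")
    return findings


if __name__ == "__main__":
    for label, sample in [("genuine", GENUINE), ("impersonation", IMPERSONATION),
                          ("lookalike", LOOKALIKE), ("reply-to swap", REPLY_TO_SWAP)]:
        print(f"{label:14s} -> {bec_indicators(sample) or ['no indicators']}")
```

These checks only read header fields, so they catch the cheap impersonation cases (free-mail sender, typo-squatted domain, diverted Reply-To). Where the attacker has taken over the real mailbox, as in the Chicago case cited earlier in the deck, the headers look genuine; for that case the control is a second, out-of-band confirmation of any change to payment details rather than anything the mail filter can see.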
Question: How are social media still hacked after two-factor authentication has been activated?
Comment: Two-factor authentication provides an extra layer of security to user accounts and confidential resources. However, if the two-factor authentication medium is also compromised, then personal accounts or corporate accounts are prone to being hacked.
Question: Should the Board get some punitive measures where there are cyber attack incidents in organisations? Considering that at times, the CIO, CISO who often get fired typically recommended tools to address....PROTECTION, DETECTION and RESPONSE strategies.
Comment: Before any punitive measure is taken in response to a cyber attack, organizations need to engage cybersecurity specialists to carry out a thorough investigation to determine the cause of the compromise.
Malicious exploits in security systems could be the result of several factors such as:
● Ignorant employees falling victim to social engineering attacks
● Poorly configured infrastructure and outdated server applications
● Lack of state-of-the-art security systems
Most cases of data breaches result in significant financial loss to affected organizations, and in situations where the breach was a result of negligence of duty, organizations should take effective measures to prevent a repeat of such compromise.
Question: Returning to the workplace after Covid-19, what should boards be thinking about?
Comment:
- Safety of staff. This is key and should be uppermost in the mind of board members.
- Mechanisms in place to identify if someone is infected with Covid-19, as well as a response plan should that happen.
- How do you continue to operate your business with all the limitations at hand?
- In terms of services, identify critical services and ensure resilience is built around them.
- Continued education of staff.
Wrap-up & Closing
Dele Alimi, DG, IoD Nigeria
Thank you
This webinar has ended.