Justice Anyai, Country Manager for Nigeria at Check Point Software Technologies.

Worldwide, the number of attacks experienced per business each week is 870 on average - in Nigeria, this weekly figure is 2 308 across all industry sectors collectively. The more-granular per-industry analysis reveals this figure is higher still for businesses in the finance and banking sector.

This is according to cyber security solutions provider Check Point which this month released the findings of its Research Threat Intelligence Report for Nigeria.

According to the report, of all Nigerian businesses across sectors from health to education, the most targeted is finance and banking.

“Over the last six months, the number of attacks against these institutions in Nigeria was 3 682 per week, while globally, this figure is far lower at 774,” says Pankaj Bhula, Check Point Software Technology Regional Director for Africa. “To protect this booming industry, more must be done to drive awareness around cybersecurity.”

The report also revealed that, over the past six months, 62% of Nigeria’s businesses fell victim to Remote Code Execution (RCE) attacks, making this the top class of vulnerability exploits.

A cybercriminal can gain remote control to a device and the private data stored on it in an RCE attack. Considering the most targeted sector is finance, which holds a wealth of sensitive user data, the rise of RCE attacks is concerning, Check Point adds.

Social engineering and deepfakes

Check Point Software Technologies forecast several alarming cyber-threat trends for 2022, including the weaponisation of deepfake technologies by cybercriminals to create fake news campaigns as part of elaborate phishing attacks, predominantly carried out over email. In fact, in Nigeria, email was recorded as the origin point for 60% of cyberattacks over the last month, according to the report. As it’s the prevailing vector for delivery of malicious files, awareness around social engineering attacks like these must be bolstered.

On the topic of deepfake technologies, Remi Afon, president of the Cyber Security Experts Association of Nigeria, reiterated that it’s a huge area of concern in 2022.

While the technology can be leveraged by criminals to scam and dupe victims, a more insidious purpose is using deepfakes to create political instability and scandal. For Afon, this technology and the resulting spread of misinformation could have far-reaching ramifications for Nigeria’s 2023 General Election, to be held next February.

Justice Anyai, Country Manager for Nigeria at Check Point Software Technologies, told ITWeb Africa that two stats took him by surprise. “The fact that Nigerian companies deal with a weekly average of 2308 attacks (where the global average is only 870) should make us question why they are being targeted so often. The truth is that cybercriminals usually focus on the areas of least resistance – one explanation might be that more of our nation’s companies pay ransoms once they’ve fallen victim to ransomware attacks; another might be that Nigerian companies are easy targets considering the lack of budgeting for cybersecurity. 62% of Nigeria’s businesses fell victim to Remote Code Execution (RCE); this means that organisations are not putting the right technical controls in place to prevent RCE attacks, which is concerning.”

Anyai explained that in order to get a holistic understanding of the global cyber-threat landscape in 2021, Check Point Research looked at the average number of weekly attacks an organisation in each country experienced.

He said that globally, 112 countries were included in this overview; of those, fourteen were across Africa: Angola, Botswana, Cote d’Ivoire, Egypt, Ethiopia, Ghana, Kenya, Mauritius, Morocco, Namibia, Nigeria, South Africa, Uganda, and Zambia.

Of the 14 African countries, Nigeria recorded the fourth highest number of weekly cyber-attacks per organisation (2358 attacks), with Ethiopia topping the list (7518 attacks), followed by Mauritius (2748 attacks), and Angola (2586 attacks). Egypt had the lowest number of weekly cyber-attacks per organisation in the African group (92 attacks).

“In a wider context of comparison, across the EMEA region, the average number of weekly cyber-attacks per organisation is 777; globally, this number is 870 – both are far lower than Nigeria’s number of 2378.”

No-one is immune

According to Anyai, cybercriminals use the same vectors and attack surfaces to access online assets, no matter where these assets are physically based.

“No individual or organisation is immune … there are no unique features/tactics that Nigeria’s businesses have at their disposal to address cybercrime. Conversely, as highlighted in the release, a growing challenge for Nigeria relates to its rapidly growing mobile payments sector. Cybercriminals are taking notice of the country’s increasing reliance on mobile devices, exploiting the rapidly expanding industry where cybersecurity measures aren’t being adopted as quickly as the mobile technology itself is being taken up. This issue underpins a greater problem within many of Nigeria’s business sectors: inadequate budgets for investing in cybersecurity solutions. Added to this is the global issue of the digital skills shortage, which also applies to the field of cybersecurity.”

Anyai also references Nigeria’s Cybercrime Advisory Council which was set up in 2016 to act under the "Cybercrimes (Prohibition and Prevention) Act, 2015".

“The purpose of the Act, as explained in this article, is to “create a comprehensive legal, regulatory, and institutional framework in Nigeria to prohibit, prevent, detect, prosecute, and punish cybercrime. In the context of cybercrime, prevention and not simply detection is the best form of management, and this approach should be followed by all public- and private-sector organisations, including governments, to reduce the number of attacks.”

Check Point says that it’s crucial that budgets are earmarked for effective IT security infrastructure that will enable a proactive rather than reactive approach to cybercrime. Proactive businesses are more resilient, have backups, and can protect sensitive data in stronger or more innovative ways.

These companies also run the latest updates of their security software, web browsers, and operating systems to ensure any new vulnerabilities are patched to protect against attacks, the company states.

It also underlines that people are a large part of the cybersecurity equation. As such, businesses must equip staff with information on best practices for staying safe online when working in the office or remotely. Such information would promote vigilance around phishing emails and encourage the use of password managers and trusted Wi-Fi networks, while highlighting the dangers of accessing unsecured websites.

Check Point Software Technologies advises that businesses apply security patches, segment networks, educate employees on cybersecurity

Anyai concludes: “I think Nigeria needs to look at the current lack of cybersecurity- skilled professionals, and focus on solutions to change this so the country can future-proof itself as a strong player in the global digital economy. I feel that grass-root investment would help in building the next generation of cybersecurity experts.”