Mr. Peter Ejiofor, the Chief Executive Officer of Ethnos IT, an IT security firm, talks with IT EDGE News' Anthony Nwosu on the importance of IT security, the lack of a robust cybercrime bill in Nigeria and Nigeria's approach to security issues.
Ethnos IT is an ICT security firm, what area of security are you into?
Ethnos is an information and system security company and we provide security compliance advisory services to firms and we help organizations to meet the globally required security standards. We work with global brands in terms of security. At EthnosIT, we strive to first understand the specific security requirements of our clients; assess their risks and unique security and compliance needs and identify the gaps between current and desired security postures. We then apply the proper security controls to deliver custom solutions optimized for cost, efficiency and performance. This approach enables us to provide assistance in specialized fields with highly experienced and extensively trained information security professionals. Based on our clients’ unique requirements, we assess, architect and implement the policies, procedures and technologies that most efficiently and effectively protect valuable information assets. Today, information system security can be broken down into many parts such as infrastructure security, online security, database security and network security. These are the various types of security that we have solutions in place for. In a nutshell, we deliver solutions that address the requirements of PCI-DSS, ISO 27001, and the overall security needs of any organisation regardless of size and complexity.
What are challenges of managing this kind of business in Nigeria?
The biggest problem we have is not the skill set or people but the consumption of IT security solutions in the country. There is a need for people to appreciate the importance of IT security and the damaging effect of any threat or breach in an organization. This is what drives security. A lot of people are not concerned about security here in Nigeria. This is one problem that we face. Here in Nigeria, crimes are committed and people get away without anybody challenging them, but with proper IT security in place crimes and hacking incidents can be curtailed to some limit. Also, many firms and individuals install minimal security which most of the time are mostly fakes and due to this situation quacks are so much in the industry. Regulatory bodies such as the Central Bank of Nigeria have come up with laid down rules and compliance especially in the area of digital and online transactions. This compliance has thrown up minimum security requirements in the banking sector as PCI-DSS, ISO 27001, etc. Today, the public sector should have been the security driver in Nigeria, but the fact is that there is no unified regulatory body that is in charge of public sector security requirements in their various operations; most organizations get away with security complacency. Another challenge seems to be the lack of a local security regulatory body in Nigeria.
What is your position about the lack of unified security regulation in Nigeria? Don’t you think that NCC and NITDA can fill in this vacuum?
The NCC is more into telecoms and CBN is in charge of the financial space and I think NITDA is basically an ICT clearing house for IT products in Nigeria and their scopes are limited. If I may say and I think, for instance, NCC is bedevilled by the regulation of quality of service in telecommunication space and they have not even started talking about security of data and voice services, they are inundated with low call quality. I don’t think that most of these organizations have the skills to manage security regulations. IT security as it now boils down to organizations and how proactive they are toward IT security; or how committed they are to securing their individual platforms. I don’t think that NITDA, NCC or CBN is empowered or can regulate IT Security standards in the government ministries, defence or schools. This is in respect to the minimum requirements of security: regulate private data, regulate the security standard of bureaus and privacy of information of staff and information they collate from the public. This is one thing we should know that regulation of security isn’t yet formalized in Nigeria. Even the power infrastructure today will be powered by one form of computer or another and in this case who regulates the security in the power sector as critical as it is? This is the situation we have found ourselves today. If the government has come to realize the threat that has come to us in terms of IT security then our government will sit up. Today we are virtually doing everything online from government delivery system, online payment, and even online education. Different sectors of the economy are virtually going online and this has made us vulnerable to hackers and criminals. I think the earlier government sits up on this security issue the better for us. 
The government should look at increasing the capacity of most of the existing regulators to bring them up to speed with global requirements or create new agency that will be empowered to deal with this threat.
The NiRA has assured that domains such as .ng, .gov.ng, .edu.ng are more secure. What is your take on this statement by NiRA?
I think that NiRA isn’t doing enough in the domain names and also educating Nigerians on how important these domains are in terms of security and availability. The lawmakers should be responsible in providing policies that can drive these concepts in Nigeria. The lawmakers will be able to increase the capacity of existing agencies, but it’s unfortunate that our lawmakers are not thinking in this direction. I was aware that government introduced these domains and I wonder why government is using yahoo address as an email. To me it shouldn’t be. How can you transact a government affair using a free domain like yahoo.com or gmail.com? How can a government agency still be using yahoo mail as an official email? I just can’t see and I am yet to see any government that has IT security policy in their ministry. We are still struggling with passing cybercrime bill. At this stage we are trying to develop a bill that will control cyber environment when we could have borrowed from other developed countries and how their cybercrime bills are made in order to make our own bill more robust. But unfortunately Nigeria’s cybercrime bill is just shallow and has nothing.
From your statement, your take is that IT security experts are not being consulted on Nigeria’s IT security space?
What happened over the years is that a few people have cornered the government and they have not improved their skills. This set of people were IT experts in the 1970s but till today they are still working for and advising government. This is pathetic. Hardware, software have been conquered even networking; today, the revolution is security. Today, there is seamless connection via many devices and considering the high-level of mobility today, IT security is the next frontier and we have to be serious about it. In government circles, what they do is to employ somebody that has worked in Oracle or maybe Microsoft or Google and employ him to man strategic ICT bureau without asking what he did in these internationally renowned organizations. To me, it is pathetic. This awareness should start from the public sector then to private sector. The government or public services have to enforce certain security standards and force or compel the private sector to come behind them, but private sector is the one enforcing security. I think government has to sit up.
We have data centres and collocation centres now in Nigeria, what is the best approach to ensure that our data centres comply with global best practice?
Again, we can look at them from two angles. One is regulating the practice of data centres and another is monitoring the threat. People build data centres to help their businesses. In terms of threat I think that in most countries that are security conscious, the monitoring falls into the hands of law enforcement agents. This is where we have the challenge in Nigeria. The question is how is our law enforcement equipped to track ordinary crimes not to talk of cybercrimes. There should be a law that will make organizations make their breaches and security threats public. It takes between 70-150 days for an organization to know when they are hacked or breached, so it is imperative to make these breaches public. When you hear a “network is down” be it in bank or telecoms the next question should have been what caused it? It is important to make these things known so that other organizations can learn from their mistakes. But they do not let the public know what caused the network failure.
It has been rumoured that the federal government had purchased email monitoring equipment – Is government not encroaching into privacy of the individual?
I don’t think so. Usually these systems are designed for surveillance; they are searching for certain information that could be of intelligence interest and they decode it. It is not a breach of individual privacy and it is used for national security. If you are to monitor an email, you must have an agreement with telecom providers and maybe email providers. I feel what the government wanted to do was surveillance and this system could be to gather some security information. It is not supposed to be a breach of individuals’ privacy. Even when you scan emails, what they do is that they don’t monitor the contents of the email they only filter the packets and scrutinize it for malware or security threat information. It is legal surveillance. I think that the country is not yet wired for such surveillance. We in this country do not ask questions especially the media. The question we should be asking is how will it be possible to monitor these emails? I believe that some guy must have sold them a surveillance system and it is called lawful interception, network forensic system detection technology, but these things are looking for key words not to read through a whole email and mind you, the Nigerian government will not be reading every citizen’s email. I think it will be focusing on those that pose a national security threat. I don’t think that Nigeria has the capacity to monitor all emails emanating from or coming into the country. For this to be possible, they must install systems at central station of all telcos and ISPs. We don’t even have functional national database that has record of everybody in this country. NCC, NIMC, INEC have collected biometric information of people in this country, where are those records stored and can you access them? But one thing you should know is that even if the government doesn’t monitor citizens’ emails, some other person is monitoring the emails; be it the criminals, the email provider or operator.
Is security awareness growing in Nigeria?
The awareness has grown, but we are yet to take security precautions very seriously. It depends on how we look at it and what we are doing with that awareness. Before now, companies considered security as extra cost when deploying equipment, they focus only on the business applications and how they work, their scalability and features but not security. Today, security conscious governments globally require that all organizations must have a security policy while developing their IT policy. This is a global norm so that security will not be an afterthought, but part of planning processes. It is required that security should be dealt with from the board level.
What are the basic IT security measures or steps an organization should take?
Security awareness program must be embedded in HR policy and it should be done quarterly and these policies should be defined based on how critical or level of importance of the services they provide. An airport security assessment will not be the same with school or a financial centre, but there should be a robust security policy in place. Every organization must have a functional and licensed antivirus. A company should never run a free antivirus.
Any plans for expansion to African countries?
Looking at business expansion is based on how much we can invest in development. We want to have an indigenous security system that can bear Nigerian signature and can compete globally. In terms of expansion to other African countries that is not yet in our view, but once in a while we get request from Senegal, Zimbabwe, Ghana and Kenya – we do businesses with them. That doesn’t mean we have to open shop there. We are not thinking of rapid expansion in other African countries. We are looking at satisfying local market and bringing viable security solutions in Nigeria. This will be how we want to measure our growth.