By Adedapo Adesanya
The Information Systems Audit and Control Association (ISACA) has warned Nigerians working from the comfort of their homes to be wary of possible cyberattacks, which are rampant at vulnerable periods.
According to the Director, Research and Marketing of ISACA, Abuja Chapter, Mr Ime Udoko, there are increased threats of attacks to people who have adopted the Remote Work Model (RWM).
Mr Udoko said on Wednesday that the COVID-19 pandemic had encouraged the use of RWM by businesses and institutions, but warned that if precautionary measures were not taken, they could be easily attacked by cyber criminals.
“The RWM model mandates organisations’ personnel to connect remotely to their respective offices to do their work and access business emails and applications using home devices.
“Unfortunately, most often, home devices are not protected by the corporate firewalls and anti-phishing security controls.
“Most times, connections are made using home routers which are ungoverned; browsers on many computers provided by companies hold sensitive information like user identities and passwords.
“Already, attackers find these as easy targets to gain remote credentials and perform malicious logins to the corporate network.
“With the low level of security awareness, phishing campaigns through email make employees at home a soft and easy target,” Mr Udoko said.
He further said that many believed that connections to corporate networks in the Work From Home model were made through a Virtual Private Network (VPN) and were secure, but said private networks could be manipulated and could be damaging.
He recalled that even by the disruption of the COVID-19 era, there were already some disturbing statistics about the Nigerian internet space in the Threat Intelligence Reports of CheckPoints, an institution monitoring cyber threats globally.
“A typical organisation in Nigeria with an internet presence is being attacked 1,292 times per week in the last six months compared to 411 attacks per organisation globally.
“88 percent of the malicious files targeting institutions in Nigeria were delivered through emails, compared to 66 percent of malicious files globally.
“The most common vulnerability exploit type in Nigeria is Remote Code Execution (RCE) which is impacting 70 percent of organisations in the country,” he recalled.
The ISACA Research Director said that COVID-19 had changed the business model, and this had made it susceptible to a double rate of attacks, which could be blamed on a low level of cyber risk awareness.
He added that the attacks stated by CheckPoints were being launched on organisations operating a 90 percent physical model with less than 10 percent cyber dependence.
He advised that government and private institutions should consider setting up a Cyber Risk Management team to evaluate all possible risk scenarios and ensure adequate Information Technology resources to support staff.
“Companies should invest more in creating awareness of the do’s and don’ts while working from home, ensure employees’ devices comply with organisations’ internal policy, and have up-to-date security software and security patch levels.
“Ensure all the corporate business applications are accessible only via encrypted communication channels, ensure Data at Rest (DAR) on employee laptops are encrypted to protect against unauthorised disclosure in the case of theft or device loss.
“Where possible, get full protection from credential theft through phishing or social engineering as well as malware, exploits, ransomware, and other email-delivered threats, by investing in relevant services.
“Safeguard access to application portals through the use of multi-factor authentication mechanisms, vet Bring-your-own-device (BYOD) such as personal laptops or mobile devices from the security standpoint,” Mr Udoko stated.
He also advised institutions to ensure policies for responding to security incidents and personal data breaches were in place to the knowledge of the staff.
According to him, the processing of personal data by the employer in the context of remote working should be in compliance with the local legal framework on data protection such as the Nigeria Data Protection Regulation (NDPR).
Mr Udoko said that employees should be discouraged from sharing the virtual meeting URLs on social media or other public channels, adding that unauthorised third parties could access private meetings and breach business confidentiality.