The Information Systems Audit and Control Association (ISACA) has warned Nigerians, the government and companies to protect their systems from potential cyberattacks amid the COVID-19 crisis.
Ime Udoko, Director, Research and Marketing of ISACA, Abuja Chapter, told NAN on Wednesday that there were increasing threats to computers and phones under the Remote Work Model (RWM).
He said: “The RWM model mandates organizations’ personnel to connect remotely and access business emails and applications using home devices. Most often, home devices are not protected by the corporate firewalls and anti-phishing security controls.
“Most times, connections are made using home routers which are ungoverned; browsers on many computers provided by companies hold sensitive information like User IDs and passwords.
“Already, attackers find these as easy targets to gain remote credentials and perform malicious logins to corporate networks. With the low level of security awareness, phishing campaigns through email make employees at home a soft and easy target,” Udoko said.
The expert debunked the belief that connections to corporate networks in the Work From Home model were done through Virtual Private Network (VPN) and could be secured.
The Director recalled that prior to the COVID-19 outbreak, statistics on the Nigerian internet space from the Threat Intelligence Reports of Check Point, an institution monitoring cyber threats globally, were disturbing.
“Organizations in Nigeria with internet presence have been attacked 1,292 times per week in the last six months compared to 411 attacks per organization globally.
“88 per cent of the malicious files targeting institutions in Nigeria were delivered through emails, compared to 66 per cent of malicious files globally. The most common vulnerability exploit type in Nigeria is Remote Code Execution (RCE) which is impacting 70 per cent of organizations in the country,” he recalled.
Udoko charged the government and private institutions to consider setting up a Cyber Risk Management team to evaluate all possible risk scenarios and ensure adequate IT resources to support staff.
He called on companies to invest more in creating awareness and to ensure employees’ devices comply with organizations’ internal policy and have up-to-date security software and security patch levels.
“Ensure all the corporate business applications are accessible only via encrypted communication channels; ensure Data at Rest (DAR) on employee laptops is encrypted to protect against unauthorized disclosure in the case of theft or device loss.
“Where possible, get full protection from credential theft through phishing or social engineering as well as malware, exploits, ransomware, and other email-delivered threats, by investing in relevant services.
“Safeguard access to application portals through the use of multi-factor authentication mechanisms, vet Bring-your-own-device (BYOD) such as personal laptops or mobile devices from the security standpoint,” he said.
Udoko added that the processing of personal data by the employer in the context of remote working should be in compliance with the local legal framework on data protection such as Nigeria Data Protection Regulations (NDPR).
The ISACA director advised that employees should be discouraged from sharing the virtual meeting URLs on social media or other public channels, adding that unauthorized third parties could access private meetings and breach business confidentiality.