Mr. PETER EJIOFOR, the Chief Executive Officer of Ethnos IT Solutions, a security outfit in Lagos, talks with IT Edge News, ABUBAKAR MOSHOOD on financial regulation, e-fraud, cyber breach and why SMEs should leverage on security tools to evade cyber breaches
What is EthnosIT Solutions Limited into?
EthnosIT Solution Limited is security focused company. Everything we do revolves around security. Like securing infrastructure, securing assets that are driven through infrastructure. Securing transactions and securing the platform with which we drive the transactions from the service providers to the customers. Our focus is on the different levels of security. First is the perimeter for the database. We have the technology that drives every aspect of security. Currently in Nigeria, we have a couple of companies who are basically just delivering foreign products in various aspects of IT but we are different because we are security focused. We don’t do anything but security which includes the products and services itself and knowledge transfer. We are a young company. We are probably one of the few IT security companies that have the largest number of foreign partners that are willing to collaborate with us to deliver security locally.
A recent report shows that Nigeria IT Security industry is growing at 39 per cent, what do you think is responsible for this growth?
Nigeria has huge appetite to consume technology driven services, it makes the transaction relationship a lot easier. A lot of foreigners believe that Nigeria has a huge population, so we are very likely to consume a lot of technology products. We are catching up with the rest of the world. It’s not a surprise that we are technology hungry. Telecom is expanding; so Nigeria has big appetite for technology in different sectors.
Do you think we are doing enough to reduce e-fraud in Nigeria in terms of sensitization and regulations?
Some of the fraud is perpetrated in-house in the banks. We have seen people who breach the bank infrastructure to gain access in collaboration with some in-house staff, who understand how the software works. We have not seen a large percentage of hacking from outside of the country. In terms of sensitization, there’s not too much that the customer has to do. The customer is told to preserve his or her login credentials. A lot of the huge fraud don’t happen from the customers’ end, even though, we have a lot of people that have fallen prey to phishing programme, where you are either re-directed into the criminal website or you are instructed to update your account only to discover you are popping your information into the wrong site. The huge amount of fraud happens within the bank staff, people who understand how the systems work. But in terms of whether the service providers are doing enough is another issue. All over the world, what drives security is the seriousness of regulation which is why the CBN [Central Bank of Nigeria] is coming out with different levels of standard that you must comply to. If the regulation is not strong people won’t do much. Nigeria as at today is grossly under-regulated in every sector of the economy. The CBN and any other regulatory agencies that regulate the financial sector would need to improve their act of regulation. It is not enough to say go and implement ISO27001, they need to make sure people are doing the right thing. A lot of banks have presented certification to the CBN and CBN seem to be satisfied with that paper certificate but are they compliant? You can go to school to obtain certificates, it does not mean you have obtained effective knowledge to deliver what you have studied in school. The CBN is not there to kill the banks. The banks are not there to kill the customers, it is a relationship. Effective regulation is not about punishment, it is about following through different lines of responsibilities and controls.
How can we set our regulations right to check e-fraud in Nigeria?
Remember, there are things like data breach, data theft, identity fraud, espionage, state sponsored information theft et al. The financial regulators are not looking at critical infrastructure. From a security point of view, I am convinced that many times when we have dropped calls, a lot of them don’t arise from typical malfunctioning of the telecom infrastructure, some of them are proven cyber threat, but because the government has no way of determining exactly the causes of this downtime, they can call it anything, because the systems are designed to give you a generic error, if communication cannot be completed. But if you look at it critically, it could be that some people are trying to shut down our systems or trying to hack into our cyber environment without us knowing it. The e-fraud is just about 20 per cent of cyber security or cyber attack. What if a criminal decided to shut down the entire banking system and customers cannot access their account from one branch to another. We know that if a hacker comes into a bank, it takes minimum of about 150 days to detect it. Currently, we are dealing with the banks and payment processing companies; nobody is talking about the merchants. It is either on the merchant’s website, I will go type in my bank information or the merchants PoS, I will swipe my cards. Nobody is looking at that angle. Regulators need to be much more equipped, proactive, and that way, it can help operators to up their game and ensure that they protect themselves and their customers. Regulators will also have to ensure that law-makers, put in place effective laws and policies that will enhance regulations to safeguard customers and service providers. So no matter the awareness that they try to create among customers there is not much the customers can do. The security is not within the customers. The bulk of the security is between the service providers, the merchants and the processors. Those are the people that get breached not the customers.
How can we develop local IT security solutions in Nigeria?
It must be driven by the public sector. They have the money and the power. When we begin to have people who are great thinkers in the government, then they can sit down and say we need to develop our technology. Again, it comes to making the right laws. The laws will drive start-ups like in the Silicon Valley in the United States of America. Our educational system also needs to be strengthened, let people come up with researched result that can translate into development. If I want to set up a new business today and I want to develop security solutions, First, I have to invest money for like two to three years I will not think of selling to anybody. Because I don’t know who is going to buy a local product, knowing that it is locally developed and for me to be able to compete with any existing foreign products, I have to put in so much R and D into it and with the high cost of running a business in Nigeria, it will take you two to three years before you can commercialise it or get people to buy from you. So it is capital intensive for private companies to develop new products. The commitment of the public sector drives the private sector.
How can SMEs in Nigeria leverage on your security solutions to combat cyber breach or cyber attack?
When we are talking on SMEs leveraging on our solutions, because public sector that should drive the use of technology is not driving it, the SMEs who are already struggling with how to pay their bills are not going to listen to you when you tell them about security. There is a minimum standard in terms of security. The minimum they can do is Anti-Virus which we will provide them. Then the next level is those who want to do traffic monitoring, we can provide them with traffic monitoring solutions. Those who want to ensure their data leaves the right place and go to the right person and he is able to read the information, we can provide them with encryption. We provide solutions depending on the needs of our customers. Our job is to see who you are and what kind of security you need. We can then show you your risk exposure and your risk treatment which automatically becomes your risk solutions.