The biggest nightmare security agencies face across the world is not just organised terrorism as we know it, as in a cell of bad actors; the lone terrorist is the one who is greatly feared in the security world. The lone terrorist is scarier because he or she would probably go to the same religious institution as you and use the same public facilities as you without raising any eyebrows the whole time. What do you do when that’s the kind of enemy you now face?
What is true for terrorism and crime fighting is sometimes true for IT breaches as well. A new Verizon report, the 2015 Data Breach Investigations Report, put this in focus once more. When you have a breach of data, it is likely, up to 50 percent of the time, that it could be an inside job. The report noted that 30 percent of such cases could largely be attributed to negligence on the part of the worker. An example of this could be sending information to the wrong hands, which is common these days considering the amount of data workers are exposed to. Another 20 percent of the 50 percent is most likely to be deliberate, as in the case of Edward Snowden, for various reasons. The most likely reason is that a worker could act alone to steal company information for profit by selling it to third parties or direct competitors.
But in reality, a bigger danger to many companies and to customers’ sensitive data comes from seemingly benign faces inside the same companies that are trying to keep hackers out: a loan officer tasked with handling customers’ e-mail, an attendant at a nursing home, a unit coordinator for the main operating room at a well-regarded city hospital.
Often, that translates to employees on the front lines stealing patient medical data or client social security numbers, which can then be sold on the black market or used to commit fraud like collecting someone else’s social security benefits, opening new credit card accounts in another’s name, or applying for health insurance by assuming the identity of someone else. In Nigeria, for example, it’s quite common to see someone advertising emails and telephone numbers for sale to businesses who might need such data for marketing, but imagine what this kind of data could be used for in the wrong hands. From annoying bulk messages to other possible criminal acts, this data is often used in the wrong way. Usually in an election year, you begin to see millions of people who wish to vote turn out to register, and this information is expected to be stored in a secure location with access for authorised personnel only. This process is repeated for the national ID card, driver’s licence, SIM card registration, bank verification number and international passport. This is a huge pool of data that contains personal information of ordinary Nigerians, and not once have we heard that someone was prosecuted for data breaches. Come to think of it, how easy is it for a private individual to obtain such an organised database without inside help? How structured and accurate is the information out there, you may ask? There are databases out there that are being sold at giveaway prices. They are so organised that you see millions of records of people’s names and surnames, telephone numbers, states of residence/origin, ages and residential addresses. Now that’s a massive set of data right there, and in the wrong hands you can imagine the scale of damage that can be done to individuals or a group.
This brings to mind what the national ICT policy is and how much of that policy is enforced. Has there ever been an organised investigation into how data of this magnitude was leaked in the first place and, after such an investigation, how many people were prosecuted for it? In addition, what’s the national policy for public sector data storage? With every incoming administration come policies that remain largely unimplemented in the ICT sector. You still have public sector information lying in foreign and local privately controlled servers, and this ought not to be. That’s not to say the government shouldn’t at any time patronise the private sector in data storage management, but what’s the policy regarding this? In 2013, the NSA (the American National Security Agency) contractor Edward Snowden was able to copy a ton of data to an external drive without immediate detection, and that’s the kind of threat we face in today’s world. It’s not just cyber wars; it could be the quiet and loving staff member who has intentions other than discharging their primary duties.
The difference between Africa and the western world when it comes to such breaches is that while organisations (public or private) are constantly looking for new ways to guard against such breaches, in Nigeria, for example, there’s no formal investigation into how employees could make away with such information and begin to sell it to the highest bidder. This is not limited to government agencies alone. When I go to register my SIM card at the store of a local representative of one of the big telecom companies, how safe is the data I give them, which is eventually copied to NCC (Nigerian Communications Commission) servers? How’s the data being managed and who has access? These are questions we ought to answer honestly so that we can at least reduce the flow of public data on the streets. The Verizon report believes most of these breaches come from the public sector, and it looks as if the private sector is doing a better job of managing data, probably because the government has more employees and handles more data than the private sector.
The report also highlighted the effects of phishing (the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, online), malware and other vulnerabilities, as well as other big causes of data breaches in institutions.
Verizon is an American company and is the second biggest telecom company in the world after China Mobile, with a market value of $202.5b/40.3tr Naira, revenue of $127.1b/25.2tr Naira and profit of $9.6b/2tr Naira in 2015.