The Country Manager for Microsoft Nigeria, Akin Banuso, speaks with IFE OGUNFUWA on cybersecurity trends in Nigeria and globally, among other issues
What is the difference between 2017 and 2018 with regards to information or data management in Nigeria?
The difference between 2017 and 2018, and the difference between 2018 and every year that would come after it is that there is more information available and as the Internet has become a very democratic forum, there are a lot more voices being heard. More things are happening and as they are happening, we have citizen reporters who are taking cellphone imagery and reporting online immediately. Sometimes, we have the authentic bad actors themselves posting their own messages online.
Along the line, there are some misinformation, but the level of activity is a bit more, which means that you have a much more informed citizenry which is not such a bad thing. I believe that the government doesn’t have to manage or regulate or own it all, but needs to partner with organisations, civil societies, private companies, and the general populace, so that we can have a way of filtering the information since it is all about the data now. As a corporate organisation today, we would tell you that information or data is the new oil, we have a lot of data but what does it tell us.
In fact, a large majority of systems in Nigeria are not plugged to the Internet, people are just using them somewhere. Even if they were, our privacy guidelines tell us we can’t access anybody’s data. We take this seriously and the point is that we need to treat people’s privacy and their information very carefully. It is an area where the government needs to sit-up which is why there is the GDPR (General Data Protection Regulations) which states how data should be collected and utilised. What we need in Nigeria is to build upon those guidelines; working in partnership with civil organisations, private companies and the government to see how that relates to us and what we want to do that is uniquely suitable for our environment.
What advice do you have for the government and private sector on the protection of their technology infrastructure and information from cyberattacks?
When we advise organisations and the government, what we say is ‘focus on where your top value is.’ What is your value or core competence? You’re using digital tools but if your core competence is not technology, partner with the professionals and, as much as possible, let them handle those things.
Also make sure that you are covered to the extent that you don’t just buy something which becomes obsolete tomorrow, buy something that its service is ongoing. In terms of security, when you look at Windows Defender which comes with Windows 10, it isn’t like buying just any antivirus software, it is a service just as you have Windows 10. Anytime you detect a new thing, it is automatically updated for you.
If you look at a ransomware attack that happened last year, the bulk of the people who were affected were those who didn’t have updated machines. They were running outdated software that didn’t have the latest patches or updates. Therefore, all the risks that had already been seen around the world affected them.
The moment we detect or contain or nullify a risk/threat, the program gets updated globally.
So, if you do not have a good patch management practice or up-to-date software, you may be affected. Sometimes, there is a good reason for you not to update the program automatically because you have changed control practices in place but you still need to have a very fast response time nowadays. If you don’t have that, you may see these types of attacks. Nowadays, we have seen these targeted attack trends: some, financial institutions where a large amount of money is moved are getting targeted. It is like a chain. You’re only as strong as your weakest link and all they have to do is to find the weakest link.
How susceptible are advanced technologies like Internet of Things to cyberattacks?
Don’t forget that the world is interconnected. Today, we have about 8.4 billion interconnected devices in the world and by 2020, it is expected to be 20 billion. We talked about the Internet of Things now, where people are able to send a message to their refrigerator to check what is in there and what is going bad. People are able to turn the heat on remotely because they would be at home in 30 minutes and they don’t want to get home to a cold house. All these are done using technologies like Internet of Things.
In Nigeria, this technology can be used to address pipeline vandalisation. If there is a burst pipe somewhere, it takes about two weeks to fix it. Why? First, they have to find out where the damage is by going into the bush to locate it. With the Internet of Things now, there are sensors along the pipeline so you can actually detect immediately where the pipeline was damaged. Also, there are drones you can send out that transmit information all the time. When we talk about the Internet of Things and interconnected devices, we also need to secure the network because they are interconnected networks. We have what is called the outer-ring, the inner-ring and the trusted core. The idea is that at every stage, at every point, there needs to be levels of security.
What advice do you have for entrepreneurs and the prospective ones on what to do regarding their security architecture?
Our strategy for Microsoft is that when you work with a large organisation, the Central Bank of Nigeria for example, they have a team of architects, they have a security team dedicated to the company. For a small enterprise, say a bakery shop, the owner would not be able to afford all of that. What we do is that we are democratising Information Technology as well as security. Based on the solutions that we provide, we advise Small and Medium Enterprises, basically, to go into the cloud for their solutions because they cannot afford to buy servers, equipment and also hire IT experts. We can work through our partners; we have other businesses and small IT experts who would advise them on the best bundles to buy, which have security built into them.
Office 365, which is a suite of products which allows you not only to do email but also build workflows, managements and digital signature. You can publish your documents online and you could also use share point online and things like this to build your website. All these are secured for you by Microsoft rather than you trying to buy separate security products. The simplest way that I see is to go with the simpler bundles, where we or other people have democratised IT, so you are not trying to spend a lot of your time on technology when what you really want to do is bake bread and sell.
How does Microsoft transfer some of these knowledge and information on cybersecurity to the young ones in secondary schools and tertiary institutions?
Education makes a difference to me because when people take time to spend time with you, and figure out how you learn. Educating our young ones is a core priority for us. Last year, we had a hackathon with 30 girls. For a week, we did a lot of mentoring and coding through an initiative called LEAP. We mentored and helped them to come up with real life solutions to problems. For this round, we focused on agriculture. We are working with various institutions and we are going to partner with Lagos State government to help with education and any other state that is interested.
We have been working with Edo State, Akwa Ibom and Kaduna State and the Federal Government. We have realised that knowledge is power and we want people to really learn and grow in this space. We recently launched our Africa development centre where we are going to be hiring engineers that work for Microsoft. Part of that initiative is that we realised that we have a lot talents in Nigeria but what we are lacking are the skills. We are working closely with the universities to see how we can contribute to what they do.
We are also working with the government to see what we can do with the curriculum because at the moment, the programme is fixed, new subjects are regarded as electives or extra courses. We should start thinking about technical colleges that offer the kind of skills we want for the future.
Is Microsoft involved in endpoint cybersecurity solution, because we know that most people access the Internet with their mobile phones?
Regarding mobile phone security, you are correct. A lot more people are defaulting to their mobile phones for access. There are two primary phone platforms nowadays: Apple and Android, which are the major operating systems. Considering how these operating systems treat security, for Apple it has decided to locked down its platform, taking control of the security by not allowing applications that has not been verified.They deal with security within their OS. We, of course, collaborate with Apple, Google and everybody else.
Android, on the other hand is a bit more open, of course they have the lion’s share of the market space and with Android, what you see is that there are products that you can actually buy to protect on the device itself because there are some applications that are sometimes compromising Androids more than the Apple. From the Microsoft standpoint, we protect our systems that are accessed through those devices.
The impact is hard to say. I remember reading a statement which says that the smartphone market is increasing not just in Nigeria but across the sub-Saharan African region, pretty much Africa really and one would expect that as that increases, the challenges that come with smartphone adoption would also increase.
I can’t say one could predict what the impact is going to be, but with the protection that comes with those devices and as the vendor continues to upgrade the OS, the system gets better at making sure that these devices are automatically updated.