Podcast transcript: Episode 17 - Trends transforming cybersecurity

Transcript

Host: Hi everyone, my name is Nkiruka Aimienoho and the Experience podcast is a one-on-one interview-led podcast that discusses the adoption and utilisation of relevant emerging technologies and trends. We give impact-oriented professionals, researchers, developers, and students realistic and thought-provoking perspectives on the opportunities and challenges presented by these phenomena in our unique environments. So according to research from Cybersecurity Ventures, global cybercrime is increasing on average by 15% year on year. By 2025, it is estimated that cybercrime will cost businesses worldwide $10.5 trillion.

With this influx of disruptive technologies, such as artificial intelligence, machine learning, IoT, and Cloud computing, cybersecurity is an even more important conversation, as we see that, you know, disruption presents major challenges, but also new opportunities. Today, cybersecurity is more than damage control, it has become a prioritised commercial investment for numerous businesses, especially in the financial services industry. So we have the pleasure of speaking with Adeoluwa Akomolafe, the Chief Information Security Officer of Wema bank. He's joining us today to talk about some of the disruptive trends we foresee, having a security impact, and what this means for the future of Nigeria's cybersecurity landscape. You're welcome, Ade.

Adeoluwa: Thank you.

Host: Okay, so I'll just jump into some questions. I'm sure a lot of our listeners are familiar with Wema bank, its flagship products, and all that. But for those who might not be familiar with cybersecurity practice, could you give us a quick overview of what being a chief information security officer means, and what kind of work it involves?

Adeoluwa: Okay, thanks Nkiruka. Well, in simple terms, the job of a chief information security officer is basically to drive the information security strategy of the bank, which means you're responsible for ensuring security in building all processes, ensuring that the customer information, data, funds, and whatever we hold there, for the customer is secure. So in simple terms, that's it and it sounds like it's an easy job. But it's not what it says on the cover. 

And really, it sucks you in and it's something you do 24/7. It's like you're sleeping with one eye open. And you know what we say in the industry, the bad guys are always a step ahead, they are probably more fun than we are. It’s only to just ensure that you have the right infrastructure in place to secure the integrity of the information you hold for your customers, their funds, and whatever is critical to the organisation. Thank you.

Host: Thank you, Ade. Great. Okay. So over the past year, you know, we've spoken to clients, and we noted common behaviours in response to the COVID-19 pandemic. We saw an urgency in scaling up digital infrastructure to enable people to work from home, and a massive increase in the rate of organisations moving, you know, their IT infrastructure to the cloud. Can you tell us how the pandemic specifically affected your role with regard to general operations? Were there new security risks you were seeing? And how did you adapt?

Adeoluwa: Okay, for Wema bank, from an operational perspective. From the technology side, and I'm talking about the guys in Alat, in the tech space, it's a journey we've been on for a while. But though not out of the bank's policy for people to work remotely. But we've had cases where we have developers working remotely, and they had some form of access to the bank's infrastructure. But with COVID, we had to approach this differently. 

Now, we had to get more people working remotely, we needed to ensure that the connection is secure. And luckily, we had organisations like Microsoft and Cisco providing some form of relief because of COVID. They had solutions they allowed us to sign up for and we sort of ran a trial for 90 days before we made any payments. So that enabled us to set up VPN for access to the network first, and to deploy security also in that space, to ensure that the connection is secure.

Of course, there was still a policy around who has access to what and what sort of infrastructure we want people to access remotely. Are there certain applications within the bank where there's still some form of restraint when you say you want people to access this remotely? But that's changing. And we've seen it as something that has come to stay. I worked remotely for a long period pre-COVID. But now, come today, at Wema, we currently have a policy where people can work from home certain days of the week and be in the office on others, because we also need to control the number of people coming into the office. There still needs to be some social distancing and all that, because COVID is still out there.

So that's the case for COVID. From a digital journey or transformation side of things, we sort of started that in 2016, up to the point where we launched Alat in 2017. So that journey had started, of course, it also comes with its risk. And we needed to respond to that. For example, outside of the security rates, there was also an impact on infrastructure, we needed to add some infrastructure to be able to serve the number of customers that we were onboarding digitally, and the sort of activities they needed to perform on the application. 

So that has led to some changes in the way we deploy solutions and the way we even try to secure the solution. So for example, DevOps is a thing for developers, but then, you know the way they respond to security. So we had to also build security into their development pipeline. Right? And of course, looking at what's available in the Azure marketplace. And looking at the sort of solutions and what we're looking for, from a security perspective, how do I automate the security reviews, so that these guys can do their job more effectively, without the constraints of oh, you develop a code, then you're handed over to security for review, the review is done, you come back with some exceptions, you need to go close those exceptions before you are allowed to push applications to store. 

So we had to find a way to remove that bottleneck. And we looked at some tools, and deployed that and that sort of reduced us having to poke our eyes into everything they are doing at every minute. You know, we just receive alerts and reports on the integrity of the codes they're deploying to the store. And that enabled the business to do things faster. And really, over the years what we’ve done at Wema is to feel security is the best line for projects. 

So if you're making any change, or you're deploying a new solution, there has to be some sort of project management around that includes some sign-up from certain parts of the business. And of course, security compliance, and other control functions need to have a say in bringing all that together. And also when we're going to the cloud, that experience enabled us to engage the cloud provider extensively to ensure that we also have those controls that the very people might feel it's not applicable in that environment. But we're able to build that into the engagements we had with them. 

One thing I say that is lacking in this environment or a lot of people don't sort of take massive concentration for is the impact of clear documentation. You know, if you have clear documentation, then you can build the right processes for whatever it is you're doing. And one other journey we have been on as a bank is robotic process automation, that's also driven by all these changes. And of course, that is to serve customers better. 

So we are automating some of our processes, we've looked at some critical processes, and we are about 80-something percent done. And the feedback from the business is that it made a lot of things faster. And the sort of data, because now you've moved it from someone manually doing things so we don’t get too technical, to some script or application running that process, so the error rate is lower and that has made the business more seamless.

Host: Interesting. That sounds really interesting, Ade. I'm particularly excited at what the bank is doing to adapt to the new realities that we see. It's interesting. Okay, so naturally, as more companies deepen their digitization efforts, cybercrime becomes a more daunting prospect. In May 2020, McAfee reported a 600% increase in the use of collaboration tools, such as Zoom, Microsoft 365, or WebEx, and a 630% increase in external attacks on cloud accounts. So this means that the risk of threat actors targeting the cloud far outweighs the risk brought on by changes in employee behaviour.

So new working requirements during the pandemic pushed the uptake of new technologies and tools; however, unfamiliarity with the tools and lack of expertise creates potential areas of exploitation. So was this something that you were mindful of? And what would you say the biggest security lessons learned were for you over the past year?

Adeoluwa: For me, I won’t say a lot has changed. Because if you think about it, that you're delivering technology to your staff or customers to do their job or perform transactions, they don't know what's happening at the back end. So it's really on the tech guys and the security guys to ensure that security is inbuilt into fields when you're thinking about cloud migration. Right? And the beauty of it is, technology is moving at a pace where even the OEMs are providing solutions that ensure that you can secure your infrastructure to an extent that comes down to the knowledge of the people doing the job. 

So there’s some assumption that, let's take Azure cloud, for example. So you go to Microsoft, and you say, I want some infrastructure in your space. Now Microsoft would secure that infrastructure to an extent. Now you need to also bring in your internal policies and security practices, to ensure that whatever infrastructure that you’ve been provisioned in the cloud, is also secure to your standards. And really, that's where the job is because the technologies are out there. Right? But you need to ensure that the integration that needs to be done is done. 

One thing that is key, really, with this cloud infrastructure is you having visibility, you know, because your attack surface is larger, and without visibility, then you are just pretending you're running security. You're not doing security, so visibility is key. One challenge is, over the years, we've deployed solutions that are purely for devices on-prem. You know, so some organisations would have to, for example, upgrade their SIEM to one that can pull logs from the cloud infrastructure. And you need to also know you need to do that.

There's some governance around that also because you don't just move everything to the cloud, you know, there are regulatory requirements. And because of the way some applications are, you need to also agree as an organisation. What part of your critical infrastructure do you want to move to the cloud? You also need to have your cloud strategy in place before that. Are you running a full cloud infrastructure or are you running on a hybrid format? Or how do you want to run it? So there's some governance work that needs to be done around all that migration before you start moving things to the cloud, because if you don't do that, then you're just running some haphazard approach that won't give you the right results. 

The other challenge is, we need to get to a point where cybersecurity practices are now automated. You know, it's not about some guy coming into, oh, I'm coming to do a pen test, or I'm going to review this application. We need to have automation in our processes that ensure that we're continuously monitoring for threats, right, because it's outside of your perimeter now, you know. And to make it worse really, so it's not a case of, I have an infrastructure in the cloud, and I can say. I'll give you a typical example if you have an API to connect to some application or whatever on-prem. 

Because the IP subnet you have in the cloud is a large subnet, because those IP addresses might change at any time, Microsoft might do something and move you to a different IP, whatever. You're creating permission from your firewall to a large subnet in the cloud. Right. Now, that expands your threat landscape immediately. So how do you ensure that outside of that, you're able to get down granular to say, okay, this particular API is only accessing this, this permission is granted for exactly this activity? You now need to understand exactly what the developers are building and what that application is meant to be doing to deploy the right security infrastructure for the particular solution. 

The cloud also comes with its benefits. I feel personally that there is more threat intelligence sharing in that space than on-prem. Okay, so between Microsoft, Amazon, Google, or whoever, there’s some serious threat intelligence sharing going on. You know, if you've deployed Microsoft ATP, for example, for O365. Yes, it requires a lot of configuring and ensuring you have stayed, but the threat intelligence, it's quite robust, you know, that’s positive from the cloud. At the end of the day, it's what it is, that's where technology is going and we just need to ensure that we are ready for that challenge because we are fintech today fully running off cloud infrastructure. And you're interacting with this fintech in one form or the other. You know, yeah.

Host: Thank you Ade. Thank you. So are you saying based on your experience, you know, this is the way to go?

Adeoluwa: Well, that's where everyone is going to, and if you're not going down that route, then you get left behind. And to be frank, if you look at the sort of technology solutions that OEMs are putting out there these days, they're all cloud-centric. You know, and I don't serve, I know that as part of this question that is talking about predictions or whatever, I don't have any predictions. Physical infrastructure will still exist, but it's all gonna be hybrid and I see a 75% cloud and 25% on-prem. Yeah.

Host: Interesting. Okay. Experience at my bank. Are there any other critical security questions that every commercial bank or every organisation, in general, should ask and have answers to before using the cloud?

Adeoluwa: Well, my approach is, whether cloud or you're dealing with a third party, you need to have some sense of the appreciation of the security. Right? So far, I think with third parties generally, a simple question is, most of them are not bound by any regulations, so simple questions like: Do you have an InfoSec policy? You know, how do you onboard your employees? If I see tech organisations saying, oh, we don't have an InfoSec policy, then that's a red flag.

You know, so you can ask those simple questions for cloud infrastructure. You see, the thing about the cloud is that there are a few players in that market. And outside of Amazon, Microsoft, and Google, I don't think any serious organisation would go for anything outside of those three, right? Yes, you would expect that they do things the right way, but you still need to engage. And as I said, you need to define your security requirements for your dedicated space in that cloud infrastructure. 

Microsoft is Microsoft, Amazon is Amazon. The argument is about which one is more secure. Amazon? Yes, people would say, because it's like the case of the Android and iPhone discussion, like Android, it encodes more open source, right? I’m just using the word open source because we understand that language, more than iPhone. So it’s the same thing with the way some people look at Amazon and Microsoft when it comes to cloud providers. So no one is more secure than the other. Every organisation can be breached. Microsoft tells you they have a massive budget for security. But we see breaches every day, they release beta versions of an application before the full version is out.

So it's all about your specific requirements, and who you think meets those requirements best. And really, you have to define your own security requirements outside of the basics they would provide. And you need to ask them these questions. What I say is that assumption that oh, it's Microsoft, it's Amazon or it’s Google. You assume that they have these things, you need to ask questions and in some cases, request for evidence of whatever security processes they say they have in place, yeah.

Host: Okay, thank you very much. So people and organisations need to be more strategic about these things. So I'll move over to emerging trends, and just everything about IT service delivery has changed drastically. But to some extent, our security measures are still built around old practices of software and system design. Now, based on your experience, where does security need to catch up with the digital transformation, and how?

Adeoluwa: Where does security need to catch up? I think security is catching up already, or maybe, okay, that is to an extent. The biggest challenge with digital capabilities and the way technology is moving these days is the constant change. Right? Where I say security lacks is in moving at the same speed as changes, which happen so rapidly. It's difficult for security processes to keep up with those rapid changes. Also, the type of attacks is changing; today you have the AI-enabled attacks and all that. But the beauty of it also is that the defenders are also coming up with tech to deal with this changing threat landscape.

You know, you have more integrated security systems. For example, we're having some discussions recently around SD-WAN and SASE. And really, most of these things these days are frameworks where you now look at your different security solutions and you bring them all into that framework. We've moved from the days where you just have one security solution doing one particular thing, and it's not interacting with the other security solution. 

Today, we have integrated security systems. And that improves the sort of visibility we are having into the network and enables us to manage these larger attack surfaces better. The other thing is to also ensure that security is inbuilt and not something you bolt on at the end of a process, a change, or application development. So I talked about fueling security in the development, the CI/CD pipeline. What that gives you is, in fact, as soon as a developer is coding, you are reviewing the code, you know, dynamically, and it’s able to correct gaps in that code even before it goes to the next stage. And you define certain parameters; if the code does not meet those parameters, it breaks the build, and it doesn't move on to the next stage.

And that needs to be a culture that is part of things that are done in any organisation. Changes should not just be implemented without the right stakeholders involved to ensure they define the right set of controls. One other massive issue for cybersecurity and I'm sure you guys are also in the same space is the skills gap. Right? There's this skills gap in digital technologies, and the sort of skills, so-called cybersecurity experts, we wouldn't even go into the brain drain that is happening. 

Yeah. But you need to have regular training for both IT and cybersecurity personnel. Because really, one of the problems cybersecurity has is IT. Because sometimes they're like the business. They just want to deploy things and get the business running without getting security involved. So they need to be aware. When you're training your security staff, also be training your IT staff, so they have an appreciation of what security is about. And what else, there still needs to be regular testing, you can't run away from that point in time security assessment that we always do. Bring in the PwCs of this world to come to do a VAPT, that gives you some sense of how secure or not you are. 

And you can, based on that report, improve things and improve your cyber security. As I said, threat intelligence is key. One thing I will say is missing in our environment today, and in my space, financial services, is sharing threat intelligence, because one attack on one is an attack on all. Most of us have the same sort of infrastructure; we might be running different core banking applications while running the same sort of databases and all that. And if they’ve tried something at one bank, they'll definitely try that at some other bank.

If we share threat intelligence that is able to secure the ecosystem better. And I'm sure I've touched on automating cybersecurity practices. It's extremely important because of the speed at which tech is evolving, that you can't catch up trying to have manual interventions. You know, these things need to be automated. And luckily, solutions out there are offering such automation to make life easier for us. Thank you.

Host: Interesting. So you have been with Wema bank for the better part of a decade. And I'm sure you've seen the launch of several mobile applications like ALAT as well as an uptake in online banking services. Can you please speak about some of the digital transformations that have taken place at Wema bank in the past few years, and how has this shift from physical to internet-based or USSD-based service delivery impacted operations and security?

Adeoluwa: So everyone knows about ALAT, the first fully digital bank in Nigeria, and maybe in Africa, so that's one. And I think outside of Kenya, before when we launched USSD in Nigeria, no one was using USSD for consummating transactions in any form, it was just for providing information. You know, send in some messages via SMS, dial this number to get some information. So that came with its challenge. You know, mobile telcos, as they're called, because of the sort of business they did in the past, they don't think about security,

because their business is you want to talk, you want to browse. And that's it. So you guys now invaded our infrastructure, and you say you want to use it for financial transactions. So you'd need to sort out the security bit of it. That was a bigger challenge than securing ALAT or any mobile application. Because of the way USSD is, what you are selling with USSD is the simplicity of its usage. Right? And those sessions are very short. And to plug security into those sessions basically kills what USSD is all about. So if you can imagine saying, to consummate a transaction via USSD, you need to use a hard token, for example. And the session expires in, I don't know, 20 seconds, you know.

Before you pick a hard token, generate a PIN and input the PIN, the session has already ended. So USSD was a massive challenge to secure. And it still is, because one of the biggest threats in the industry today, well in Nigeria, is this issue of SIM swap, you know, the minute your SIM has been swapped, and they have access to your SIM, they can start doing several things. You know, your BVN is easy to get, you just dial a code and you get someone's BVN.

It was now on the banks to look at the onboarding process for different products. You know, how do we onboard people on USSD, so that even if you do a SIM swap, it becomes difficult for you to register via USSD? Because I'm going to request some other information about this individual from you before you can register. But it's a journey, and we'll just keep looking at the different feedback from customers, reviews, external issues, and all that to provide solutions that give the customer some comfort that this digital thing you’re giving me is secure enough. Today we've moved to agency banking.

Now well the banks are saying we also want the agents to do a lot more, you know, things like yes, you want to issue cards at agent locations, you want to activate those cards, that also comes with security challenges. Because the business will tell you oh, we can onboard more customers if we provide this extra service or we can increase the number of cards they issue to a certain number that equates to more income for the bank. Because then you're paying some charges and all the job is on you to ensure that those integrations are done in a secure manner.

I guess for me it's just about moving at the same pace as the changes the business is bringing to you. And maybe just trying to be a step ahead of them by understanding what's out there. 

You know, so when they're coming to you, you're already aware, you've been thinking about what sort of solutions you can give them that enable us to do transactions in a secure manner. There's also the, you know, when we talk about digital transformation, we're keeping it to what's done within the bank. That's a wrong approach because there is the group of people that are fighting the banks for a large chunk of the pie, the fintech and they are way more nimble, mobile, and security to them is an afterthought. 

We’ve engaged most of these guys, you know, while we are going through all those, so you need to do this, you need to do that, they are deploying just like that. I’m sure we’ve all seen the video about the stuff with OPay. You know, no one can come out to say what exactly the issue was. Was it a cyber breach or was it some insider stuff? But we'll get the full details of that. We will just wait and see. But those are the challenges we deal with. And all these guys integrate with banks. And you know, you really don't have visibility into what they're doing at their end, and third-party risks have become a bigger risk than inside issues.

You know, most banks, to a large extent, will say they've secured the perimeter. I know you do VAPTs for a lot of organisations and you may be able to attest to that fact, that with an external pen test, you don't really find much, except maybe you find something sitting on some DMZ space that no one is aware of. Maybe tech has deployed something and they didn't tell anyone, or you have a third-party application sitting somewhere. So really, for me, that's somehow, the insider threat is big, but the threat from the third parties is even the bigger one and the one organisations need to focus on and have some form of governance around. Thank you.

Host: Thank you so much. Thank you. That was a great response, Ade. So I’ll move over to my next question because it's related to what you just talked about. So we've seen consumer data privacy and protection issues; it's become a more important conversation that is had, you know, across markets, especially with more and more high-profile data breaches or hacking scandals. I like that you chose some stats when you answered the previous question. The average Nigerian is constantly exchanging personal information for services.

Whether it's banking services, online purchases, want to buy, you know, card, credit cards, or you want to get access to WiFi. We are one of the most vulnerable countries among our peers when it comes to cyber threats, despite having relatively high spending. So what is the gap between our spending and its impact?

Adeoluwa: That's a tough question. 

Host: Yeah 

Adeoluwa: That's a tough question, yeah. Because now we need to look at the demography of the nation as a whole. If you think about it, let's face it, we're a poor country. Forget about the oil and all that, we are largely uneducated. So, for example, you've probably heard all these calls they make to people and you ask yourself, how did you fall for that? You know, why would you give your details out to this person? And the banks keep sending out information, awareness stuff about, no, we won't call you to ask for this and that.

I think it's not an issue of spending on security. I think the spending on security is doing what it's meant to do. Right. But there's a lot of work to be done around awareness for the general public and I know CBN and the Committee of CISOs. We're working on some industry awareness. That has already started, really, yeah. We are trying to do that in all the different local languages and you know, just to create awareness about all these threats. And also internally, we try to drive awareness around, you'll be shocked that even bankers still fall prey to all these things. 

So when you do your phishing test and all that, the numbers sometimes are scary. And you wonder, didn’t you guys read the last awareness mail that was sent out, or didn't you see the posters we put out there? Do not just click on links, you know, check email addresses to be sure it's from the right email address. In fact, we had a situation I can share because it was blocked. Some people set up a domain called wenabank.com, not Wema. So it was WENA. So it’s easy to miss, you know…

Host: That last letter?

Adeoluwa: If you just basically set up any email address and send @wena.com to someone, the guy won’t look at it and will just view it, whatever the content of the email is. I guess, for me, it's constant training, awareness internally, and also the work that CBN is doing externally. Because if you look at the fraud cases, only a few of those fraud cases, and I laugh when, you know, you see all these reports that the bank has been hacked and all whatnot. And if you go through the old stuff, it's about how some SIM swap was done. By the time the investigation is done, some guy at the telco was involved and all that.

A large chunk is down to how aware people are. You know, I know people that will tell that driver, they gave that driver the debit card to go and draw money from the ATM and all that. Peradventure you use the same PIN from your debit card to lock your phone, and these things happen. And the guy just tries, and it’s the same PIN you used to lock your phone. He has access to your USSD, that’s the easy one to get to, then you're using the same PIN on the USSD.

And we've seen cases like that where money is transferred, we start doing the investigation, or money is transferred, someone goes to an ATM to withdraw. By the time we get the footage of who has gone to the ATM, you realise it's someone that is known to the customer. So I think awareness for the general public is very key. And the work being done by the CBN and the CISO committee couldn't have come at a better time.

Host: Absolutely. That's a good response. Thank you for that. Let me move over to another one. So this is about cloud computing. So we know it's a form of shared resources. You talked about this, yeah. So this means that hardware, operating systems, and other IT infrastructure are not managed directly by firms moving their data to the cloud. We talked about this too. But they are outsourced, and usually in a subscription-based model. So if organisations don't have 100% control of their infrastructure, is 100% or even 99.9% security impossible with cloud computing?

Adeoluwa: It's not possible with any form of computing, even physical, the one you're seeing in front of you every day. Because you need to understand that there are always people, and process factors outside of technology. But like I said before, yes, you have cloud infrastructure, they've provisioned some servers, and they've installed applications and all that for you. You still need to do your due diligence, you know, so if you have a, I call it a bank dedicated space on Azure, for example. 

So Microsoft provisions these things now. I'm saying Microsoft because we're on the Microsoft Cloud. Microsoft will only tell you through their securities and if you don't subscribe to Azure Security Center, then you don't have the visibility to or deep visibility to what's going on on that infrastructure. So they gave you the basic minimum. Now you need to subscribe to this and subscribe to that, you need to subscribe to their anti-DDoS. You need to subscribe to database vulnerability assessment and all that. So if you don't have solutions doing that and you feel, oh I've gone to the cloud and that’s it. 

No, you still need to drill down to okay, what do I need to secure this particular infrastructure? Right? And if you're not asking the right questions, they're not going to tell you. Right, we've provisioned this for you. And that's it. But you need to ask the right questions. Right? You need to be the one to monitor your security centre. For example, what are the things it's flagging, and who is meant to deal with that? You know, we've talked about focusing on technology alone is not doing security right, there has to be some process around how you do that security.

But you now talk about having the right people. Are they well trained, do they even understand how this cloud infrastructure works? You know, so people have to be trained, you have to have the right processes to drive the technology you have deployed, and maybe then reduce this your 99 and 100% to 95. 

Host: Okay.

Adeoluwa: Yeah, and I get that question from executives. Look, can you assure me that? Sorry, I can't give that assurance. But I can tell you to a large extent, we say what we're meant to say and would react if there’s any issue. You know, people look at the benefits of the cloud infrastructure and say, oh we can quickly spin up another infrastructure. If we have a breach, oh they’re backing up to some different data centres, our data is 100% available anytime. But you still need to sit down and define certain things. What is the recovery strategy, you know, all those times your RTOs, your RPOs? Because you can't build on the cloud providers' own, you need to use what speaks to your own business or infrastructure. So you don't just leave it to the cloud providers to do, you still need to do your due diligence.

Host: Yeah, interesting. Thank you. So one trend we have seen in order to combat cloud security challenges is zero trust. And that is security frameworks that require all users, whether internal or external, to be continuously authorised and authenticated to access any company resource or data. However, there's the challenge of including legacy systems and applications that are generally hard to redesign to fit zero trust requirements. Do you think zero trust is a necessary practice for large organisations using cloud solutions? And if yes, how should large firms utilise it well?

Adeoluwa: Well, zero trust, I love the sound of it and the sort of definitions that give what it means, you know. I was reading something the other day, and it says zero trust is eliminating the concept of trust in organisations and you know, you need to be scared a bit that, okay, you don't trust anyone. But really, we just give names to these things. So for example, if you deploy MFA, for example, and you've enabled the fingerprint log-on, and every time you want to access a service, you're using a fingerprint, that is not a password that someone needs to remember, that’s zero trust, right? 

Host: Yeah. 

Adeoluwa: Because it has to be you, and you need to authenticate every time. There is nothing like remembering these credentials for seven days. But it's also possible you deploy zero trust, and you leave the option to remember these credentials for seven days. And that again, speaks to your policy. You know, does your policy say do not remember, log on, but it requests you to authenticate and verify at every single point in time really, that's what it is. It offers that your question is about large organisations' legacy applications. Yeah, there are legacy applications that will not, you would not be able to deploy the concept of zero trust. 

Two questions you need to answer are, can this application be upgraded? More often than not, the answer is no. Is it very critical? Again, more often than not, the answer is yes, it's very critical. So then the question is, what do you do? Right? Can I segregate these applications from the larger infrastructure that needs access to it? Can I lock it down? Right? Can it be sandboxed in some form or the other? So those are the questions you need to answer. And this takes us back to a different discussion entirely, which is about asset management. 

Do you even understand what assets you have to know what's critical to you, what you'd need to secure, and how you need to secure them? Okay, so for large organisations and the way technology has advanced and all that. You would be able to implement zero trust for newer things. But for your legacy systems, you would have to find a way to ensure that those systems are secure and it's just segregating them and putting them in some form of a sandbox, restricting access to just who needs access to them. 

Even going down to the level of say if we take a typical example of an application that needs to talk to another, so maybe an application that needs to talk to your core banking application. Right, so legacy applications, you need to restrict it down to the level of what port it needs to communicate with the core banking application, and you ensure those are the only ports you have opened. You know, so you need to understand exactly what the application does, and how it interacts with whatever critical services it needs to interact with. With that knowledge, you can implement security that ensures that it only does what it’s meant to do, and it's not going to lead to a gap in your infrastructure. Hope that answers your question.

Host: Yes, it did. That was a great response. Thank you. I will move over to emerging technology. Right? We’ve touched a bit on some disruptive technologies before, but let's go a bit deeper. In recent years, we have definitely seen improvements in the management of cybersecurity threats in Nigeria, especially in the financial space around financial data. This unfolding relationship between new technologies and cybersecurity looks highly promising for the industry with unprecedented volumes of data being produced daily. 

So banks need to scale up data protection efforts. And we've talked about that. Hadoop is a distributed system for storing and processing big data sets across thousands of nodes. It has been highlighted by many as the answer to the security challenges posed by big data and connected systems. So Ade, would you agree with this way of thinking? Do you think there are associated risks that we are not seeing?

Adeoluwa: Well, Hadoop is what it is. And the question is, is there a risk? Yes, there is. It's open source, right? And that comes with its madness and my knowledge of working in an environment that was large, massively using Hadoop at the early stages of its introduction, a few years ago. Security on Hadoop has moved since then. So in the past, it would be classified into three categories around software technologies. Now Hadoop has a framework, the right talks to, and interacts with different software and technologies. So that's caused a gap in that space, then that ties into the sort of interface you use for this interaction, how is it configured? Right? 

And what sort of security policies do you have to drive that configuration? And Hadoop I believe is written in Java. Right? Correct me if I'm wrong, and we all know the security issues with the Java infrastructure, you know, and the sort of attacks that have been seen. So for me, without going into technical details, you know, it's all about ensuring the right authentication, authorization around access rights for users and all that, and massive amounts of data encryption. You know, how is the data stored? How is it transmitted, but more importantly, what level of encryption and how to convert the data to one that is readable from an encrypted one, considering the distributed file system structure of Hadoop?

You know, initially, there was a problem with the authentication protocol used on Hadoop when it was developed. Right. And, of course, that caused a lot of issues around authentication and how to secure the network or the protocol, and it's using this sort of client making the request, and you sending that back. How to secure that channel. Those are some of the challenges with Hadoop. But technology has also moved in a way that is not totally eliminated, because then like I said, it still comes down to your internal policies and what sort of controls you want to implement to secure your data. Right. So it's about how you authenticate, how you define who has access to what, what sort of authorization is in place for that particular access, and how you protect the data. 

Right, now, will the data be protected within the Hadoop framework? Or is it some other add-on that will ensure you can implement the right level of encryption and all? That's one that you would need to look at. And more importantly, is having visibility around audits, you know, how are you able to update what's been done? And how do you have visibility to see what sort of activity has taken place on the data that is stored? I can't say categorically if we have the right skill sets for that move within our ecosystem. I know there probably are, but I think that there still needs to be some training and improvement of skills in that space. Yeah. Both from the security perspective and the application developer's perspective.

Host: Great. Okay, so to touch a bit more on the topic of connectivity. Is IoT, something you're actively looking into at Wema bank, and how well does the industry understand the Internet of Things and its security implications?

Adeoluwa: I guess the question I would ask is, what exactly is the Internet of Things? How do you interpret it within the financial ecosystem? Because really, it's in simple terms, you’re just saying, you're bringing several computing devices together. Right, and they're able to interact in a way where interaction with one gives you access to interact with others. I don’t think it’s big in the financial sector as we speak, but I know some banks today including ours are looking at, what we call them, is it Phygital or Phigital? That is, a branch that is both physical and digital. 

Okay, so basically saying, if a customer walks into the bank, I can approach that customer with a device, right, and that device is one that connects to the core banking application, to USSD, or whatever. And I can deal with that customer on that device, is that an example of the Internet of Things? Maybe, maybe not. Or I have a standalone device in the branch where a customer can walk to or a self-service kiosk or something, that a customer can go to and consummate his transactions, even print statements, or whatever. 

So in some form or the other, we're moving towards that. Right, and we'll have more devices connecting. Maybe you can be in a branch and be talking to one or two other branches away via some device or something, you know. But I guess that's where technology's moving towards, and it's not something that is driven by the banks, it's gonna be driven by the business, because the business would come and say, Oh, we want to implement this now. It's now like for security or technology to say, look, how do we ensure security for this implementation you're asking for? 

And they will have a perfect business case for it. You know, it's going to make the bank so much money, onboard so many customers, so you would have to build the necessary security for it to interact with the other systems or devices that it might need to interact with. So we're moving to have IoT things within the financial ecosystem.

Host: Okay, thank you. So, we have seen globally that security breaches are extremely costly. Yeah. So whether from the loss of revenue, fines or reputational loss, it's a loss. Recently, we saw in Nigeria, a hacker was arrested for accessing, you know, 1.7 billion in funds of banks via cyber attacks. And as this sophistication of attacks increases, investments must also increase to stay ahead of threat actors. So when you look at some of the most prominent issues Nigeria faces from a security perspective, what's one key challenge within the industry that, you know, you're eager to solve? And if you can marry any new technology to enable that hypothetical solution, what will that be?

Adeoluwa: You're asking the wrong person. Because I don't think the challenge is one of technology. Okay, it's actually a people issue, you know. So even the one point, whatever billion fraud and whatever, it's insider related. Yeah, so it's not like that organisation didn’t have the technologies in place too. But someone that is privileged manipulated the system and colluded with others to do things. But if you ask me, so in saner climes as they're called, why the rate of crime in whatever form is low is because people know they will get caught. Right? Because there's a database that if I take your fingerprint or whatever, I know it's you.

They have better forensic capabilities and all that. So I don't know if we have such capabilities in Nigeria. So for me, it's two things. One, this whole process around the National ID Card or using BVN or NIN, we need to deal with that and have a database that tells us, yeah, that is accurate. So you can say, okay, if I take this fingerprint from here, and I take it to the lab, I can tell you categorically that Adeoluwa was the one that did that. That would radically reduce crime, in whatever form. 

Now for cyber security. For me, I think it's a people thing, people want to get paid. They don't get paid enough and they are influenced by some external factors. And they decide to go rogue. What do you do at that point? I'm sure you're aware of how much organisations have spent on technology. Seriously, a lot of investment has gone into securing bank infrastructure where the challenge is this issue of the insider, the rogue privileged user. You know, what do you do about that? You can only have visibility. So you can say, okay, this person did this after the fact. 

You know, or if you're able to deploy solutions that give you a real-time view of what exactly that person is doing at that point. But you also need to understand that, when you have that view, it's possible the guy is doing what he would normally do. So it's not a strange pattern, you know. 

Host: Yeah, true. 

Adeoluwa: What it normally does is use it to do something fraudulent. So for me, that's what keeps me up really. Yeah, because of a rogue database administrator. What do you do? You know, it's a tough one. And yes we are trying to deploy solutions to give us visibility, we are monitoring, we're locking things down, restricting access, and restricting to set times of the day and all those other things you do to just reduce the threat landscape as they call it.

Host: Okay, thank you. We're rounding up now and to just close up this session, I would like us to look at a few things. We'd like to hear our guests talk about predictions. So speaking of predictions, what was the last prediction you got wrong?

Adeoluwa: Again, my prediction is wrong every year. Because I predicted Arsenal would win the Premier League.

Host: Why did I think that you would even say that? I knew you were going to talk about football, okay?

Adeoluwa: So I don't gamble. I just predict that I’ll wake up every morning and that works for me.

Host: Okay, nice. Okay, so what's one view you seem to find very few people agree on?

Adeoluwa: This is soft, right? We're not talking tech.

Host: Yeah soft, nothing tech.

Adeoluwa: I have a few but they're not for this sort of, they're quite morbid. So I'll pass on that.

Host: Okay, okay. Cool. Thank you. So, this last question is, you know, a question we usually ask. We’d like the previous interviewee, or the person that we interviewed last, to ask you a question, and we would like you to also ask a question in turn. So disruption is interrelated in that respect, what's one perspective you'd like to get from our next interviewee?

Adeoluwa: Same space, right? 

Host: Yes, same space.

Adeoluwa: Okay, one thing we didn’t touch on is crypto. 

Host: Oh, yeah. Okay. 

Adeoluwa: So I'll put the next person on the spot. 

Host: Okay. 

Adeoluwa: Yeah. So crypto, you know, a CBN is launching the digital coin in October, the eNaira they call it. So maybe the next interviewee can tell us where they see that going. In the very near future. Yeah.

Host: Wow. That's great. Thank you so much for coming to talk to us today. It has been a fantastic discussion, and we are so happy that you joined us.

Adeoluwa: Thanks for having me.

Host: It's been a pleasure. Thanks for listening today guys. Don't forget to subscribe so you don't miss out on our future episodes. Thank you so much. Have a great day.
