Bolakale Mallick is the principal consultant at Regcompass, a consulting firm co-founded by him. An innovative lawyer with combined experience in Law and Information and Communications Technology (ICT), Mallick blends his computer engineering skills with his experience as a legal practitioner to build LegalTech solutions and also provide bespoke legal advice to his slew of technology clients. He specialises in Fintech, Artificial intelligence, Cybersecurity, Data protection, Intellectual property, and Technology law in general. He studied law at the University of Ilorin, Kwara State and holds an LL.M in Cyber-law. Mallick offers advisory services to his clients on both legal and technical issues revolving around the deployment of their various technology businesses. In this interview with JOY NGWOLO, he explains the risks that companies may face in the cyber-space while working remotely and proffers solutions.
With the outbreak of the Covid-19 pandemic, what is your assessment of the role of technology in the sustenance of businesses and organisations?
I see technology as a catalyst for the growth and survival of any business. Prior to Covid-19, there was a need to leverage on one form of technology or the other but the pandemic has come to show us that more than ever before, technology is very pivotal to the sustenance of any business or organisation. Even when things return to normal, things will not return to normal as we know. So for companies who have failed to leverage technology for their businesses, they will find themselves lagging behind in terms of sustenance. So technology is not just an avenue for you to make money but is a pipeline for you to be able to reach a wider audience and aid your marketing strategy. For businesses to survive in this current dispensation, they need to leverage some form of technology even if it is not very advanced.
A report by Deloitte Company says that SMEs will experience more of cyber-attacks in 2020, do you agree with this?
Yes, I totally agree with the report. The number of cyber-attacks will sky-rocket this year for many reasons. The first is that a lot of people are at home unengaged with so much time in their hands and without money in their pockets. So they will look for ways by which they can get money, either by trying to steal money from people or trying to use subtle means to obtain vital information. Next comes the temptation to learn how to hack people’s Wi-Fi password, when such a person sees that it works, he tries to do something bigger like hacking someone’s credit card and that is how it starts. The fact that such information is available on the internet, makes it easier and seamless for people to attack others these days so we should expect that the rate of cyber-attacks are going to sky-rocket and companies need to prepare themselves. It may be totally impossible to avoid cyber-attacks but what is possible is to build resilience so that when the attack happens, you are able to quickly find a way to control the whole situation. So if your system gets attacked, you will be able to move from one system to another seamlessly. So resilience means the ability to migrate easily from one server to the other. But note that resilience does not work for every case of cyber-attack or incident. However, there is a need to report cases to your IT expert, so that he can advise you on the right step to take.
With a lot of company staff working remotely nowadays, are there implications such as exposure to cyber-attacks?
With a lot of companies working remotely, we should expect more exposure to cyber-attacks than normal. One of the reasons is most communication goes on online and sometimes you don’t see who you are communicating with physically, communication is now via skype, zoom and other video conferencing apps. And because these apps come with their security flaws, it is very easy for other people to listen to your conversations, to study your work model, to understand how you people communicate and be able to give you instructions that may mislead you if you are not very careful
The case is different in face-to-face interactions. If somebody walks into your office physically, you can tell that such a person is not a member of your office and you would ask questions. But in a situation whereby you are working remotely and someone and you don’t know is present, you spill out confidential information. The person uses some social engineering tactics to manipulate you like saying that your boss asked you to transfer money to another account and when you check the person behind the email, you find out that it is not your boss’ email but the person sounds like your boss, writes the instruction like your boss and this is a transaction you are working on presently. Another thing they do is to try to get hold of vital information and begin to threaten you that they will release the confidential data if you don’t give them money. And at that point, you have no option but to give them money. I think that companies need to do a lot in terms of creating awareness for their staff to some of these tactics and risks they may be exposed to as a result of working from home this period. Security measures to take such as changing your password periodically, trying to look through your emails to ensure that it is the person you intend to communicate with, asking IT department to enforce some kind of notification mechanisms that will prompt or notify you when you are trying to communicate with someone that is outside your organisation so you don’t make the mistake of sending information to the wrong persons. Also, people need to know what links to avoid clicking like suspicious emails. Because when you click a malicious link, you might think that all you need to do is close your browser but there is some malware that is capable of installing themselves on the browser, sometimes they download Spywares, which continue to track activities and details on your computer.
Also, another challenge is that people download videos on their laptops, some from pirate sites. They don’t come for free, some of them come with malware that can damage your computer. Office computer contains very vital client information and when people gain access to such information and the computer becomes infected with a virus, everyone has to run helter-skelter to secure information as a result of employee’s carelessness.
What forms of cyber-attacks do you think will be more common this year?
One of them is the phishing attack. They are messages masqueraded as legitimate coming from a known or trusted source, whereas, it is actually coming from an attacker. The challenge is that people receive so many emails that they may not have the time to review every email before responding but if you find a suspicious mail, try to find out who is behind it.
Also, people should try to resist the urge to click on webinars, because there is a lot coming up now. When an attacker profiles a person and knows the things the person is interested in, the person would go try to lure the person with the area of interest, and a person will unsuspectedly click on the link hoping that it is a webinar but later find out that there is nothing there. At that point, he might have mistakenly installed malware on his computer. Before clicking on webinar links, try to verify that it is coming from a trusted and known source.
Another form of cyber- attack that will be experienced this year is ransomware and it is for two major reasons. It is linked to the phishing attack because the whole essence of a phishing attack is to be able to get vital information from you and one of the ways to get vital information from you is to get your email address and password. Do not enter your personal details into any random website. There is always a padlock symbol on trusted websites, if a site doesn’t have it, do not enter your details in such sites as they can install ransomware on your system and remotely lock it.
Can cases of cyber-crime be taken up legally?
On whether or not cyber-security break is actionable, the answer is yes. There are two ways you can look at this, as the owner of the data if you keep your data with a service provider say Facebook, Instagram or even your bank or a payment gateway, and they fail to protect that data with adequate security and there is a data breach as a result of which you lost your data, they didn’t inform you, they were negligent about it, yes you can sue them and claim damages for breach of your contract with them because they have an obligation under relevant laws to make sure that they secure your data. An example of this is the Nigeria Data Protection Regulation which we call the NDPR which was issued last year. So, that law has provisions where you can report a data breach to a committee that will investigate and look into it and is able to award damages in your favour when that happens. Also, there are instances where your data is being misused, it might not be a breach but then there was a misuse of your personally identifiable information. For instance, if you give your information to Facebook and Facebook decides to trade that personal data for their own gains, yes it is actionable.
