Inside Nigeria’s Cybersecurity Battle: Chris Norton on Phishing, AI Threats and the Road Ahead

Nigeria’s digital transformation is happening at full speed, and so is the attention of those who would exploit it. At GITEX Nigeria, we sat down with Chris Norton, Kaspersky’s General Manager for Sub-Saharan Africa, to cut through the noise and get a clear-eyed read on what’s really threatening Nigerian organisations today, what practical defence looks like for African enterprises, and how a global cyber-security vendor is reshaping its regional playbook to meet local realities.
In this conversation Norton moves beyond headlines to explain the simple but often-missed controls that stop most breaches, and why threat intelligence, talent development, and public–private collaboration must sit at the heart of every response. Whether you lead security for a fast-growing fintech, run tech for a government agency, or are building security into a startup, you’ll find actionable guidance and a frank assessment of the gaps that matter.
What two cyber threat trends are uniquely Nigerian right now, different from what is obtainable in Sub-Saharan Africa?
I don’t think there’s anything unique about the threats faced by Nigeria. The whole of Africa faces common threats, predominantly focused on three key areas. The first one is the public sector. The government is being attacked by the global threat actors quite pervasively. Finance is another one. The telecoms are the third industry that’s being attacked quite significantly, if you look at the advanced persistent threat actors around the world.
The syndicates that are currently misbehaving in terms of the biggest exposures, Nigeria is no different to the rest of Africa. The biggest exposure comes from phishing attacks. It’s normally a user understanding, knowledge, or awareness campaign that needs to be in place in order to defend and protect against that. That is what you’ve been seeing us doing a lot of work with some of the government agencies in Nigeria. You’ve seen MoUs being signed around awareness and skills development.
Kaspersky signed an MoU with SMEDAN recently. What concrete offerings will SMEs in Nigeria see within the next 12 to 18 months?
I personally believe in the work that they are doing in SMEDAN. The CEO/DG is a very capable and competent individual. We only signed the MoU a week ago. The basis of that is enablement and awareness. Those are the first two things that we’re looking to do from that perspective.
There are a lot of other things that we could potentially add to the MoU, like building capacity within SMEDAN to deliver enablements, awareness campaigns, and training. That work will start once we finish our engagements at GITEX Nigeria. We will get down to the task of how do we actually deliver and execute on the MoU.
What is the one single biggest misconception the Nigerian government has about cyber risk in Nigeria?
I had the privilege of meeting with the CEO of NITDA, and he’s also the chief IT officer for Nigeria. I don’t think that the government is under any misconception about the threat that is posed to the Nigerian people by cybersecurity or cybercrime. The impression I got from that meeting was that technology is in really good hands in Nigeria. The country is very clear on the mandates that they’ve been given, and cybersecurity and awareness is something that is foremost in their minds, and at the top of all of their agendas. It’s something that we are very privileged and honored to be in a position to support.
If an African CIO gives you extra to spend on security, where would you put it first and why?
I think the one place that people underestimate in terms of technology is mobile. We all secure the endpoints. We secure the data centers. We secure all of that, but our phones are ultimately connected in so many ways to our lives and to our organizations. I would start by putting some form of Kaspersky technology on the mobile devices. People keep the passwords on their phones – the passwords to their corporate networks, passwords to their cryptocurrency, and passwords to all sorts of things, and the mobiles are very easy devices to hack from a cybersecurity perspective. So, I’d spend it on securing everything all the way to the edge, not just stopping at the edge of the network, but all the way to the edge of the employees’ ability to connect.
How will Kaspersky leverage local partners to close the skill gap in Africa while addressing data residency and transparency?
There are a few very interesting points there. Firstly, let’s talk about data residency. A lot of technologies are cloud-based, and the data is processed outside of the borders of most countries where they work. Nigeria is no different. I don’t see many organizations making massive infrastructure investments on cybersecurity, which means that organization data sovereignty in respect of the data that gets processed around use a cloud-based solution. Kaspersky has a technology to do a hybrid model where we can do cloud, or on-prem, or we can just sell on-prem, and all of our solutions can be delivered as on-premise solutions. So, that protects the data sovereignty of the solution.
In terms of partner enablement, we have focused on end-user awareness campaigns. Moving into the next financial year, as our budgets start to free up, we’re going to start focusing our efforts and energies on partner and customer enablement in terms of hands-on real-world experience with Kaspersky technologies so that people can be comfortable with it, and how it works. We are able to facilitate and deliver skills and support at least at a first level and sometimes at a second level, if they’re a deploy partner to the customers in Nigeria and the West Africa region.
From a transparency perspective, Kaspersky was the first cybersecurity company in the world to make its source code available to customers on demand for review. Subsequent to that, a few other companies started doing it because they realized it was a good thing to do. We have 13 transparency centers around the world. The African Transparency Center is based in Kigali, Rwanda, at the moment. With that, any customer at any point in time can request to seek a first source code and that can be at a high level, at a medium level, even at a tech support or a developer-assisted deep level of our technology. We ensure that there’s complete transparency in the technology and how we use the technology in customers’ environments and what we do with the data.
What guard measures do you recommend to prevent AI-driven misconfiguration or alert fatigue?
AI is a massive threat in as much as it’s a very beneficial tool in so many sectors and industries. AI and machine learning can be used for a lot of good, but they can also be used by bad actors like the advanced persistent threat groups. There are over 200 of such in the world, who are using AI to accelerate the time for them to infiltrate organizations using generative AI to create deep fakes. There have been cases of CFOs giving instructions on Teams calls to junior clerks to transfer millions of dollars into disparate accounts. And that CFO’s image and the voice and everything was a deep fake. It’s terrifying.
These are starting to accelerate, and AI is accelerating that. The only way you can defend against AI in the industry today is with AI. You won’t be able to mitigate against these attacks unless you have some form of AI capability in the tools that you’re using, so that you can catch the majority of the AI attacks at the speed at which they’re being thrown at the organizations and remediate them automatically and deal with them.
No company in the world can employ the number of people that would be required to defend against an AI onslaught from an AP threat actor. We integrate and use a lot of AI in our tools. The reason we use AI is to limit the amount of human capital required in order to defend in these environments. So, we use AI to determine what’s a real threat or a false positive. And we only pass the real threats through to an agent, and we deal with the false positives or we remediate what we can.