Cyber security for a hyper-connected world

Sanjay Deshpande   2014 ended on the heels of the infiltration of Sony Pictures’ corporate network. The media has been inundated with an alarming number of reports of global businesses being compromised, and in some cases large chunks of confidential data was released online by the intruders. We can only speculate about the actual extent of financial losses incurred through these attacks. Consider this: Bitstamp, a European bitcoin exchange and the world’s third largest, recently went dark after it was attacked by hackers and bitcoin currency worth approximately $5mn was reportedly stolen. Bitcoins, as we know, are a globally accepted virtual currency and can also be traded for actual money. But, it’s also high time to consider the potentially crippling impact of a similar attack on a stock market. [caption id=“attachment_1546227” align=“alignleft” width=“380”]  Representational Image. Reuters[/caption] Following such fiascos, cyber-security has finally gained recognition as a top agenda for business leaders in 2015. A recent report by FTI Consulting, as a part of its Law in the Boardroom Study, had found that Data Security was a top concern for the top echelons of the management team, even outranking concerns over succession and leadership transition. But the impact of large scale cyber-attacks is not limited to their business or political impact, as in Sony’s case, and extends to larger concerns including public and national security. As businesses make the shift online in order to be closer to their customers, protection of personal and sensitive data has assumed paramount importance. For instance, if financial data belonging to employees or customers is stolen and sold on the cyber-crime black market that is thriving on the World Wide Web, it would worsen the sting of the cyber-attack. The virtual black market happens to be far more organised and concerted today, as is evident from recent attack vectors, giving rise to Cyber-crime-as-a-Service. All a hacker needs to access and steal sensitive data such as bank account details or customer databases, is a point of access into an enterprise’s systems, also called a ‘blind spot.’ With the rapid evolution of new-age technology and hyper-connectedness, comes the emergence of new security blind-spots, particularly in the way data and services are accessed. For instance, employees who access work-related applications through the enterprise intranet or via unmanaged personal devices, or partners, vendors, and customers, who are provided access to the services or their data over the Internet via their personal devices, are all potential security blind spots. The rule of thumb in the cyber security field is “more functionality = more vulnerabilities”. Technologies such as cloud and mobile, which have seen an increasing rate of adoption among enterprises, will also give rise to newer ‘blind spots’, making critical infrastructure belonging to businesses and the government equally susceptible. Mobile apps, e-commerce and online banking having opened up quicker and more accessible routes for hackers to break-in to the service provider-customer nexus. Nascent technologies, too, present new security risks for both personal and organizational usage. One such emerging technology is the Internet of Things. With the Internet of Things (IoT) and wearable technology becoming a commercial reality, the implications of blind spots in the infrastructure are chilling. Picture this scenario - while you are riding in your driverless car on your way to work, the GPS navigator identifies that due to a traffic jam, you will be late for your next meeting, and automatically notifies your organizational calendar to reschedule the meeting. Now if a hacker is able to gain access to your company’s or GPS service provider’s systems via a potential blind spot in the transmission, they could control your car! This scenario is no longer relegated to science fiction but is fast emerging as a real life possibility to be considered in cyber security, national defence matters, and even public awareness. In the enterprise space, IoT, could open up security loopholes, which could allow hackers to listen in on commands or data transmission, transmit inaccurate data or send false commands. Trends indicate that these weak-links will continue to be exploited to give rise to a new gene of cyber-security threats, which makes data – our private, confidential, critical data – extremely vulnerable. According to the Centre of Excellence for Cyber Security Research and Development in India (CECSRDI), India might be vulnerable to a range of threats from state sponsored cyber-attacks, to malware and even cyber espionage in 2015. The BFSI sector is one of the most attacked sectors in the world. The potential “promise” of gaining real money gives attackers a huge motivation to invest real efforts in the attacks and become more innovative. On one hand, customers continue to demand easy-to-use solutions and permanent access while on the other hand attackers are becoming smarter and more effective, heightening the risks as well. Banks are at the epicentre of increasing financial cyber fraud cases which are likely to double to 3 lakh in 2015 in India, according to an ASSOCHAM study. It is obvious that banks are required to stay in line with the most updated and innovative technologies that will allow customers to access their data in a secure way and mitigate the risks involved. Cyber-threats, at the same time, are no longer restricted to fragments of malicious code, aimed to exasperate, incite or stall. Today’s threats are strategic, targeted, organised and relentless. Such targeted attacks, like we have recently seen, can cause significant financial losses as well as deep-seated damage to an organisation’s reputation and leave an abysmal dent in organisational resources. According to a PwC study, there was a 20% increase in average losses as a consequence of security breaches for Indian companies in 2014. Cyber-criminals are becoming more proficient at sharing information, tactics and intelligence amongst themselves. There is a rich criminal-eco-system that contains marketplaces for selling stolen goods including credit cards information, bank account usernames and passwords) and that allows hiring professional hackers and criminals for a specific job. Criminals and hackers work together, many times without even knowing each other, in order to facilitate sophisticated and attacks. Existing security systems are not adequate to deal with the new rising threats and modus operandi such as Advanced Persistent Threats (APTs), in which attackers are increasingly investing real efforts and resources to hack a specific target. Recent incidents have shown that many times the weakest links that are being exploited by the attackers, are remote access solutions. And it is not only new channels such as mobile payments that will come under the scanner. Existing physical infrastructure and systems will also have to be relooked at to protect against newer attack vectors. Given the loopholes being discovered in SSL, there is a growing need to relook at the fundamentals of these security technologies which were designed for a different era and not this digital age. The hyper-connected economy requires implementing a platform that will allow secure connectivity between those devices and other sensitive organizational assets. Cyber-crime, as is evident from recent attack vectors, is a far more organised and concerted activity today. Over the last few years, we have seen the global rise of the Cyber-crime-As-A-Service model. The model effectively enables easy access to malicious software, supporting infrastructure, stolen personal and financial data and the means to monetize this. A couple of years ago, industry reports suggested that the total average organizational cost of a data breach was close to Rs 60 million. It is safe to assume that with the rise in targeted, persistent attempts at data breaches, the total financial losses could cost as much as billions of rupees. And, this is just the estimated financial loss. The loss of trust and credibility that can negatively affect the brand and reputation of an organization is immeasurable and far more lasting. We expect that the cyber-crime industry will only become more professional and efficient, which could lead to mounting losses globally. Businesses, governments and individuals have to be proactive in handling emerging threats and to invest today in preparing for the problems of tomorrow. The author is co-founder and CEO at Uniken.