Cybercrime: the invisible threat
Partner and National Leader, Risk Advisory Practice, EY India
Criminals and rogue nations are increasingly attacking the technology assets of individuals, organizations and governments.
As disruptive innovations in technology and new business models transform organizations and communities around the world, they are also engendering a dangerous invisible threat—cybercrime.
Indeed, criminals and rogue nations are increasingly attacking the technology assets of individuals, organizations and governments, stealing and selling valuable information, and in an alarming trend, holding data for ransom.
The cyber-attack on a prominent California hospital earlier this year is a case in point. The hackers exploited vulnerabilities in the hospital’s technology systems and encrypted patient-care data, making it difficult for doctors to continue treating their patients for over a week. The attack was accompanied by a ransom demand of 9,000 bitcoins—over $5.5 million.
A leading e-commerce company recently discovered that by writing an algorithm to exploit a loophole in its payment gateway, hackers procured free goods—using 100% discount coupons—for almost six months. Another fraudulent tactic has involved the hacker sending a spurious email from the CEO’s mailbox to the finance department asking it to transfer funds to a fictitious vendor’s bank account.
With governments and enterprises increasingly leveraging the Internet for mission-critical applications—from operating power grids and smart cities to conducting banking transactions and manufacturing connected cars—such incidents have yet again brought cybersecurity concerns to the forefront.
Unfortunately, India Inc.’s response to cyber risks has not been robust. India ranks third globally as a source of malicious activities and its enterprises are the sixth-most targeted by cybercriminals. Despite investments in high-end security products, cyber-breach detection capabilities of most large organizations remain largely ineffective.
Indian companies’ crisis-response strategies appear to be inadequate as well. Earlier this year, EY conducted a cyber-attack simulation for 79 CEOs. The executives were asked how they would react when informed that their customer data had been compromised. The responses ranged from contacting the chief information security officer to the chief marketing officer to the corporate communications officer. When asked how they would respond to situations involving ransom demands, most executives did not have a concrete plan.
The key challenge for Indian companies is that most view cybersecurity as an “IT issue”. Consequently, cyber risks do not get appropriate top management attention. This needs to change.
Cyber resilience is a critical boardroom imperative. The likelihood of operational, financial and reputational damage is growing as criminals exploit organizations’ enhanced “attack-surface”, including online presence, use of social media, adoption of mobile and wearable devices, and the usage of cloud services. In many cases, the enemy lies within the organization’s perimeter.
Indeed, research indicates that malicious or negligent insiders, including employees and business partners, are responsible for over half of the cyber-breaches. At risk are intellectual property, customer, vendor and employee data, strategic plans, financial statements, legal positions and in some cases, business continuity itself.
What can organizations do to enhance their cyber resilience? They need to address the following questions: First, do we have the right security governance and architecture to protect our “crown jewels”? How often do we test their robustness with the best-in-class attack-and-penetration tests? Do we get timely threat intelligence? How effective is the security posture of companies in our partner eco-system? Are our workers and contractors aware of their responsibilities for managing security risks? Do we conduct periodic checks to ensure that users’ access to privileged data is tightly controlled? Are some users misusing access-privileges? How is access granted and revoked?
Second, do we deploy a state-of-the-art Security Operations Center (SOC) for monitoring threats to our software applications and hardware infrastructure? Do we leverage data analytics and machine learning to uncover suspicious data and user-behaviour patterns and develop predictive cyber-attack models? SOC effectiveness is critical, especially since organizations can take 180-270 days (sometimes even years) to detect cyber breaches.
Third, how robust is our incident-response strategy? If our critical assets are corrupted or paralyzed, how would we ensure business continuity? How would we respond to ransom demands? How would we communicate with our stakeholders and minimize reputational damage?
Cyber attacks are not a matter of “if” but “when”. In fact, it is likely that many companies may already have been breached, but not all of them may be aware. With the digital age and the increasing connectivity of people, devices and enterprises presenting new playing fields of vulnerabilities, fortifying the enterprise for cyber resilience is an urgent imperative for organizations.