Digit Geek
Cybersecurity
Digit Geek > Recent Articles > Technology > Cyber-security is everyone’s problem

Cyber-security is everyone’s problem

No, this isn’t another article telling you about the ten different things you need to right now to get secure online. Neither is information security a new topic – it is something that companies and individuals alike have been well aware of for ages. Be it the fight against viruses or ransomware, the threats and the defences have evolved side-by-side, but what hasn’t changed is the growing need for security. Take a look at last year’s attacks, which ranged from the Dyn DDoS attack that brought down half the internet or the multiple data breaches announced by Yahoo. But like many others last year and the years before them, all of these are far-off events that haven’t really boiled down to actual consequences in your life, right?

Why you should care about cyber security

In October 2016, Indian banks suffered their worst data breach yet when almost 3.2 million debit cards were compromised. Quite a few major banks such as Axis Bank, HDFC Bank, SBI, ICICI and Yes Bank were some of the worst affected. The effect was industry-wide because of the target chosen by the attackers – the interoperable payment system. Banks operate their ATM and payment networks in such a way that any network bank’s cards will work with any bank’s machine. Hence, when Yes Bank’s ATM network was compromised due to a malware injection into the payment gateway of Hitachi network systems, the effect gradually spread to multiple banks and their account holders. Interestingly, the breaches happened somewhere between May and July, yet it was not until two months later in September that it was even identified. Hitachi wasn’t even able to identify the amount of data breached. And that’s on a banking network!

SBI

SBI had to carry out one of the largest debit card replacement drives in India

Many of you might have heard of the CloudFlare data breach – infamously titled Cloudbleed due to the data leaking behaviour in the breach. Quite a few popular websites, even India based, were using Cloudflare as their storage provider and as a consequence, were affected by it. Some of them were HDFC Bank, Citibank, Infibeam, Uber.com, Zoho and Lenskart. If you had an account on these websites before the breach, it is highly likely that the data was leaked to any random requester who hit the correct server or even used the correct search term on Google.

Gemalto Breach Level Index

Overall, according to a report from Gemalto, last year saw a staggering 1.3 billion records breached by hackers – that is 44 people losing their information every second of the year. And this doesn’t include the 52% breaches where the number of records lost was unknown. Compare that to the fact that the total number of breach instances actually went down by 4% – indicating that the breaches are going wider and deeper in terms of effectiveness. Specifically, India was one of the worst performers. According to the 2016 Cost of Data Breach Study from IBM, India had the highest average number of breached records at 31,225 per breach. Interestingly, the same report goes on to point out that India is the global leader when it comes to the percentage of breaches caused by system glitches. That does tell you something about the way data security is being handled currently in India.

The cost of data breaches

The data you lose to breaches may or may not be vital to you – depending on the severity of the breach. Enterprises, on the other hand, have a higher price to pay. Indian organisations experienced an average loss of $1.6 million per organisational breach, bringing the cost of each lost record to about $60. And apart from the economic losses, a data breach or hack also affects the goodwill of a brand with its customers – and we all know how important that is in the Indian context. Average perception towards improving enterprise level security is spending more money on it. According to Gartner, organisations spend an average of 5.6 percent of the overall IT budget on IT security and risk management but actual security levels are far below what is indicated by this share. “Clients want to know if what they are spending on information security is equivalent to others in their industry, geography and size of business in order to evaluate whether they are practising due diligence in security and related programs,” said Rob McMillan, research director at Gartner. “But general comparisons to generic industry averages don’t tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers,” he said.

This perception is gradually changing. Some clearly defined factors are emerging in the industry that has shown direct cost and effect benefits towards security:

  • Establishing a workforce trained in the latest vulnerabilities and new threat avenues
  • Ensuring company-wide usage of encryption on each and every platform
  • Forming an incident response team that is well prepared to deal with a live breach
  • Cooperative participation in threat sharing with other companies

New entry points

It has been a long-standing practice to secure a computer with an antivirus and a firewall. That practice has trickled down to a small portion of the smartphone community, with similar awareness regarding threats. Now, if you think that an individual smartphone is at risk, you couldn’t be further from the truth. That level of targeting is quite rare and is mostly left to espionage novels and movies. What attackers do go after is your data, stored at the server level. And in the case of smartphones, a small margin of users actually check the permissions asked for by each app they install – thus the others grant access to their data even if it is not relevant to their use case.On the other hand, newer data endpoints are emerging every day. According to Gartner, Smart machines will enter mainstream adoption by 2021, with 30 percent adoption by large companies. These are machines that will make many decisions for themselves mostly while connected to networks. Even if they are not entirely autonomous, security for these has to be implemented differently.

Wearables are also a possible vulnerability when it comes to data leaks
Wearables are also a possible vulnerability when it comes to data leaks

On the other hand, newer data endpoints are emerging every day. According to Gartner, Smart machines will enter mainstream adoption by 2021, with 30 percent adoption by large companies. These are machines that will make many decisions for themselves mostly while connected to networks. Even if they are not entirely autonomous, security for these has to be implemented differently. Last year, the Mirai botnet attack demonstrated the potential of IoT security breaches. IoT indeed is something that has been discussed a lot from a security standpoint, but then again, it is the Internet of ‘things’ – anything new that is connected to the internet falls under IoT. And anything connected to the internet is vulnerable. Cars have been hacked, a popular U.S. smart home alarm system was hacked, implantable medical devices like pacemakers have been hacked, plane systems have been hacked, critical infrastructure like a power grid and a dam were hacked, mobile banking apps have been hacked, smart city technology has been hacked, and even a traffic management system has been hacked in Washington, D.C.

Last year, the Mirai botnet attack demonstrated the potential of IoT security breaches. IoT indeed is something that has been discussed a lot from a security standpoint, but then again, it is the Internet of ‘things’ – anything new that is connected to the internet falls under IoT. And anything connected to the internet is vulnerable. Cars have been hacked, a popular U.S. smart home alarm system was hacked, implantable medical devices like pacemakers have been hacked, plane systems have been hacked, critical infrastructure like a power grid and a dam were hacked, mobile banking apps have been hacked, smart city technology has been hacked, and even a traffic management system has been hacked in Washington, D.C.

By nature, the IoT market is fragmented in terms of design and security. What does that mean? That there is no one such security approach that applies to the entire connected devices market. And because of that reason, there is a high demand for cybersecurity professionals who can analyse and deal with cases specific to a certain company. And as the expenditure areas in the previous section showed, there is active effort to reduce the level of human error and system glitches possible, making investing in cyber security a good decision right now – whether you’re an enterprise at risk or a student wondering which career path to choose.

Sources: Gemalto, IBM

Arnab Mukherjee

Arnab Mukherjee

A former tech-support desk jockey, you can find this individual delving deep into all things tech, fiction and food. Calling his sense of humour merely terrible would be a much better joke than what he usually makes.