Information security is not a new topic – it is something that companies and individuals alike have been well aware of for ages. Be it the fight against viruses or ransomware, the threats and the defences have evolved side-by-side. What hasn’t changed is the steadily growing need for security. It wouldn’t be your fault if you assumed that there isn’t any exceptional need for security professionals in the industry right now. Everything is hunky-dory and nobody is going to need even more people to keep their data (and assets) safe. So people might as well leave everything to the firewalls, VPNs and antiviruses of the world, and you most certainly don’t want to be another information security analyst in an already ‘overcrowded’ market. Are we getting it right so far?
Take a look at last year’s attacks, which ranged from the Dyn DDoS attack that brought down half the internet to the multiple data breaches announced by Yahoo. But like many others last year and in the years before, all of these are routine, far-off events that haven’t really boiled down to actual consequences in your life, right? Unless….
It’s happening – now and here
In October 2016, Indian banks suffered their worst data breach yet when almost 3.2 million debit cards were compromised. Major banks like Axis Bank, HDFC Bank, SBI, ICICI and Yes Bank were some of the worst affected. The effect was industry-wide because of the target chosen by the attackers – the interoperable payment system. Banks operate their ATM and payment networks in such a way that any network bank’s cards will work with any bank’s machine. Hence, when Yes Bank’s ATM network was compromised due to a malware injection into the payment gateway of Hitachi network systems, the effect gradually spread to multiple banks and their account holders. Interestingly, the breaches happened somewhere between May and July, yet they were not identified until two months later, in September. Hitachi wasn’t even able to identify the amount of data breached. And that’s a banking network.
Many of you might have heard of the Cloudflare data breach – infamously titled Cloudbleed due to the data-leaking behaviour in the breach. Quite a few popular websites, including India-based ones, were using Cloudflare as their storage provider and, as a consequence, were affected by it. Some of them were HDFC Bank, Citibank, Infibeam, Uber, Zoho and Lenskart. If you had an account on these websites before the breach, it is highly likely that the data was leaked to any random requester who hit the correct server or even used the correct search term on Google.
Overall, according to a report from Gemalto, last year saw a staggering 1.3 billion records breached by hackers – that is 44 people losing their information every second, throughout the year. And this doesn’t include the 52% of breaches where the number of records lost was unknown. Compare that to the fact that the total number of breach instances actually went down by 4% – indicating that the breaches are going wider and deeper in terms of effectiveness. Specifically, India was one of the worst performers. According to the 2016 Cost of Data Breach Study from IBM, India had the highest average number of breached records at 31,225 per breach. Interestingly, the same report goes on to point out that India is the global leader when it comes to the percentage of breaches caused by system glitches. That does tell you something about the way the technology behind security is currently being handled in India.
It’s a pain
The data you lose to breaches may or may not be vital to you – depending on the severity of the breach. Enterprises, on the other hand, have a higher price to pay. Indian organisations experienced an average loss of $1.6 million per organisational breach, bringing the cost of each lost record to about $60. Apart from the economic losses, a data breach or hack also affects the goodwill of a brand with its customers – and we all know how important that is in the Indian context.
The common perception is that improving enterprise-level security means spending more money on it. According to Gartner, organisations spend an average of 5.6 percent of their overall IT budget on IT security and risk management, but actual security levels are far below what is indicated by this share. “Clients want to know if what they are spending on information security is equivalent to others in their industry, geography, and size of business in order to evaluate whether they are practicing due diligence in security and related programs,” said Rob McMillan, research director at Gartner. “But general comparisons to generic industry averages don’t tell you much about your state of security. You could be spending at the same level as your peer group, but you could be spending on the wrong things and be extremely vulnerable. Alternatively, you may be spending appropriately but have a different risk appetite from your peers,” he said. And because of these incorrect assumptions, increased security budgets haven’t resulted in greater security levels – a situation that has prompted many companies to sit up and take stock of their information security infrastructure.
This perception is gradually changing. Some clearly defined factors are emerging in the industry that have shown direct cost and effect benefits towards security:
- Establishing a workforce trained in the latest vulnerabilities and new threat avenues.
- Ensuring company-wide usage of encryption on each and every platform.
- Forming an incident response team that is well prepared to deal with a live breach.
- Cooperative participation in threat sharing with other companies.
New entry points
It has been a long-standing practice to secure a computer with an antivirus and a firewall. That practice has trickled down to a small portion of the smartphone community, with similar awareness regarding threats. Now, if you think that an individual smartphone is at risk, you couldn’t be further from the truth. That level of targeting is quite rare and is mostly left to espionage novels and movies. What attackers do go after is your data, stored at server level. And in the case of smartphones, only a small fraction of users actually check the permissions requested by each app they install, so the rest grant access to their data even when it is not relevant to their use case.
On the other hand, newer data endpoints are emerging every day. According to Gartner, smart machines will enter mainstream adoption by 2021, with 30 percent adoption by large companies. These are machines that will make many decisions for themselves, mostly while connected to networks. Even if they are not entirely autonomous, security for these has to be implemented differently.
Last year, the Mirai botnet attack demonstrated the potential of IoT security breaches. IoT indeed is something that has been discussed a lot from a security standpoint, but then again, it is the Internet of ‘things’ – anything new that is connected to the internet falls under IoT. And anything connected to the internet is vulnerable. Cars have been hacked, a popular U.S. smart home alarm system was hacked, implantable medical devices like pacemakers have been hacked, plane systems have been hacked, critical infrastructures like a power grid and a dam were hacked, mobile banking apps have been hacked, smart city technology has been hacked, and even a traffic management system has been hacked in Washington, D.C.
By nature, the IoT market is fragmented in terms of design and security. What does that mean? It means that there is no single security approach that applies to the entire connected devices market. For that reason, there is a high demand for cybersecurity professionals who can analyse and deal with cases specific to a certain company. And as the expenditure areas in the previous section showed, there is active effort to reduce the level of human error and system glitches possible, making cybersecurity a lucrative career opportunity right now.
What can you do
It is true that cybersecurity, as a career choice, has always had a steady demand – till now. In the coming few years, as the factors above indicate, the demand is not only going to grow – it is going to widen as well. According to Glassdoor, an entry-level Information Security Analyst can make up to 8 LPA, and it only goes higher from there.
Building expertise in new and emerging platforms, which have their own vulnerabilities, is a good first step towards a career in this growing market. Also, developing practical experience alongside that can never be a bad thing. For anything beyond that, stay tuned to this space for part II of this article on building a career in cyber-security next month.
This article was first published in the May 2017 issue of Digit magazine.