Jan 14, 2017, 10.23 AM IST | Source: Moneycontrol
Since there is no such thing as future-proof security, protecting your organisation against cyber threats without disrupting business should be a top priority.
Cinema has more often than not portrayed hackers as shadowy figures who penetrate firewalls in a matter of seconds by pounding keyboards. Hacking in real life is much more complicated, and requires intricate knowledge of systems and much research. However, in February 2016, Bangladesh's Central Bank decided to make things a notch easier for hackers by using $10 switches (the kind you might use at home) and no firewalls. To make matters worse, the SWIFT computers were on the same network as the bank's computers. According to news reports, hackers obtained the credentials of three employees and siphoned off a cool sum of $81 million, a heist that would make Daniel Ocean very proud.
The operation put the spotlight on SWIFT and on how secure money transfers between banks were. As a system, it is regularly stress tested and updated to ensure the software can ward off threats. But SWIFT is only as strong as its weakest link. And herein lies the problem.
With the Internet of Things, we have a growing number of devices that are interconnected. Networking giant Cisco said that there were around 8.7 billion devices connected by 2012 and the number will increase to 50 billion by 2020. Factories, offices, power plants and utility companies continue to be networked, which increases the number of IoT endpoints. The world is moving towards smarter energy, smarter grids, and automation. Yet much of the legacy hardware and software has not been updated to withstand new threats.
Cyber attacks often manage to grab headlines, and rightly so. From a hospital in California paying a hefty ransom of $17,000, a massive cyberwar disabling Estonia’s banks, broadcasters, police and the government, and Stuxnet destroying nearly 1000 nuclear centrifuges in Iran, to the breach of Yahoo email accounts which has stalled the Verizon-Yahoo deal, they are hardly industry-specific.
Companies, like countries, often under-report cyber security incidents. Even by McAfee’s conservative estimates, cyber attacks globally cost around $375 billion in 2014. However, certain costs cannot be easily quantified, like damage to intellectual property and opportunity costs, as both translate into less investment in R&D and build up risk-averse behaviour. Even back home, as the Indian population is increasingly going online, cases relating to cyber security have increased. According to data from the National Crime Records Bureau (NCRB), cyber crimes have increased 20% compared to 2014, with the total number of cases at 11,529 in 2015. Even the country’s Computer Emergency Response Team handled nearly 50,000 incidents ranging from website intrusion, malware and phishing to denial of service attacks.
In light of these threats, organisations are increasing their security measures by implementing technologies and developing processes to counter them. Business leaders now view cyber security as a crucial component of the overall corporate strategy, and the role of the Chief Information Security Officer has gained prominence among many multinationals. With the adoption of cloud-based storage and mobile applications, cybercriminals can breach office networks. Apart from financial information, customer data and intellectual property are considered top prizes. Companies, while upgrading legacy infrastructure, need to educate employees on security practices like the use of encryption, security updates, and even password strength. Operational technology, which controls physical devices, requires routine logs which are to be monitored for security incidents. And in the case of an incident, procedures and protocols need to be followed to minimise risk.
However, addressing global cyber threats is beyond the scope of individual businesses. Small to medium businesses (SMB) are especially vulnerable as they might find implementing security measures expensive and time-consuming. While there is no excuse for leaving assets unsecured, there is a greater need for the public and private sectors to collaborate on this issue. Both governments and the industry have to develop better cybercrime prevention methods and establish norms. Cyber crime is not bound by borders and therefore, prevention should not be either. Governments need to reach a consensus and have an international approach, especially when it comes to enforcement and prosecution. This is in the best interest of business, and with the sheer number of stakeholders involved, joint action is the only recourse.
There is one undisputed fact: there is no such thing as future-proofed security, and following security protocols can go a long way in preventing such attacks. Failing to pay heed can prove very costly, as a recent senator-turned-presidential-candidate found out.