From the other side: Lessons of WannaCry

73: The percentage of the respondents in India who estimated their organization’s losses due to economic crime to be up to USD 1 million in 2016, according to PwC’s Global Economic Crime Survey 2016.

Note that  “economic crime” is the keyword here. In the past, information security officers have rated identity breaches and insider threats greater than crimes due to ransomware or IoT. Some CISOs have told us that "People are (still) the weakest links". But with the growing cyber security threat, this belief is slowly diminishing.

In India, the PwC report revealed that 61% of respondents have experienced an increased risk of cybercrime while 31% of the respondents in India have experienced economic crime in the last two years.

The PwC report also indicated that while 65% of the respondents in India and 59% of the global respondents encountered less than 10 separate incidents of economic crime, it is pertinent to take into account that a quarter of the Indian respondents who experienced economic crime (compared to more than a fifth of the global respondents) encountered between 11 and 100 separate incidents of economic crime.  A further 6% of the Indian and 9% of the global respondents encountered more than 100 separate economic crime incidents in the last 24 months.

While India didn’t make to cyber crime related headlines until the SBI security breach in December of 2016, the recent WannaCry attack garnered the attention of over a 100 countries that were attacked, including India.

"Across the globe, countries have woken up to the lingering threats of massive cyber attacks that cybercriminals propose to unleash in the near future, and India too seems to be on their radar. India has emerged as one of the top targeted nations by cyber criminals. The inventive tools used by cyber criminals to hijack business dealings and steal valuable customer information are leading to business destruction in both small and medium enterprises,” said Sharda Tickoo, Technical Head at Trend Micro, India.

“With WannaCry bringing many nations to a standstill, and even as several new attacks are predicted in the immediate future, the country cannot afford to have a reactive approach to cyber security, and rather have well defined strategy in place for any future eventualities," she added.

The implications of a cyber attack are harsh and multiple. “It is estimated that 130,000 systems in more than 100 countries had been affected. Russia and India were hit particularly hard, largely because Microsoft's Windows XP - one of the operating systems most at risk - is still widely used in the countries,” said Amit Nath, Head of Asia Pacific - Corporate Business at F-Secure Corporation.

However, many times these cyber attacks go unreported.

According to a KPMG Cybercrime Survey Report 2015, 49% of security professionals reported that they fear damage to a company’s brand that can have a very real impact on financial performance.

Sunil Gupta, President and Chief Operating officer at Paladion Networks said, “Many businesses have resolved incidents internally given that their admission would reflect badly on their cyber security preparedness.”

“This approach serves as the biggest hurdle in enhancing the security infrastructure amongst business enterprises,” he added.

WannaCry in Digital India

“With campaigns, such as Digital India, and concepts, such as Aadhaar, UID, and digital money gaining immense popularity, India is in the midst of a major digital revolution. However, as India steadily moves towards a digital future, we must be wary of the potential security risks which digitalization brings,” said Tickoo.

One of the biggest security risks is the presence of legacy IT systems.

According to Gupta, “today, an organization has to deal with issues that were not known or heard of a few years, months or even weeks before. Consider WannaCry as an example; the ransomware enters a system through network infection vector EternalBlue and then installs DoublePulsar, a system backdoor which downloads and installs the WannaCry package. Neither the system vulnerability nor the backdoor implant was known till barely a month ago.”

“This fact itself questions the viability of a legacy cyber security system in the long haul,” he added.

And this underlines the importance of the CISO in the organization.

“A CISO’s role in the future is going to be more and more important and pertinent. With data and information being the most valuable possession of any organisation, it is paramount that proper security measures/checks - balances are in place,” said Tickoo.

“First and foremost, it is important that a CISO is honest with the board, other stakeholders and external customers. It is also important to discuss with the board the associated risks and the acceptable risks. When the board is aware of the risks, it should be documented and signed off to rule out future failures,” she added.

Secondly, Tickoo added that a proper risk management should be adopted.

Finally, she said that a transparent communication should be maintained with the external customers to retain their trust and confidence.

 “It is better to issue a statement in case of any breach, informing the customers that steps have been taken by the firm to mitigate the risks. This will help in assuring the transparency and credibility of the firm,” she said.

What Next?

“Employ basic security checks,” said Nath. “Take regular backups of your data; keep the software on all your devices up to date to prevent exploits; be extra careful with email attachments; limit the use of browser plug-ins. Surprisingly, many enterprises overlook basic security hygiene and controls such as multi-factor authentication, complex passwords, VPN,” he added.

However, basics should be more than that.

The next step is also to ensure that you have a robust cyber security framework in place. “Security leaders must ensure basic hygiene practices are adopted like backups, cyber awareness sessions and regular patching, virtual patching etc.,” said Tickoo.

According to Rajnish Gupta, Sales Director - India & SAARC at RSA Security, "today’s security organizations need to ruthlessly prioritize and be able to engage in a business discussion with IT and broader business stakeholders. WannaCry was undoubtedly a cautionary tale. We believe that organizations that adopt a business-driven security approach can prevent WannaCry from being yet another recurring cyber security motif.”

“Security risks that do not make the boardroom discussions do not receive the visibility they need to be properly addressed. Luckily, cyber risk has been recognized at the executive level,” he added.

And it must continue to remain so. 

The Way Forward

The need for security industry collaboration

It is important that the security industry collaborates and works together, to avert any major catastrophe in the near future.  This will not only help mitigate the risks but also send a message to the cyber criminals, that they wouldn’t be able to succeed in the long term against a more powerful and united resistance from the industry. When various products and techniques devised by different firms are used in collaboration, the mitigation plan can be prepared and executed easily,” said Tickoo.

The need for an effective Indian cyber security law

In 2016, Suckfly, a cyber espionage group, was revealed to have breached several Indian financial institutions, including systems of central government, and even a vendor of the National Stock Exchange and an e-commerce company. The surveillance activity – which aimed to take stock of Indian finances – began in April 2014 and continued till 2015. Later, Danti, another such group, was unveiled to have penetrated the government systems through diplomatic bodies. In both the cases, the breach was disclosed by two private cyber security vendors.

The above example, cited by Gupta, underscored the role of security vendors in strengthening the cyber security law in India.

“Government agencies have a lot to learn considering factors pertaining to cyber security. Their collaboration with cyber security vendors will enable them to draft a more enhanced cyber security policy and strengthen the cyber security law through the latter’s acquired knowledge in the broader cyber security landscape,” said Gupta.

 “There is urgent need for vendors to raise awareness on the subject and strengthen the critical infrastructure protection in India. This can be done only when there is cyber security skills development in India,” said Tickoo. 

nike