In a dynamically changing environment and more connected world, where cybersecurity plays a critical role - it will not be easy to predict what will happen a week or two from now, let alone in several years. Cyberattacks have transformed the risk landscape and over last couple of years, we have seen a proliferation of adversaries in the cyber space and cyberattacks have evolved from being ‘just an attack’ to organized state sponsored attacks as the malicious hackers are constantly discovering and exploiting vulnerabilities. As per EY Global Information Security Survey (GISS) 2015, state sponsored attacks have grown up to 35 per cent in 2015 as compared to 27 per cent in 2014.
Cyber security has now undoubtedly become one of the top security agenda for all the countries around the globe; from SWIFT breach that led to Bangladesh Bank losing over $81 million, to the recent compromise of 3.2 million debit cards of top notch Indian banks, to warnings by CERT-In of a major cyber-attack from Pakistan. As the technology is growing, hackers are finding advanced loopholes, posing next level threats and cyber-attacks against financial service institutions are multiplying in frequency and volume and are becoming much more sophisticated.
Although most of the attacks against major banks and financial institutions occur from a whale of service disruptions but many of the financial services firms, payment card industries and banks have experienced numerous data breaches in recent years.
According to the 2016 Cost of Data Breach Study: India, the average size of a data breach has increased by 8.1 per cent while the average total cost of a data breach paid by Indian companies have grown by 9.5 per cent. Another survey conducted by Symantec revealed that more than 430 million new unique pieces of malware were detected in 2015, which was up by 36 per cent from the year before. Thereby implying that a huge number of potential new zero-day attacks have entered the field and have never been recognized in the past. With such enormous amount of new malwares popping up every day, 43 per cent of information security executives participating in EY’s Global Information Security Survey 2015 feel that they see malware as the top most threat today to their organizations.
In spite of having significant security focus on vulnerabilities associated with credit and debit cards usage by the financial institutions, with the growth in technology, emerging new trends and alternate payment methods, the number of attack surfaces have aggregated exponentially, giving the hackers a huge open field of targets for exploitation. With increased use of digital channels, the risk to banking organizations is rising and helping the attackers to attempt crimes anonymously and more acutely. Banks are enormously relying on mobile devices to provide services remotely and swiftly but these channels expose firms to higher level of cybercrime as the attackers now focus on fooling the customers for theft and pulling out sensitive data.
Cybercriminals are everyday transforming and developing refined attack methods that are uncommon to a bank’s security infrastructure like trojan installations, backdoor access, browser authorization systems, and balance loading functions, etc. The malware used in the Bangladesh Bank incident was also an unusual one. The malware crafted for conducting the theft was able to manipulate and read unique messages from SWIFT, adjust balances and send details to a remote control server. Information gathering and foot printing was skilfully conducted prior to launching the attack and it is also believed that the malware attack was coupled with an insider attack to fetch details on the operation of banking system including the supported software, databases, and printer.
All enterprises and organizations have become vulnerable to cyber-attacks and no security system is impeccable anymore. There is nothing as a “perfectly protected system’ in today’s world. Cybercrime is affecting everyone intensely and it is fair to say that this issue goes beyond immediate security threats. It is high time that organizations realize the need of cyber agenda as a business enabler, include it as a crucial part of decision making process and understand the fact that IT security needs to become a process and not an end-product.
Cyber security has become an indispensable economic issue and the need of the hour is to have a robust cyber defence strategy in addition to conventional defense measures. The strategy should be such through which organisations can take effective steps both before and after an attack. This calls for embedding cybersecurity considerations into the product life cycle i.e., from conceptualization to commercial launch and beyond. Special emphasis should be given on boosting digital channel and application security without compromising the user experience. Organizations should be covered and equipped enough for unexpected attacks, be able to monitor the attacks and protect themselves from its aftermaths in order to be cyber-attack ready and mitigate the adverse consequences which comes along it.
Guest Author
A practice leader who owns the P&L of Cyber Security, North India which includes leading the teams in both selling and then executing engagements in the areas on risk management, information technology governance and value with clients across industry verticals. Key areas of responsibilities include top line and bottom line growth, engagement and project management, team building, and practice management.