Covid, a wake-up call for cyber security
By Nikhil Mahadeshwar
With critical data flowing out of secure networks, both organisations and individuals need to prepare for potential cyber attacks. Most people read about the recent Twitter hacks of the richest men in the world by bitcoin hackers. But what did not make news was the money lost by the common man. Let’s call him Mr Sharma who lives in India, his money was more valuable to him during this lockdown than it was for Bill Gates and Elon Musk, both billionaires with little to lose from their enormous wealth.
At the same time that the billionaires were facing their minor hacks, India was prey to a disproportionate amount of cyber attacks due to tensions between India and China. According to an advisory circulated by the Maharashtra Cyber Cell last month, more than 40,000 cyber attacks were attempted on India by China in the last few months, according to statistics available in the public domain. Predominantly, critical IT infrastructure and the banking industry were targeted in these attacks and most of these originated from Chengdu, China. Lately, we have even seen video streaming apps being used as a carrot on an unsuspecting population that was driven by the appetite of free access.
With the help of techniques such as the ‘threat intelligence data’ gathering, it has now become possible to predict future attacks and even stop some of them, with actionable intelligence. Also, threat intelligence data analysis can track and provide records about ‘region-to-region’ cyber attacks that were initiated. Indians remain soft targets due to our innate dissonance against paying for security. But, as a culture, we do not believe in paying for prevention services, we tend to prefer a cure or a solution. This will be an expensive habit in this particular threat to data security, as most of the Indian population is unaware of the myriad ways by which they can become victims.
It is human nature to ignore perceived risks until we face a life-changing incident. For example, when the Indian government launched Aarogya Setu, hackers all over the globe discovered critical vulnerabilities in the app. Some attackers hacked the data of Covid- positive patients in Karnataka and tweeted about them, hiding a few details. After this and few other similar attacks on the Aarogya Setu app, the Central government initiated a ‘bug bounty’ programme up to ₹3 lakh for reporting critical vulnerabilities in the Aarogya Setu app.
Similarly, most organisations were not prepared for a ‘work from home’ environment and employees were not trained on identifying such attacks. A major chunk of critical data, which was previously never permitted to be transferred home, is now being transferred out of the secure network due to the lockdown situation. Despite all this, the government has not mobilised any large-scale campaign to educate the masses on how their data is under threat.
Earlier, data security protocols were designed bearing in mind the office network infrastructure, not the home networks, so the data remains vulnerable as most WFH employees are on open networks. Data transmission, which was only allowed on office assets, is now being transmitted on employees’ personal phones and laptops. Be it a government or a private organisation, no one was fully prepared for facing such cyber-attacks and the financial loss as a result was unanticipated.
You cannot see this invisible threat coming in, but you can see the outcome in terms of data leaks and loss of funds. Work from home employees were targeted in this pandemic with fake e-mails from their superiors at work, soliciting confidential information and leading them to download malicious attachments for ransomware attacks, which result in encryption of their critical financial and personal data. This locked data will be decrypted only if you pay a ransom in bitcoins to the attacker, who cannot be traced.
Preparing for the next wave
The use of anti-phishing solutions and threat intelligence data analysis will minimise the risk of individuals and businesses becoming victims of cyber attacks. Imagine, what if we could scan a suspicious link before opening it? With such solutions, we may save our data from being hacked. Before responding to any e-mail from any known or unknown person or organisation, if we could verify the e-mail address, we may minimise the risk of being prey to phishing attacks. Deploying data leakage protection solutions on company assets that are provided to employees for work from home also minimise threats.
Establishing robust monitoring policies for threat intelligence and creating a reporting structure for documenting the threats can go a long way in helping companies secure their critical data. Large organisations may already be conducting some of these exercises, but in this situation, small- and medium-size businesses or individuals also need to work on the same, as they have more to lose and have limited resources to fight this threat. The risk is higher for organisations where business processes are outsourced, as one cannot be sure if they have any such solution in place or are prepared for a work from home infrastructure with adequate security protocols in place for data protection and cyber security threats. In most cases, human error is the biggest chink in information security, and this can only be minimised with awareness and training.
Individuals are at risk too
Organisations have deployed some basic data security for business assets, but the same vigilance is required on personal phones and laptops which employees are using to transmit critical data. We take our smartphones everywhere, from the bedroom to the boardroom. Adequate solutions should be deployed on all employees’ personal phones and laptops, too, as nobody is immune to this risk and the government itself is not setting up the necessary safeguards or creating awareness from an institutional standpoint to safeguard citizens from these threats.
Training should be given to employees on a regular basis on identifying potential attacks and reporting the same to the authorities concerned, which in this case is just the State Police’s Cyber Crimes Cell though it itself has very little manpower or technical support. As an individual or a small business, using free security apps for securing your data is sometimes more dangerous than not using any. With free solutions, you may get something malicious in the spyware bound within the app, and you may lose your personal or professional data, without ever knowing it existed.
More than ‘Digital India’, the Government should be pushing for a ‘Digitally Secure India’. As we start inculcating a culture where we value personal data and personal security as a precautionary step, and not as a cure, we must constantly prepare ourselves for asymmetric attacks from our neighbours and safeguard our data. As Clive Humby so eloquently put it a few years ago: “Ddata is the new oil”. Indeed, this holds true even for Mr Sharma, whose savings are being stolen using his own WhatsApp messages.