Cybercrime is perhaps the only criminal activity that’s crazier in real life than in Hollywood. Tom Cruise stealing CIA secrets in Mission Impossible does not even come close to some of the biggest hacks in the world. In 2013, hackers stole $300 million from a hundred banks across 30 countries. Last year, Sony Pictures Entertainment, banking and financial services company JP Morgan Chase, investment firm Morgan Stanley and American retailers Home Depot and Target Corporation—all international giants—were hacked, leading to hundreds of millions of dollars in losses and costing several high-profile executives their jobs. Target spent $148 million in expenses relating to the breach, and CEO Gregg Steinhafel stepped down shortly after the incident.
India is not immune or exempt from such attacks. All the industry experts that Forbes India spoke to admitted that cyber criminals are already regularly breaching Indian companies. And data support these claims: A 2015 Assocham-Mahindra Special Services Group study reports that a little more than 71,000 cyber crimes were registered and 28,481 websites were hacked in 2013. It predicts that by the end of 2015, at least 85,000 Indian websites—this is a 198.4 percent increase in two years—will be hacked. (A cyber crime is a high degree of breach where data or money is stolen, unlike a regular hack where a person breaks into a security system without necessarily causing damage or stealing information or money.) Three years ago, cyber security labs would detect new malware—like viruses and adware—every minute, today they find three new bugs every second.
“The reason there hasn’t been a big story from India is because the rogue model hasn’t targeted the country yet,” says Steve Redman, vice-president (Asia Pacific) for enterprise security giant Palo Alto Networks. Cyber criminals, like any savvy business, look for the best trade-off between opportunity and cost—which is what a rogue model is—and this has saved India, so far. But with last year’s bloodbath in the US, India Inc has become acutely aware of the havoc cyber attacks can wreak and the fact that they are running on borrowed time.
According to senior cyber security executives, who did not want to be named, in the last three years, hackers have stolen customer data from a large Indian retailer; small defence contractors have tried to steal classified information from each other to win government bids; and two telecom companies have faced targeted attacks. Most of these issues were quietly and quickly handled, but the writing on the wall is clear for those willing to read: Global hackers have started targeting specific businesses in India. Experts say that financial services and telecom companies are especially at risk because they have the largest and most valuable databases of customer information.
Retailers with burgeoning customer-ID databases, information technology (IT) companies with access to clients across many sectors and healthcare companies (medical records are arguably the most robust kind available) are also increasingly at risk.
This reality set a sombre tone for the India Cyber Security Summit 2015, which was held in Mumbai this March. The summit was dominated by middle-aged men ready to share their battle stories with those willing to listen.
Meet the chief information security officer (CISO): The unlikely soldier on the frontlines of a war most Indians are oblivious to. A few years ago, theirs was a low-level IT function. Now, they report to risk committees or directly to a company’s chief information officer (CIO).
Burgess Cooper, partner-information and cyber security at Ernst & Young, who has worked as a CISO with HSBC and Vodafone, recalls alerting his chief information officers at odd hours—at times even at 4am—to inform them of an attempted hacking attack, which was detected and successfully mitigated in time. “When a CISO is going through a cyber attack, he will lose five years of his life in those 24 hours. When you detect and prevent an attack, all the investments you have done over the years, are deemed repaid in that one day,” says Cooper. CISOs don’t have it easy: It doesn’t make the news when they do their jobs right. There is no shame in being attacked, credit is given to detecting and successfully thwarting one. The consensus is that if a hacker wants to get you, he or she will.
Currently, most large companies have a whole host of security firms, protecting different parts of their IT infrastructure. There’s one for the data centre, one for the cloud, one for the network, and so on. Mahapatra, through Intel Security, is trying to sell a service that allows each of these different security systems to talk to (and warn) each other. “Hackers work on a random basis. If the door doesn’t open, they will go to the window. We want to get the door and the window to talk to each other,” he says.
Companies can also buy cyber security insurance to mitigate losses, but that doesn’t address the threat. One long-term solution, suggests Uniken Systems CEO and chief innovation officer Sanjay Deshpande, is to make it expensive or unprofitable for hackers to attack your company. “If a hacker needs $300,000 instead of $300 to breach a company, he may move on to another, cheaper target,” says Deshpande. To do this, Uniken, a cyber security provider, is trying to create a private network between companies and users to make it more difficult and expensive for intruders to get inside a company. Only a company and its vendors or partners are connected in a private network. This is one way to keep hackers out.
So what makes the best hackers so tough to thwart? “The more sophisticated hackers are the ones who are also writing their own code and scripts to look for new vulnerabilities that have not been discovered yet,” says author and ‘ethical hacker’ Ankit Fadia. “The number of hackers in India, both white hat (ethical) and black hat (malicious) have been steadily increasing year on year.” Such cyber criminals sell their bounty on the Darknet, a private network on the internet where members can interact and exchange goods and services anonymously. On the Silk Road, (the Darknet’s black market, which has been shut down) one could trade digital currencies like Bitcoins for drugs, guns, hacking equipment and other illegal activities. Rescator is another website where cybercriminals can sell credit card data.
It is important to note, though, that money alone cannot guarantee safety. Neither can following a set of rules. When Sony Entertainment was threatened by North Korean state-sponsored hackers in 2014, it brought to the fore the grey area between a nation’s and a corporate entity’s security. “The attack by North Korea on Sony was an attack on the USA through Sony. But nobody knows what the relationship between private sector and homeland security should look like,” Menny Barzilay, chief security evangelist at Uniken tells Forbes India. “We can’t practise current politics in the virtual world like we do in the physical world because there’s no concept of a state. Everyone and everything is connected.”
In April this year, US President Barack Obama announced strong sanctions against foreign cyber attackers who target US companies or institutions. “Israeli Prime Minister Benjamin Netanyahu created a national cyber bureau which does a great job in trying to figure out the relationship between the private sector and the government,” says Barzilay, who suggests that every country should create a body that fosters cross-sectional discussion.
India still has a long way to go. Some analysts and experts feel that the measures undertaken by Indian companies, let alone the government, are simply not enough. One such critic is Arun Gupta, managing partner and director of consultancy firm Ingenium Advisory. He has 30 years of experience in business technology and has worked with companies across pharmaceuticals, retail and financial services sectors. “In the IT departments of most organisations, security accounts for about 5 percent of the total budget. Internationally, it would be 10 to 12 percent,” he says.
The intensity of a company’s response to these threats varies. While some have embraced this new world, others do not really walk the talk. For a safer world, everyone has to be on guard.