Firewalls up: Companies not prepared to tackle cyber attacks

Cybercrime is perhaps the only criminal activity that’s crazier in real life than in Hollywood. Tom Cruise stealing CIA secrets in Mission Impossible does not even come close to some of the biggest hacks in the world. In 2013, hackers stole $300 million from a hundred banks across 30 countries. Last year, Sony Pictures Entertainment, banking and financial services company JP Morgan Chase, investment firm Morgan Stanley and American retailers Home Depot and Target Corporation—all international giants—were hacked, leading to hundreds of millions of dollars in losses and costing several high-profile executives their jobs. Target spent $148 million in expenses relating to the breach, and CEO Gregg Steinhafel stepped down shortly after the incident.

India is not immune or exempt from such attacks. All the industry experts that Forbes India spoke to admitted that cyber criminals are already regularly breaching Indian companies. And data support these claims: A 2015 Assocham-Mahindra Special Services Group study reports that a little more than 71,000 cyber crimes were registered and 28,481 websites were hacked in 2013. It predicts that by the end of 2015, at least 85,000 Indian websites—this is a 198.4 percent increase in two years—will be hacked. (A cyber crime is a high degree of breach where data or money is stolen, unlike a regular hack where a person breaks into a security system without necessarily causing damage or stealing information or money.) Three years ago, cyber security labs would detect new malware—like viruses and adware—every minute, today they find three new bugs every second.

“The reason there hasn’t been a big story from India is because the rogue model hasn’t targeted the country yet,” says Steve Redman, vice-president (Asia Pacific) for enterprise security giant Palo Alto Networks. Cyber criminals, like any savvy business, look for the best trade-off between opportunity and cost—which is what a rogue model is—and this has saved India, so far. But with last year’s bloodbath in the US, India Inc has become acutely aware of the havoc cyber attacks can wreak and the fact that they are running on borrowed time.

According to senior cyber security executives, who did not want to be named, in the last three years, hackers have stolen customer data from a large Indian retailer; small defence contractors have tried to steal classified information from each other to win government bids; and two telecom companies have faced targeted attacks. Most of these issues were quietly and quickly handled, but the writing on the wall is clear for those willing to read: Global hackers have started targeting specific businesses in India. Experts say that financial services and telecom companies are especially at risk because they have the largest and most valuable databases of customer information.

Retailers with burgeoning customer-ID databases, information technology (IT) companies with access to clients across many sectors and healthcare companies (medical records are arguably the most robust kind available) are also increasingly at risk.

This reality set a sombre tone for the India Cyber Security Summit 2015, which was held in Mumbai this March. The summit was dominated by middle-aged men ready to share their battle stories with those willing to listen.

Meet the chief information security officer (CISO): The unlikely soldier on the frontlines of a war most Indians are oblivious to. A few years ago, theirs was a low-level IT function. Now, they report to risk committees or directly to a company’s chief information officer (CIO).

Burgess Cooper, partner-information and cyber security at Ernst & Young, who has worked as a CISO with HSBC and Vodafone, recalls alerting his chief information officers at odd hours—at times even at 4am—to inform them of an attempted hacking attack, which was detected and successfully mitigated in time. “When a CISO is going through a cyber attack, he will lose five years of his life in those 24 hours. When you detect and prevent an attack, all the investments you have done over the years, are deemed repaid in that one day,” says Cooper. CISOs don’t have it easy: It doesn’t make the news when they do their jobs right. There is no shame in being attacked, credit is given to detecting and successfully thwarting one. The consensus is that if a hacker wants to get you, he or she will.

Most attacks in India come in the form of ransomware, says Jagdish Mahapatra, managing director for India and SAARC operations, Intel Security (formerly McAfee India). As the name suggests, ransomware is a form of malware, where an attacker demands money in return for not wiping out a company’s entire data system.

The second most common attack is through auto-run worms. These are viruses targeted at out-of-date software. If companies don’t instal the latest updates or applications on all their systems, they become automatically vulnerable.

One positive sign in this never-ending war is that an increasing number of Indian chief executive officers (CEOs) are correctly viewing cyber security not as a technical problem for the IT department alone, but as one that concerns the board of directors. Cyber security has moved from the server room to the boardroom.

The government, too, is getting into the act. “RBI [Reserve Bank of India] and DoT [Department of Telecommunications] regulations mandate that every bank and telecom company should have a CISO, of a certain level of seniority, who may be asked to give presentations to the board,” says Cooper.

Indian banks have made significant progress in terms of implementing international security standards such as ISO 27001 and Payment Cards Industry-Data Security Standards (PCI-DSS), measures that have strengthened data security controls in India.

Government regulation on compliance (especially in sectors like banking and telecom) is also strong. “All banks in India are now regularly mandated to constitute IT strategy committees at the board level. There is a sharp focus on information security as an integral part of our IT strategy in alignment with the business strategy,” says ICICI Bank CISO, Subhash Subramaniam. The CISO community, he tells Forbes India, is very well networked: Those employed by leading banks, telecom and IT and ITeS companies are on a first-name basis with each other.

That many Indian CISOs across companies and sectors are collaborating with each other to fight this common enemy is another step in the right direction. “Leading CISOs now engage in cyber security war-games where they simulate a real-life attack,” explains EY’s Cooper. “You hire three cloud providers, attack yourself at different times (1am, 2am and 7am when the shift changes) and see how strong your response is.”

The more you sweat in peace, the less you bleed in war, goes the saying. In scenarios similar to army war-games, cyber security experts take part in capture-the-flag contests on platforms such as Nullcon, which holds annual national conferences.

But businesses do not work in isolation and are digitally connected to suppliers and vendors, and therein lies the possibility of a weak link. A determined hacker can use a less-protected partner organisation to breach a well-funded security system. When hackers stole credit card details of 40 million Target customers, they got into the company’s highly protected network through a third party—its air-conditioner vendor. “The real issue for India is that hackers follow the weakest point globally. If they can’t break into a well-protected Australian bank, they find a less secure Indian subsidiary or vendor that serves as their gateway,” says Redman.

Ways and means to shore up these weak links is what vendors like Intel Security and Palo Alto Networks are selling. For Mahapatra, the goal is not to prevent a hundred percent of attacks outright—which is impossible—but to detect and fix the one percent of attacks that get through. “The first question I ask a CEO is: You will get hacked, so who will you call? Your end-point vendor? Your network security guy? You can’t be making a hundred calls,” he says. He believes that companies have a better chance of minimising damage if they can detect and fix a breach within the first hour, similar to the ‘Golden Hour’ in medicine. (The chances of survival for seriously wounded patients fall drastically if they don’t receive treatment within the first hour of injury.) It is a similar situation when a company’s security is being breached.

Currently, most large companies have a whole host of security firms, protecting different parts of their IT infrastructure. There’s one for the data centre, one for the cloud, one for the network, and so on. Mahapatra, through Intel Security, is trying to sell a service that allows each of these different security systems to talk to (and warn) each other. “Hackers work on a random basis. If the door doesn’t open, they will go to the window. We want to get the door and the window to talk to each other,” he says.

Companies can also buy cyber security insurance to mitigate losses, but that doesn’t address the threat. One long-term solution, suggests Uniken Systems CEO and chief innovation officer Sanjay Deshpande, is to make it expensive or unprofitable for hackers to attack your company. “If a hacker needs $300,000 instead of $300 to breach a company, he may move on to another, cheaper target,” says Deshpande. To do this, Uniken, a cyber security provider, is trying to create a private network between companies and users to make it more difficult and expensive for intruders to get inside a company. Only a company and its vendors or partners are connected in a private network. This is one way to keep hackers out.

So what makes the best hackers so tough to thwart? “The more sophisticated hackers are the ones who are also writing their own code and scripts to look for new vulnerabilities that have not been discovered yet,” says author and ‘ethical hacker’ Ankit Fadia. “The number of hackers in India, both white hat (ethical) and black hat (malicious) have been steadily increasing year on year.” Such cyber criminals sell their bounty on the Darknet, a private network on the internet where members can interact and exchange goods and services anonymously. On the Silk Road, (the Darknet’s black market, which has been shut down) one could trade digital currencies like Bitcoins for drugs, guns, hacking equipment and other illegal activities. Rescator is another website where cybercriminals can sell credit card data.

It is important to note, though, that money alone cannot guarantee safety. Neither can following a set of rules. When Sony Entertainment was threatened by North Korean state-sponsored hackers in 2014, it brought to the fore the grey area between a nation’s and a corporate entity’s security. “The attack by North Korea on Sony was an attack on the USA through Sony. But nobody knows what the relationship between private sector and homeland security should look like,” Menny Barzilay, chief security evangelist at Uniken tells Forbes India. “We can’t practise current politics in the virtual world like we do in the physical world because there’s no concept of a state. Everyone and everything is connected.”

In April this year, US President Barack Obama announced strong sanctions against foreign cyber attackers who target US companies or institutions. “Israeli Prime Minister Benjamin Netanyahu created a national cyber bureau which does a great job in trying to figure out the relationship between the private sector and the government,” says Barzilay, who suggests that every country should create a body that fosters cross-sectional discussion.

India still has a long way to go. Some analysts and experts feel that the measures undertaken by Indian companies, let alone the government, are simply not enough. One such critic is Arun Gupta, managing partner and director of consultancy firm Ingenium Advisory. He has 30 years of experience in business technology and has worked with companies across pharmaceuticals, retail and financial services sectors. “In the IT departments of most organisations, security accounts for about 5 percent of the total budget. Internationally, it would be 10 to 12 percent,” he says.

The intensity of a company’s response to these threats varies. While some have embraced this new world, others do not really walk the talk. For a safer world, everyone has to be on guard.