Digital crime is on the rise. Today everyone, including individuals and smaller organizations, needs to face up to cybercrime risks. Most Indian organizations are ill-equipped to handle this situation, despite having security policies and a variety of technical and non-technical controls in place.
Cybercrime risks and threats
Today’s new currency is information, and information security compromises can translate into reputational as well as financial losses. Moreover, they could lead to customers losing confidence in an organization’s ability to protect their information, in turn causing a rapid decline in the business’s ability to compete.
Indian organizations are now susceptible to a variety of threats ranging from spear phishing to advanced persistent threats. There are no silver bullets to stop these threats, but a series of integrated measures can help counter them and thwart cybercrime. While many organizations have strong controls against external attackers, the same need not be true for advanced persistent threats, insider fraud and social engineering, all of which remain rampant in India.
Here are some common misconceptions about cybercrime risks from an Indian perspective:
- It will not happen to me: This belief is prevalent for any adverse event, leading to a stalemate, which in turn leads to a lack of preparation.
- I am a small company, so I am invisible: This is no longer true. If you are in the market, you are visible.
- Uneducated people (for example, the cleaning staff) are harmless: India is unique in that any staff member could be at any point on the education curve. Hence even the lowest-level blue-collar employee is a potential attack agent.
Countering cybercrime risks
Here are some key measures to help counter cybercrime risks:
- Classify data at various levels of importance, to enable the security team as well as everyone else to focus on the key information that has to be protected.
- Deploy controls such as a content management system and an enterprise document flow system across the organization, encompassing all trainees, secretaries, one-room branch offices, and so on.
- A policy-based infrastructure is important. The deployment of security controls and policies helps guide the change to a culture of security.
- Studies show that almost three-fourths of information theft takes place via hard copy. This is where procedural and technical controls come in handy. For instance, for network printers, biometric authorization could be implemented, whereby an employee has to be physically present at the printer before the print job is initiated.
- When travelling, all sensitive data should be scrubbed from all portable devices. This is because encryption is no longer a viable defence, as many governments require decryption of data at Customs.
- Implement strong controls on portable devices and storage media and instruct executives never to leave them unattended in hotel rooms while travelling, to counter cybercrime risks.
- Conduct enterprise-wide risk assessments to optimize the security spend and effort.
- Set up secure connectivity such that executives not on the network can access company resources without compromising sensitive information.
- Note that anti-malware applications do not protect from all attacks. Frameworks such as Graviton and the Zeus toolkit allow attackers to make small variations to malware, effectively defeating signature-based detection. An attacker need not have any technical expertise, as an expert could simply be commissioned to develop specific malware.
- Institute intense awareness campaigns relating to social networks. Policies must tackle sensitive issues such as the ownership of social media audiences, blogging about work, and so on.
- Review developed software for security at each stage.
- It is crucial that IT departments go beyond firewalls and intrusion prevention systems, and instead examine traffic flows to track malware, to mitigate cybercrime risks.
- Deploy measures such as network access control at all ingress points of company networks.
- When moving to the cloud, craft all service level agreements carefully. Clarify areas such as the ownership of data, geographical location of the servers, digital forensics opportunities and audit rights.
- Strengthen media disposal processes across the board. Conduct forensic erasure of data by overwriting the drive with zeros or, in extreme cases, physically destroying the drives, to minimize cybercrime risks.
- Be aware that two-factor authentication can be compromised by infected endpoints.
- Update all device firmware frequently.
- IPv4 needs to be phased out and replaced with IPv6, which offers IPsec for securing communications across the Internet. To this end, a suitable public key infrastructure needs to be established.
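The anti-malware point above, that a small variation to a known sample defeats signature-based detection, is illustrated by this added example (it is not code from the article or from any product it names). All three byte strings are constructed, benign stand-ins; the hash check and the byte n-gram similarity check are assumed, simplified stand-ins for a signature engine and a similarity-based one.

```python
import hashlib
from typing import Iterable

# Constructed, benign stand-ins for a known sample, a variant rebuilt with a
# small change (one byte altered, a short pad appended) and an unrelated file.
KNOWN_SAMPLE = b"header=v1;fetch(host=updates.example.invalid:8080);autostart(run_key);interval=60"
VARIANT = b"header=v1;fetch(host=updates.example.invalid:8081);autostart(run_key);interval=60;pad=ab12"
UNRELATED = b"Hello world, this is an unrelated document about quarterly sales figures."


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_match(sample: bytes, signature_db: Iterable[str]) -> bool:
    """Classic signature check: the sample is flagged only if its exact hash is on file."""
    return sha256_hex(sample) in set(signature_db)


def byte_ngrams(data: bytes, n: int = 4) -> set[bytes]:
    """Overlapping n-byte windows; a one-byte change disturbs at most n of them."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set[bytes], b: set[bytes]) -> float:
    """Share of byte windows common to both sets (0.0 = nothing shared, 1.0 = identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similarity_match(sample: bytes, known: bytes, threshold: float = 0.6) -> bool:
    """Similarity-based check: flags a sample that shares most of its byte windows
    with a known sample, so a minor variant no longer slips past."""
    return jaccard(byte_ngrams(sample), byte_ngrams(known)) >= threshold


def run_demo() -> dict[str, bool]:
    db = [sha256_hex(KNOWN_SAMPLE)]  # the only signature the engine knows
    return {
        "hash_catches_known": hash_signature_match(KNOWN_SAMPLE, db),
        "hash_catches_variant": hash_signature_match(VARIANT, db),  # False: one byte changed
        "similarity_catches_variant": similarity_match(VARIANT, KNOWN_SAMPLE),
        "similarity_flags_unrelated": similarity_match(UNRELATED, KNOWN_SAMPLE),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The exact-hash check misses the variant while the similarity check still catches it without flagging the unrelated file, which is the gap the article's advice to look beyond signature-based tools is about.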
About the author: Dinesh Pillai is the CEO of Mahindra Special Services Group (Mahindra SSG). Mahindra SSG, part of the Mahindra Group, is a leading corporate risk management consulting firm. As the CEO, Pillai defines the road map for all business risk security assessments and innovation.