The National Cyber Safety and Security Standards has announced that it will release a comprehensive set of guidelines for companies, private and public, to secure their online data.
By Mritunjay Kapur
Though these will just be a set of guidelines—not to be confused with rules—the move is expected to go a long way towards spreading awareness of the importance of cyber security and the prevention of cyber crime.
The problem is not unique to India. While the country may have witnessed some grave incidents of cyber breach—in March 2010, breaches into the PMO were reported—other countries are equally victimised. Recently, a British government-commissioned survey revealed that the financial damage to the country’s companies from cyber security breaches doubled in just one year.
Another report revealed that the total average organisational cost of a security breach increased to R60.4 million in 2012—this is alarming, to say the least.
The good news is that companies and governments globally have started regarding cyber crime as one of their priority challenges—according to KPMG’s 2014 Global Audit Committee Survey, 40% of audit committees have primary oversight responsibility for cyber security risks. The not-so-good news, however, is that they still seem to lack concrete measures to curb this menace—and they cannot be blamed. Technology is evolving and, unfortunately, for now, criminals are a step ahead.
With business being primarily transacted through online data exchange, the quantum of financial and reputational exposure on cyber security is multiplying rapidly.
That’s why cyber security can no longer be regarded as just a technical issue; it demands an integrated approach by companies who wish to protect, detect and respond to cyber incidents that can potentially impact their financial systems and assets (through fraud, theft and extortion), IP and trade secrets (through espionage), brand and online presence (through public censure, defamation, liability and embarrassment) and business continuity (through sabotage or disruption of operations).
While organised online crime is on the rise, the profile, motive and location of cyber criminals are extremely diverse, and online corporate espionage by firms is becoming commonplace. The gravity of this type of attack can be deduced from the assertion of Sir Iain Lobban, director, UK Government Communications Headquarters, that business secrets are being stolen on an “industrial scale”, with 70 sophisticated cyber espionage operations a month against government and industry networks.
Activism in cyberspace is another area of concern. Sabotage and denial of service attacks are becoming frequent. In the past they would have been attributed to ‘hacktivist’ groups such as Anonymous, but now they seem to have multiple motivations, including political ones.
With technology and the internet becoming seamless, technology specialists and hackers are now better networked. A clear formalisation of such networking among hackers is the rise of platforms such as darknets, which serve as information-sharing forums on various technology aspects: how payment gateways and ERPs work; how operating systems, software, ERPs and social networking and communication platforms can be exploited to override the latest security patches; the latest attack vectors and methodologies for a host of devices; and the latest trojans, worms and malware used for activities such as data stealing, site takedowns, data wipes and distributed denial-of-service (DDoS) attacks.
Darknets also hold a stash of valuable reconnaissance information about the technology infrastructure of governments and large public companies that hackers can leverage to launch stronger and harder-to-detect attacks. Further, darknets carry message postings and classifieds offering services such as ‘hackers for hire’, which help hackers supplement their missing capabilities.
It is very difficult for law enforcement agencies to detect darknets; they are not viewable on the searchable internet through standard search engines, as they exist in a hidden manner. Darknets can only be accessed using special software with high levels of encryption, by people who know of their existence. Darknets protect themselves by shifting their content frequently: directories and URLs that are available one day may not be available the next. Due to the existence of such clandestine networks that promote malicious and criminal information sharing, the chances of cyber threats materialising are high and real.
To deal with such a mammoth and multi-faceted challenge, it would be prudent for organisations to include cyber safety in their risk management and governance frameworks, with risk registers reflecting the potential threat of cyber-attacks on key corporate assets or business processes. This should be the responsibility of the board of a company or a board risk committee—about 38% of respondents in the 2014 KPMG Global Audit Committee Survey agree with this. It is also important to remember that effective cyber security depends as much on technology as on the end-user’s knowledge and awareness.
So, investing in software or technical tools alone is not enough; organisations must also invest in the continuous training of manpower, ‘making them cyber aware’. Every organisation should employ superior threat detection techniques and technical security measures—such as anti-virus software or firewalls—to protect company networks, and should establish a cyber-incident management policy and a broad user education and awareness campaign. Moreover, one cannot underestimate the role of a process to monitor the effectiveness of cyber security controls. Collectively, these steps cannot stop every single attack, but they would go a long way towards blocking many.
The author is partner and head of Risk Consulting, KPMG in India. Views are personal.