Cyber Security: A Continuous Battle

By Somak Shome, Group CISO and VP, Srei Infrastructure Finance

There are a few common elements in the threats and the defences employed by FIs and merchants; however, the threats are escalating more quickly than banks or businesses can deploy defences against them. With new malware being deployed constantly, it's very difficult for the good guys to keep pace. The username/password combination as an authenticator is officially broken and nobody is 100 percent secure. The threat environment is simply moving too fast. Rather than bulletproof security, organizations need to focus on ways to make the cost of breaching their security more troublesome than the data that could be obtained is worth, using a layered, risk-based approach to maintain the balance between security and customer experience.

Challenges

One of the challenges in defending against the onslaught of attacks is the many different players and attack vectors. International organized crime rings seek financial gain; nation-states, individuals, and crime rings are engaged in espionage against governments and businesses; and hacktivists hope to make headlines. There are no clear dividing lines between players' causes, either; many times, the place where hacktivists leave off and fraudsters begin is none too clear.

The perpetrators are varied: organized crime rings are responsible for more than half of the attacks; state-affiliated entities are responsible for some attacks. Lone hackers, who are in it for either individual financial gain or the thrill of the chase, still initiate a small percentage of cyber threats. This classification represents a fairly small portion of actual breach activity; however, only a small percent of former and current employees are an insidious threat.

The Asia-India perspective

Here in Asia, including India, these global risks are being amplified by two factors: the fast pace of the mergers and acquisitions (M&A) process and the fluidity of the job market for senior IT personnel. Security is a critical component of M&A due diligence today. Determining whether the new partner brings an acceptable level of cyber risk should be as crucial as evaluating the deal’s financial and legal implications. An undetected APT intrusion in a target company could, for example, allow confidential documents to be monitored during negotiations and open a backdoor to your network post-acquisition if vulnerabilities are not addressed. Publicity around an M&A could also attract malicious activity as cyber criminals probe for weaknesses to exploit. Getting appropriate security in place before integration begins is thus vital to protecting both entities and the value of the deal.

Cyber trends to expect in 2016

The U.S. election cycle is expected to attract significant attacks. Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud. The cyber insurance market will dramatically disrupt businesses in the next 12 months. Insurance companies will refuse to pay out for the increasing breaches that are caused by ineffective security practices, while premiums and payouts will become more aligned with the actual cost of a breach. Data Theft Prevention adoption will dramatically increase in more mainstream companies, and the Internet of Things will help (and hurt) us all. Attacks on the Internet of Things will focus on business use cases, not consumer products.

Ransomware has managed to hit a sweet spot. Users are all too willing to begrudgingly pay an expensive but not excessive ransom in exchange for the return of their precious data. Expect ransomware to become increasingly corporate-focused in 2016, so enterprises won’t get away with paying consumer rates. The criminals behind the ransomware campaigns are savvy, and once they realize that they’ve locked up source code and financial documents that haven’t been properly backed up, you can expect prices to skyrocket … and be paid.

As companies increase access to cloud and social media tools, Command and Control instructions will increasingly be hosted on legitimate sites. The mindset is shifting from “How do we stop breaches from occurring?” to “How do we respond and recover when breaches do occur?” Behavioural and machine learning analytics will become a key focus for preventing or mitigating advanced persistent threats (APT) and insider threats. Boards and executive management teams will continue to develop enterprise-wide cyber security governance and awareness programs that include a focus on insider threats and privileged accounts, whether it’s an employee, third-party supplier or business partner. Solution providers will need to fully integrate risk and compliance requirements into business processes so their customers can better mitigate and transfer risk.

In 2016, the ‘cyber ecosystem’ will finally begin to become a widely accepted part of everyone's thinking. For years, we've seen companies try to gain efficiencies by outsourcing key tasks to third parties, but few outside of financial services have recognized the additional risks that companies that outsource take on. The requirement to measure and understand the risk to your data that you assume when introducing third parties (and their third parties in some cases) will be a point of increasing emphasis with standards bodies and regulators.
