Data breaches today blow a million-dollar hole in India Inc's pocket. Financial sector firms lose the most, followed by the services and industrial sectors. Companies are now more aware than ever of the issues data breaches can cause. India saw the second highest number of data breaches in 2018.
Take a few burning examples in recent times. A leading e-commerce portal in India admitted that owing to a technical glitch, tax reports of some of its sellers were exposed to others. The company said this affected about 400,000 sellers on its platform. Sellers who were affected said they were able to download tax reports of other vendors.
One of the largest banks in India secured an unprotected server that allowed unrestricted access to financial information of millions of its customers. In this case, the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers' information.
Stating just a couple of data breach examples would be significantly underplaying the level of threat that enterprise and personal data are exposed to at present. Take the recent case of Gnosticplayers, who has put up more than 863 million user records for sale on the Dark Web since February 2019 over multiple rounds.
More than 40 companies across the globe have been affected by this single hacker, spanning sectors as diverse as game development, book retail, and e-commerce. Several of the affected companies have not been named, as they caved in to the hacker's extortion demands.
Such examples go to show how challenging ensuring data security in an increasingly digital-first world actually is. This is a reflection of how innovative threat actors have become over the years. They exploit weaknesses in platform code and often chain multiple vulnerabilities to create attack vectors that internal teams would never have thought to check for during security testing.
"To me, this underlines an urgent need for organisations to start approaching their processes, products/services, and technological integrations with a security-first outlook," says Sanjay Katkar, Joint Managing Director and Chief Technology Officer, Quick Heal Technologies. Doing so will allow companies to build robust business infrastructures which are more capable of withstanding new-age threats and cyber-attacks, and to ensure that the critical data they handle does not fall into the hands of cybercriminals.
Let's look at some more examples. One of the recent incidents that shook the banking industry globally was the British Bank Scam. Scammers stole 1.2 billion Pounds from British bank customers over the last year, but the data was released only recently by UK Finance. The fraud against customers rocketed to 1.2 billion Pounds, with a 25% spike in comparison to the previous year.
"The two key tools used to steal money were: unauthorized use of payment cards and authorized push payment (APP). APP breaches occur when fraudsters hack into email accounts to trick consumers into sending money to criminal accounts," says Ramesh Mamgain, Area Vice President of Sales - India & SAARC at Commvault.
However, it's great that the bank even reported this. Earlier, banks globally wouldn't report such incidents, for fear of losing market cap. Indian banks too need to report such incidents publicly, so that there is enough awareness and a robust mechanism is established to fight data breaches. Domestic banking corporations here can learn from incidents like these in foreign banks, as technology continues to break physical barriers and cybercrime has no borders.
And the list does not end there. Data breach examples abound over the last year:
The world's largest container shipping company, Maersk, was hit by ransomware. Maersk's ships are completely digitally run: the directions, volume and weights on the ship are managed by technology. As the ransomware hit their systems, operations across the world stopped working. Billions worth of goods were stuck in the oceans as the ships stopped working. With timely intervention and help from a major data security solution provider, Maersk was able to recover its entire backed-up data in seven days.
In January 2019, cybercriminals hit the cloud storage service provider MEGA. More than 772 million email addresses and 22 million unique passwords were compromised in this breach.
In November 2018, the guest reservation database of Marriott's Starwood division was hit with a large-scale data breach that is estimated to have compromised the records of around 500 million customers. The compromised data included critical information such as guest payment information, mailing addresses, passport numbers etc. Experts estimate that the attacker(s) had unrestricted access to multiple IT systems across the organisation for a significant duration of time.
One of the most popular AMA platforms in the world, Quora was hit with a security breach in November 2018 that ended up compromising the personal information of around 100 million users. Cybercriminals got away with extremely sensitive user information such as user names/IDs, email/IP addresses, encrypted passwords, user account settings, personalization data, public actions, etc.
2018 was not a good year for Facebook in terms of data security. The social network was hit with several massive data breaches throughout the course of the year, with the worst incident leading to more than 50 million users being compromised. It is estimated that several hundred million Facebook users across the globe have been affected by these security breaches.
Cybercriminals stole the details of more than 380,000 booking transactions in a web skimming attack on British Airways between August 21 and September 5, 2018. The breach, which is one of the biggest cybersecurity incidents faced by the global aviation industry, saw extremely sensitive personal information such as credit/debit card numbers, expiration dates, and CVV codes being compromised.
High-profile incidents and hacks of notable entities have brought digital security to the forefront of people's minds. Vinod Jaisingh, Head of Global Analytics, RBS India, highlights some of the major digital security gaps faced by the BFSI sector:
Automation - Offenders can use automation to scale up their activities - many millions of unsolicited bulk spam messages can be sent out by automation. Hacking attacks are often also now automated with as many as 80 million hacking attacks every day due to the use of software tools that can attack thousands of computer systems within hours.
Anonymous communications - Determining the origin of communication is very often a key component of cybercrime investigation. However, the distributed nature of the network, as well as the availability of certain Internet services, which create uncertainty of origin, make it difficult to identify offenders.
A recent report by a think tank found that 97% of sites are hit with some sort of bad bots. Bots can be programmed to perform a wide range of activities, but here are the most common for e-commerce sites:
- Price Scraping: If the website has unique pricing and product information, the chances are extremely high that the site will be hit by scraping bots. These bots collect pricing and product data and send it back to the bot-maker, who could be a competitor so that they can lower their prices and take sales.
- Login Fraud: Bots can attempt to log in using real users' credentials, guessing the password by rapidly working through a dictionary of word and number combinations, or by testing known credentials that have been leaked elsewhere.
- Holding Items: Because bots can act more quickly than human browsers, they are able to refresh pages many times over to check for sales or limited-release products. Bots can add items to a cart, limiting inventory for actual users who visit the site looking for a specific product.
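The login-fraud pattern above leaves a recognisable trace in authentication logs: one source address cycling through many different usernames (leaked credentials being replayed), or one account receiving a burst of failures (dictionary guessing), sometimes followed by a success. The following detector is an added example, not code from the article or from any vendor quoted in it; the log format, the sample lines and the thresholds are all assumptions constructed for the demonstration.

```python
"""Detect login-fraud patterns (leaked-credential replay and password guessing)
in an authentication log.  Added example; log format, sample data and
thresholds are assumptions, not from the article."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one login attempt per line, in time order:
#   "<ISO timestamp> ip=<address> user=<name> result=<OK|FAIL>"
SAMPLE_LOG = """\
2019-03-01T10:00:00Z ip=198.51.100.7 user=alice result=FAIL
2019-03-01T10:00:02Z ip=198.51.100.7 user=bob result=FAIL
2019-03-01T10:00:04Z ip=198.51.100.7 user=carol result=FAIL
2019-03-01T10:00:06Z ip=198.51.100.7 user=dave result=FAIL
2019-03-01T10:00:08Z ip=198.51.100.7 user=erin result=FAIL
2019-03-01T10:00:10Z ip=198.51.100.7 user=frank result=OK
2019-03-01T10:05:00Z ip=203.0.113.9 user=bob result=FAIL
2019-03-01T10:05:03Z ip=203.0.113.9 user=bob result=FAIL
2019-03-01T10:05:06Z ip=203.0.113.9 user=bob result=FAIL
2019-03-01T10:05:09Z ip=203.0.113.9 user=bob result=FAIL
2019-03-01T10:05:12Z ip=203.0.113.9 user=bob result=OK
2019-03-01T10:20:00Z ip=192.0.2.3 user=carol result=FAIL
2019-03-01T10:20:30Z ip=192.0.2.3 user=carol result=OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"]


def detect(log_text, window=timedelta(seconds=60), max_fail_per_ip=5,
           max_users_per_ip=4, max_fail_per_user=4):
    """Sliding-window detector over a time-ordered log.

    Returns a dict of alert kind -> set of offending keys:
      credential_stuffing : one IP tried >= max_users_per_ip distinct accounts
      high_failure_rate   : one IP produced >= max_fail_per_ip failures
      password_guessing   : one account received >= max_fail_per_user failures
      possible_takeover   : a successful login from a flagged IP or on a
                            flagged account (worth an immediate review)
    """
    ip_events = defaultdict(deque)   # ip   -> deque of (ts, user, result)
    user_fails = defaultdict(deque)  # user -> deque of failure timestamps
    alerts = {"credential_stuffing": set(), "high_failure_rate": set(),
              "password_guessing": set(), "possible_takeover": set()}

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        cutoff = ts - window

        # Per-IP view: drop events that fell out of the window, then measure.
        q = ip_events[ip]
        q.append((ts, user, result))
        while q[0][0] < cutoff:
            q.popleft()
        distinct_users = {u for _, u, _ in q}
        ip_failures = sum(1 for _, _, r in q if r == "FAIL")
        if len(distinct_users) >= max_users_per_ip:
            alerts["credential_stuffing"].add(ip)
        if ip_failures >= max_fail_per_ip:
            alerts["high_failure_rate"].add(ip)

        if result == "FAIL":
            # Per-account view: repeated failures on one account.
            uq = user_fails[user]
            uq.append(ts)
            while uq[0] < cutoff:
                uq.popleft()
            if len(uq) >= max_fail_per_user:
                alerts["password_guessing"].add(user)
        elif ip in alerts["credential_stuffing"] or user in alerts["password_guessing"]:
            # A success right after a flagged burst is the case to act on first.
            alerts["possible_takeover"].add(user)
    return alerts


if __name__ == "__main__":
    for kind, keys in detect(SAMPLE_LOG).items():
        print(f"{kind}: {sorted(keys)}")
```

In the sample, 198.51.100.7 is flagged for cycling through many accounts, bob's account is flagged for repeated failures, and the two successful logins that follow those bursts (frank and bob) are surfaced for review, while carol's single mistyped password raises nothing. Real deployments would feed this from the identity provider's audit log and tune the window and thresholds to observed traffic.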
When it comes to data and IT security, larger banks and financial institutions in India have realised the magnitude of the security challenges they face and are now taking adequate measures to bolster their cybersecurity. However, an important thing to highlight from an IT/data security standpoint is the gap in security spending between Indian BFSI companies and their global peers. Globally, banks spend around 8-10% of their overall IT budget on cybersecurity. Banks in India, in comparison, spend barely 4-6% on security. This gap needs to be addressed, and urgently.
The main challenge in the Indian BFSI sector, however, lies in the cooperative banking sector. These localised banks have only just commenced their digital transformation journeys, and IT security is a relatively new aspect for them. This results in a lack of awareness about the critical need for IT and data security in BFSI operations, which permeates the entire organisation. As such, they don't make the necessary investments in shoring up their IT defences.
Fintech companies need to enforce security within their development lifecycles at the design and architecture stage by identifying various threat models and ensuring adequate mechanisms to mitigate them. There is also a need to have a well-defined security response strategy in place, in case of a breach. An effective breach detection, response, and remediation plan can help contain any attack at a very initial stage and makes it possible for security experts to limit the surface area of the impact while they eliminate the threat.
A lot of data breaches also become possible because of poor awareness about cybersecurity, both within the BFSI workforce and third-party agencies which banks partner with for various operational requirements such as document/address verification. There is a need to sensitise both internal employees and external vendors about how vulnerable critical data is to cyber attacks, and what security measures need to be taken while handling or processing such data.
Banks need to take adequate measures to ensure that their security postures remain robust and evolve in step with a dynamic threat landscape. Cooperative banks also need to appoint qualified Chief Information Security Officers (CISOs) to manage the security of their IT resources and data.
There also needs to be a renewed focus on data classification. It is important to define data hierarchies and access policies to ensure that only authorised stakeholders handle critical enterprise and user data. "Banks also need to identify what data is critical and important to their operations, and what data has become redundant. Disposing of redundant data through data wiping tools also forms an important component of a robust cybersecurity strategy," says Katkar.
Innovative security solutions such as data encryption and Data Loss Prevention (DLP) can also help banks protect their critical data - whether at rest, in use, or in transit - from malicious threat actors. Moreover, independent third-party security audits, such as the RED Team Assessment, can help BFSI companies identify existing security vulnerabilities and loopholes in their IT infrastructure, business processes, user sensitisation, and data handling capabilities. This can help them deploy the most relevant security solution to meet their specific requirements.
The Indian banking sector has evolved at a rapid rate in the past few years. "Firms providing these services are allotting bigger budgets towards developing a robust IT infrastructure and leveraging it across all operations to secure customer data," says Mamgain, elaborating on some common measures, which include:
Complying with local data policies: International firms with data centres in India have been given time to comply with RBI guidelines of storing data in the country. This also means all of these companies will now have to invest in technologies to meet domestic guidelines.
Using end-to-end data protection: This involves covering the full range and complete paths of computer systems, hard drives, data transmissions and functions, and verifying data correctness. A lot of ransomware enters systems via cellphones and laptops, so it is important to protect the electronic devices used by employees.
Training employees and customers: Setting awareness programs to align with the security parameters of the firm.
Hiring ethical hackers: To survey their systems and find loopholes in them before malicious hackers do. This measure helps pre-empt possible problems with the system and aids the process of securing customer data, ensuring that loopholes in firewalls are detected in advance.
Jaisingh further adds on some of the key steps that Indian companies are taking to protect and safeguard customer data:
- Charting of Data Lineage: This entails creating an end to end data life cycle including the origin of the data and the flow of this data across the organisation. By accurately identifying their data flow and its vulnerable points, companies are taking informed decisions on how to protect their data.
- Robust policy for handling all types of data: Organisations are accurately differentiating their sensitive and non-sensitive data to outline a strict process for handling important information. In the case of restricted data, employees are given access on need basis only.
- Encrypt data for protection: As the sensitive data in motion is accessed by all types of people and applications, it must be encrypted.
- Educating employees at all levels: The human factor is often the biggest vulnerability in the chain of data protection. Companies are now ensuring that employees are kept informed of compliance regulations and internal cybersecurity policies, providing them with both training and clear guidelines for those coming into contact with the most sensitive types of data.
- Focus on password security: In most cases, employees use weak passwords to protect data in their systems that end up making them vulnerable to malicious attacks. Password security practices have been improved by providing enhanced security training to employees.
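The password-security point above, together with the earlier note that bots replay credentials leaked elsewhere, has a concrete engineering side: reject weak or previously leaked passwords at the moment they are chosen, and store what is accepted in a form that a database leak does not immediately expose. The following checker and storage routine are an added example, not code from the article or from any company quoted in it; the common-password list and the "leaked" digest set are constructed placeholders standing in for the real breach corpora an organisation would use.

```python
"""Password policy check plus salted, iterated storage.  Added example; the
word lists and thresholds are constructed placeholders, not from the article."""
import hashlib
import hmac
import os

# Constructed stand-in for a real list of the most common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "admin123"}

# Constructed stand-in for a breach corpus: SHA-1 digests of passwords already
# seen in earlier leaks.  Storing digests rather than plaintext keeps the
# corpus itself from being a second leak.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("Summer2018!", "P@ssw0rd")}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise as hardware improves


def check_policy(password, username, min_length=12, passphrase_length=20):
    """Return a list of policy problems; an empty list means the password is acceptable.

    Long passphrases (>= passphrase_length) are exempt from the character-variety
    rule, so a memorable multi-word password is not penalised for lacking symbols.
    """
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if username and username.lower() in password.lower():
        problems.append("contains_username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    if hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1:
        problems.append("known_leaked")
    if len(password) < passphrase_length:
        classes = (any(c.islower() for c in password)
                   + any(c.isupper() for c in password)
                   + any(c.isdigit() for c in password)
                   + any(not c.isalnum() for c in password))
        if classes < 3:
            problems.append("low_variety")
    return problems


def hash_password(password):
    """Store a password as pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.

    A fresh random salt per user means identical passwords produce different
    records, and the iteration count makes offline guessing expensive.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for user, pw in [("bob", "P@ssw0rd"), ("alice", "Alice2019!secure"),
                     ("dave", "correct-horse-battery-staple")]:
        print(user, check_policy(pw, user) or "ok")
```

The check runs before the hash is ever computed for storage, so a rejected password never reaches the database; the stored record carries its own salt and iteration count, which lets the work factor be raised later without invalidating existing accounts.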
"Because, if blockchain is the brain, 5G will act as the nervous system and data like blood. With the adoption of 5G, there is bound to be an overflow of data. The key to harnessing this data is by using technologies like blockchain to manage data efficiently," says Mamgain.
Also, access to blockchain requires both a public and a private key. Keys are cryptic strings of characters of sufficient length to make the odds of guessing them truly difficult. Since it is essentially impossible to access data within a blockchain without the right keys, this represents the strength of blockchain technology.
Without the right keys, no hacker will be able to access any data ever. On the other hand, all a hacker needs are the right keys to access data.
However, this is true even with personal computers and cellphones. That doesn't mean we stop using them. Instead, the need is to focus on building a strong anti-virus technology and also simplified awareness campaigns on safe use of blockchain as organizations across the world move towards adopting newer technologies.
In this context, it would be pertinent to look at India's draft Data Protection bill which is modelled on the General Data Protection Regulation introduced by the European Union. "As such, several provisions in the bill mirror those made in the EU-GDPR, with some cosmetic changes. For instance, data subjects and data principals, as defined by the EU-GDPR, are referred to as data controllers and data fiduciaries, respectively, in the bill," says Katkar.
The absolute right of an individual over his/her personal data is one of the strongest provisions recommended in the draft bill, which also mandates organisational practices such as DPIAs. Furthermore, strict penalties have been recommended for non-compliance. The draft bill also recommends the creation of a Data Protection Authority (DPA) which has the power to interpret regulations, investigate enterprises, and issue fines, injunctions, and criminal penalties on non-compliant entities. Unlike the EU-GDPR, however, the DPA will be empowered to engage in the policymaking process to keep the regulations up-to-date with the latest developments.
Another key difference between the Data Protection bill and the EU-GDPR is the provision of data localisation. The provision requires businesses to store copies of personal data of Indian citizens within Indian borders and makes any transfer of such data across international boundaries extremely difficult.
In today's digital age, when data is the new 'oil', its security is no longer just an IT problem. It has, quite literally, become a business challenge. Apart from the obvious disruption in productivity and operations, it can lead to an erosion of a company's market capitalisation, reputation, and brand value. This, in turn, could lead to a loss of business opportunities and have a major impact on the company's customer loyalty and acquisition. The introduction of new data protection policies such as the EU-GDPR and the draft Data Protection bill in India also means that businesses across sectors will have to pay a heavy penalty for any non-compliance with the regulations.
"This is what makes it critical for organisations across sectors to invest heavily in security systems, practices, governance, awareness, and compliance. Businesses need to adopt a security-first approach to their data, IT resources, processes, products, services, and people," says Katkar.
(The author is a Delhi based writer & blogger on BFSI Industry.)