With one of the largest Internet populations in the world, the growing digital interconnectivity has paved the way for greater vulnerability in the threat landscape.
Atlanta, United States; Bengaluru, Karnataka & Mumbai, Maharashtra, India: The Indian Technology ecosystem has seen a significant growth in the last five years. In 2019 alone, more than 9.3B dollars have been invested in the tech ecosystem in the nation. While technological advances have improved the standard of living, the timing for a rise in cybercrime could not have been better given the rapid expansion of digitization of India.
As breakthroughs in the digital technology have bridged global economies, India has not been an exception. On the flipside, with one of the largest Internet population in the world, the growing interconnectivity has paved the way for greater vulnerability in the threat landscape. There has been a steady increase in the volume of cybercrime in India. For instance, in 2019, India suffered more than 15B dollars due to cybercrime, cyber fraud, and identity theft. What is gravely concerning is that while these are publicly affirmed numbers, the reality could be much worse.
In the last 12 months, Cyble has observed a significant uptick in cybercriminal activities, including a number of threat actors actively targeting the nation. The motives of cybercriminals range from state-sponsored attacks on government agencies to organized cybercriminals syphoning off confidential data or sensitive user information from businesses. Here’s why Indian companies are turning into soft targets of cyber criminals.
Volume matters: India has one of the top 10 highest Internet users in the world. From students to government officials, most individuals are using Z-generation apps whether it is for making digital payments, paying mortgage, online banking, purchasing groceries, etc.
Inadequate regulatory framework: The data privacy and regulatory frameworks are significantly weaker and still in their infancy as compared with most other nations where laws are considerably matured and well in their implementation process. Presently, in India, companies are not required to notify a breach by any mandate, thereby often leaving room for autonomy on the security measures around the data they are collecting. The impact of this is even magnified when the data pertains to personal information (PI) for a sizeable group of individuals.
Virtually Nonexistent Security Contact: Companies that have been a victim of cybercrime almost always have one thing in common – they do not have a designated CISO in place. Interestingly, organizations often enlist the help of the existing internal IT professionals for managing enterprise security issues. However, these individuals may not possess the requisite experience for performing a risk assessment and implementing strategic measures to combat the threat. They may also be burdened with bandwidth issues alongside inexperience on the security domain.
Poor Technical Measures: Factors such as the insufficient understanding of the need for an effective information security program coupled with inadequate attention towards a basic security hygiene have fostered malicious cyber activities. Beenu Arora, CEO of Cyble commented - “Most victims have a few common attributes such as a non-existent security awareness culture; Cloud Access Tokens that haven’t been changed for months and in some cases, for years; developers embedding credentials in their code repositories; and compromises due to phishing campaigns and credential stuffing. Such lapses in the defense infrastructure are fueling the issues further.” At an individual user lever, one of the most common security shortcomings is that of reusing the same login credentials and passwords across multiple sites or apps. This is one of the primary reasons for Credential stuffing. Considered one of the most common types of cyberattacks, Credential stuffing is the theft and misuse of login credentials, typically comprising usernames/email addresses and their corresponding passwords to gain unauthorized access to user accounts. Lately, credential stuffing has emerged as more prominent due to a rise in the number of high-profile breaches.
Lack of Accountability: Recent incidents have highlighted that organizations are yet to take cybersecurity issues seriously and give it the due importance as part of their corporate social responsibility. Upon analyzing several high-profile breaches, Cyble noted that the diversity of personal information collected by organizations after a breach is considerably distressing. Corporations need to take stock of the grim reality of the cyber security space and acknowledge that adequate disclosure is the right move towards establishing customer trust and confidence in the long run.
This brings us to the question of where we are headed. Public reports have clearly stated that India is an attractive target for cybercriminals for a host of reasons ranging from motives of financial gain to geopolitical agendas. Here are five essential things Cyble recommends technology-based companies to consider.
1. Appoint a CISO – Without a clear vision and accountability on protecting customers’ information and intellectual property, it would be a nightmare to manage the risks posed by the ever-evolving threat landscape. 2. Implement a Basic Security Hygiene – The Australian Signal Directorate has released strategies to mitigate cybersecurity incidents. In our opinion, The Essential Eight, when implemented and governed correctly, can help thwart the majority of the cyberattacks.
3. Bolster Security Awareness Initiatives – Over 80% of cyberattacks originate via phishing and water-holing attacks. Organizations are increasingly using SSO to connect to their code repositories or third-party apps. Once a privileged account is compromised, the attacks can gain access to a large part of the company’s infrastructure, including customer records. Irrespective of how secure an enterprise’s IT security structure is, the company is only as protected as its user base. To improve awareness about phishing, organizations should conduct routine tests on the employees with fake phishing emails to educate them and help them learn how to recognize a real phishing attack.
4. Implement multi-factor authentication where possible – Ensure access token and secret keys are changed and accounted regularly. This builds an additional layer of security for protecting highly sensitive user PI.
5. Implement a Robust Security Monitoring capabilities – As the landscape of an organization evolves, it is prudent to maintain a situational awareness of the threats, risks, and vulnerabilities.