Cyber-crime: A Global Perspective
Cybersecurity constitutes one of the top five risks of most firms, especially in Big Tech and Banking & Financial Services. A weekend reading led to some interesting data points from various sources such as AV-Test and Coveware, among others, and that further led to me pondering over the mitigating actions that we can take as individuals and as organisations for some, if not all, of these cybercrime risks. I extend my thanks to the respective experts who shared their knowledge, enabling me to piece together some parts of the larger jigsaw puzzle.
Global cybercrime damage costs this year are expected to breach US $6 trillion an annum. That is almost one-fourth of the US GDP or twice the GDP of India. This is expected to scale up to US $10.5 trillion an annum by 2025. Cyber attackers are disrupting critical supply chains, at least 4 times more than in 2019.
Yet, approximately 4 of every 5 organisations don’t consider themselves having proper responses to cyber-attacks which creates a need for a cybersecurity risk management team for them. Let’s have a look at the individual components
Total Malware expected to exceed 1.2 billion samples in 2021 and is averaging approx. 18 million new malware samples every month (Source AV-Test). Approximately 94 % of this malware is polymorphic, i.e., can constantly change its identifiable features to evade detection.
Average ransom payment peaked in Q3 2020 at ~US $234k but decreased to ~US $154k in Q4 2020. The threat to leak exfiltrated data was up 43% during this period. (Source: Coveware). Sodinokibi, Egregor, Ryuk, Netwalker and Maze are the top-ranked ransomware by market share.
In 2020, the average cost of a data breach was ~US $3.9 million. Data privacy and cybersecurity risk are major concerns that are seeing more regulation created, for example, GDPR (EU), PDP(India) etc. Unfortunately, data breaches take time to be detected.
More than 80% of reported security incidents were in the form of phishing attempts.
India is no exception to the global trends in cyber-crime and expects cyber frauds to continue to rise in 2021. India ranks 11th worldwide in the number of attacks caused by servers that were hosted in the country, with 2.3 million incidents reported in Q1 2020. Cyberattacks reported in 2020 were up nearly three times from 2019 and more than 20 times compared to 2016.
While digital transformation, move to cashless transactions and zero contact communication supported with proliferation in internet and mobile phone usage, cyber risks in India have risen exponentially during the pandemic. According to the annual IBM X-Force Threat Intelligence Index, India reported the second-highest number of cyber-attacks after Japan in the Asia-Pacific region in 2020, accounting for 7 percent of all cyber-attacks observed in Asia in 2020.
The cybersecurity market in India is expected to grow to over $3 billion by 2022, at about 150% of the global rate. A 2019 report by IBM revealed that cyberattacks cost India ₹12.8 crores on an average between July 2018 and April 2019, while the average cost of a data breach globally was ₹27 crore. Besides these financial losses, cyberattacks can and have caused huge dents in organizational brand value.
45% of adult Indian internet users faced identity threat in 2020, up almost 40% since 2019, at 2.7 crore – over 2 percent of India’s entire population.
A German cybersecurity firm, Greenbone Sustainable Resilience, reported that medical records of over 120 million Indian patients (mostly from Maharashtra and Karnataka) were leaked on the Internet. The leaked records included pictures of the patients, X-rays, CT scans and MRIs.
Stuart Solomon, COO of Massachusetts based Recorded Future, had made an interesting claim based on malware tracing. He alleged that a Chinese group called Red Echo, “has been seen to systematically utilize advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.” The firm claimed that the electricity outage in Mumbai on 13th October 2020, was orchestrated by Red Echo. Whether Red Echo was acting as a state actor or not, the threat is nonetheless real.
The latest one in the country is a fake SMS message, that claims to offer an app to register for Covid-19 vaccination in India. Once the link is clicked, this installs malicious code that gains permissions to the user’s data, such as contact lists, and spreads via SMS to the user’s contacts.
Having perused these data points, it does not take much to decipher that these incidents are only expected to increase. Let’s look at some of the steps that can be taken to mitigate or reduce the impact;
We look at the mitigants from an individual and an organisational perspective
For home usage, some cyber etiquettes generally are good enough to firstly avoid being attacked, and if one does become a victim of cyber-crime, can minimize impact;
- Genuine hardware and genuine updated software;
- Full-service internet security suites are preferred;
- Usage of Virtual Private Networks is preferred, though this may slow things down slightly;
- Avoiding spurious websites;
- Usage of strong passwords, with alphanumeric characters (mix of the alphabet and numerals), symbols, not less than 8 words but preferably 10 or more words, not repeating passwords across sites;
- Avoid clicking on pictures on WhatsApp or other sites, that are forwards;
- Minimizing sharing personal information on social media, to prevent social engineering;
- Avoid losing data by backing it up periodically;
- To be extra cautious while outside work premises;
- And if one is unfortunate to have been a victim, report to local authorities.
Organisations need a much more structured approach to manage cybersecurity risks. Also, before commencing, it is important to realise that Human errors (~95%) are a major cause of cybersecurity breaches – any sophisticated programme that does not consider this element will be fraught with deficiencies. Having cybersecurity management can help mitigate the risks across the organisation.
A typical programme in a global organisation would mostly involve the following, amongst other steps, though may not be in any specific order;
- Hire skilled people;
- Launch a Cyber Security Programme;
- Start with identification of top cyber risks;
- Depending on the organisation’s risk appetite for cybercrime risks, secure budgets for investments in infrastructure, processes and training;
- Build processes to identify external and internal threats and vulnerabilities, review vulnerability assessments, phishing tests, penetration testing, etc.;
- Identify known and emerging threats that are likely risks for the organisation;
- IoT Strategies, Network Strategy, Cloud Security and prevention of DDoS attacks to prevent infrastructure;
- Assess shift to integrated security products;
- Assess Enterprise Application Security layers;
- Build awareness of cyber regulations and cybersecurity standards;
- Review SDLC from a security perspective;
- Review Source Codes;
- Build resiliency models, to enable recovery in case of an actual cyber-attack;
- Review access and identity management components;
- Review insurance/reinsurance arrangements for adequate coverage;
- Implement Security control frameworks, complete with policy suites, standards and procedures;
- GDPR assessments;
- Continuous threat monitoring through organisation’s Security Operations Centres;
- Oversight of third parties’ physical and logical security; and
- Develop Cyber Incident and Crisis Response Mechanisms.
While employees are expected to follow the cyber etiquettes for individuals anyways, Zero Trust Model assumes that a breach is inevitable or has already occurred. This is recognizing internal and external threats. As a result, users get restricted access to corporate data, on a need-to-know basis. It entails constant user monitoring, real-time data protection, risk-based access controls, etc. Logically, Zero Trust Models are implemented to safeguard critical networks, such as those associated with national security.
Hopefully, these mitigating steps enable individuals as well as organisations to take stock of their journey, and course-correct where necessary.
Dedicated to safer cyberspace.
Submitted by: Ashish Malhotra