Specific details aside, these were internal breaches — a danger that organisations are well aware of. Back in 2015, McAfee's 'Grand Theft Data' report had revealed that about 43 per cent of data breaches happened because of internal violations — either wilful or inadvertent — involving the company's employees, contractors and third-party suppliers. "The key causes for data breaches and infiltrations usually are the 4 P's — People, phishing, passwords and patching," explains Venkat Krishnapur, vice-president (engineering) & managing director, McAfee India. Similarly, Kaspersky Lab (South Asia) General Manager Shrenik Bhayani says, "Humans are the weakest link when it comes to the data protection chain."
Multiple cyberattacks and data breaches show the absence of cybersecurity awareness among Indian companies, say experts. "Organisations are ignorant or callous about cybersecurity when it comes to information assets. It is high time they took necessary measures," says Mukesh Choudhary, founder & chief executive, Cyberops Infosec. "Organisations should encrypt all sensitive data at rest and in motion, securely manage and store all keys, and control access and authentication of users," explains Jaspreet Singh, partner — cybersecurity, EY.
Inadvertent exposure of data might go unnoticed by malicious actors, only to be caught by security researchers, but deliberate external attacks have also increased in the country. India was the second-most-affected country for targeted cyberattacks between 2016 and 2018, said an April 2019 Data Security Council of India (DSCI) report.
The rise in attacks and breaches has already imposed a hefty economic cost on organisations. A 2018 Cisco study showed that 63 per cent of respondent organisations in India reported that cyberattacks in the past year cost them $500,000 or more, going up to over $10 million. An alarming 21 per cent of organisations reported that such attacks cost them between $5 million and $9.9 million. The financial impact of such attacks was estimated after considering lost revenue, lost customers, lost opportunities and out-of-pocket costs. The study involved more than 2,000 respondents, most of them senior security professionals, from across 11 Asia-Pacific countries, including India. And, the costs are rising. The DSCI report also said that the average cost for a data breach in India had gone up to about $1.7 million, 7.9 per cent more than that in 2017.
The threat is further magnified because any organisation can be a victim or target. For instance, foodtech company FreshMenu, travel platform Ixigo, online restaurant guide Zomato, and fintech company EarlySalary have all seen data breaches. "Not only big companies
but also small and medium enterprises need to take cybersecurity measures," says Kaspersky’s Bhayani. He warns that common wisdom suggests that all organisations could face an attack at some point. He adds that the goal is to keep attempts from turning into data breaches; understanding how and why data breaches happen is the first line of defence.
While the challenges on the cyber front are well known and researched, not everybody is prepared to meet them. In November last year, it was reported that data shared with the Prime Minister's Office by the country's cybersecurity agencies showed most attacks targeted financial networks and government arms. In 2018, about 20 per cent of attacks were reportedly aimed at financial networks, and nearly the same percentage was aimed at government departments. However, the spike in cyber frauds at banks shows how one of the most targeted sectors — and therefore most vulnerable sector — is falling short of meeting the challenge.
Data from the Reserve Bank of India's (RBI's) 'Report on Trend and Progress of Banking in India 2017-18' show that the number of cyber frauds at banks doubled from 978 in 2013-14 (amounting to Rs 54.5 crore) to 2,059 in 2017-18 (amounting to Rs 109.6 crore). In fact, the most dramatic rise in the number of cyber frauds and their associated cost came between 2016-17 and 2017-18 — the same period during which major cyberattacks hit Indian banks.
In October 2016, Indian banks were hit by one of the biggest breaches of financial data ever in the country, with an estimated 3.2 million debit cards being compromised. Several customers had reported unauthorised usage on their cards from locations in China. SBI, ICICI Bank, HDFC Bank, YES Bank and Axis Bank were the most affected.
The breach was caused by malware introduced in the systems of Hitachi Payment Services, a payment switch provider that ran and operated YES Bank's ATMs. At the final count, 641 customers of 19 banks had become victims of fraudulent transactions, leading to a fraud of Rs 1.3 crore. It had taken about six weeks to detect the malware infection.
Then, in August 2018, cybercriminals stole Rs 94 crore from the Pune-headquartered Cosmos Bank, after attacking its servers on two separate occasions. According to an FIR filed by the bank's management, the hackers had exploited a malware vulnerability in its ATM switch system. First, the hackers transferred Rs 80.5 crore from accounts at Cosmos Bank to a foreign bank in 14,849 separate transactions through debit cards. Then, they attacked again to steal Rs 13.9 crore through the SWIFT network. The bank's VISA and RuPay debit card systems were also compromised, along with personal and financial information of about 500 customers.
Earlier that year, in February, the Kumbakonam-headquartered City Union Bank had said it had been hit by cybercriminals, who had transferred nearly $2 million by way of three unauthorised remittances to lenders overseas through SWIFT. The bank successfully blocked and retrieved money from two of the three cyberattacks. The third one, totalling $1 million, was sent to the Zhejiang Rural Credit Cooperative Union in Hangzhou, China.
The spate of cyberattacks, data leaks and breaches is a major cause for worry, as the country witnesses a burgeoning digitization drive. A wide range of preventive measures need to be taken and many Indian firms have a lot of ground to cover.
EY's Jaspreet Singh advises that organisations must remain focused and implement vulnerability assessment and penetration testing (VAPT) solutions, and cyber security assessments. They should also conduct periodic network and system scans for known vulnerabilities. Choudhary also warns that organisations often get their audits conducted by companies
that are CERT-empanelled but do not specialise in VAPT. By attaining a security certification from such companies, the organisation gets a false sense of security, even as its data remains unsecured.
"BYOD (Bring your own device) policies further contribute to data leaks as USB drives and laptops used by employees are intentionally or unintentionally used for insider thefts," adds Krishnapur. BYOD is the policy of allowing employees to bring their personal devices — laptops, tablets, and smartphones — to the workplace and use them to access privileged information. Bhayani lists enforcing BYOD security policies among the best practices to avoid a data breach.
Experts also say that a gap in the defence requires prompt detection and a "patch" — a set of changes to a computer program meant to fix security vulnerabilities. "Between the ignorance and reluctance of IT administrators to ensure that systems are constantly updated with the latest patches, system vulnerabilities that could be potentially exploited at will are another weak spot that hackers look for," says Krishnapur. He advises that an automated patch management system that includes vulnerability assessment on a regular basis is critical to ensuring that systems stay up to date. They also minimise the chances of attacks. Bhayani concurs, saying that patching and updating software as soon as options become available is vital.
Choudhary advises that to secure data more effectively, organisations should have an information security operations centre, conduct red team-versus-blue team assessments, undergo a security audit every quarter, and comply with ISO 27001 — a universal information risk management standard. Krishnapur adds that data loss prevention (DLP) technology and intrusion detection and prevention systems, along with next-generation firewalls, should be put in place.
A security breach can cause loss of trust and hurt a company's brand. That can be "catastrophic", concludes Krishnapur.