By: Sanjay Deshpande, CEO & Co- Founder, Uniken & Menny Barzilay, Technology Advisor, Uniken
Interconnected is an understatement in today’s context. We live in a hyper-connected world influenced by the now ubiquitous cloud, the rapidly transforming Internet of Things, the proliferation of Web 2.0 fuelled by the emergence of new device form-factors and improved connectivity.
With the rapid evolution of new-age technology and connectedness, comes the emergence of new security blind-spots, in the way this data is accessed. For instance, employees, who access the enterprise digital applications through enterprise intranet (essentially a managed network) or over internet (unmanaged network) through managed and unmanaged devices, scaling beyond a few thousand end points, currently being protected with a myriad of existing security technologies. On the other hand, for partners, vendors, customers and end-users, the Internet, accessed via various personal devices, is the primary interface for application/data-access. These weak-links are constantly exploited to give rise to a new gene of cyber-security threats, which makes data—our private, confidential, critical data—extremely vulnerable.
Threats today are no longer restricted to fragments of malicious code, aimed to exasperate, incite or stall. Today’s threats are strategic, targeted, organized and relentless. Such targeted attacks, like we have seen in the recent past, can cause significant financial losses as well as deep-seated damage to an organization’s reputation and leave an abysmal dent in organizational resources.
It has been the recognition of the consequences of such threats that has seen issues of cyber security emerging as a top agenda for business leaders. A recent report by FTI Consulting as a part of its Law in the Boardroom Study found that data security is a top concern for the top echelons of the management team, outranking even concerns over succession and leadership transition.
Just recently, in November, we saw hackers attack Sony, leaking sensitive and private information. We expect that in 2015, we will continue to see such targeted attempts at large-scale hacking. We expect that in 2015, the larger theme of cyber security will continue to dominate boardroom discussions. Here’s a look at some themes that will impact the security outlook for members of the board and management teams.
Are existing security systems adequate to protect against future and unforeseen threats?
Existing security systems are not adequate to deal with the new rising threats and modus operandi such as advanced persistent threats, in which attackers are increasingly investing real efforts and resources to hack a specific target. Recent incidents have shown that many times the weakest links that are being exploited by the attackers are remote access solutions.
In this increasingly sophisticated era of cybercrime, VPNs have fast lost ground and relevance in today’s cloud-based economy. Customers and third parties access enterprise digital services through the Internet via various devices which basically constitutes an unmanaged network. Traditionally, customers are protected through SSL, OTPs, digital certificates, etc, and third parties through an additional SSL-VPN client. These security controls have proven ineffective and recent breaches are a testimony of it. Moreover, SSL-VPN poses scaling issues when the number of users and devices rises beyond a few thousands. We expect a major change in computer networking technologies—from connecting devices (LAN/WAN/INTERNET) (VPN is just an extension of that) to—securely connecting (Apps, Users and Devices) resulting in private digital networks for enterprises which will be completely protected from unauthorized access.
Have we successfully and adequately addressed security concerns with mobility and BYOD?
The sheer number of devices and organization connected to the cloud, the amount of content being shared every day is massive. From an enterprise perspective, it is both consumers and employees who can pose security concerns.
Gartner’s report, “Bring Your Own Device: The Facts and the Future,” suggested that by 2018, 70% of mobile professionals will conduct their work on personal smart devices. With a heterogeneous device environment, organizations will have to continue addressing the need to introduce checks and balances towards securing remote access for sensitive applications & data.
For instance, the JP Morgan & Chase hack, earlier this year, was perpetrated by people who were familiar with the systems and had access to the bank’s network.
On the other hand, the penetration of mobile devices, the rise of social media platforms and e-tailing has given rise to new platforms and channels as well as access to more consumer data than ever before. With the potential for e-tailing alone pegged at $76 bn by 2021, access to this data, if not protected well, and in the hands of the wrong people could spell disaster for many organizations and individuals.
Is our security infrastructure sufficient to protect valuable financial data of our customers?
Mobile apps, e-commerce and online banking have opened up quicker and more accessible routes for customers to transact and interact with enterprises. Latest apps allow you to pay for everything from cab rides to food delivery via mobile wallets.
The BFSI sector is one of the most attacked sectors in the world. The potential “promise” of gaining real money gives attackers a huge motivation to invest real efforts in the attacks and become more innovative.
And it is not only new channels that will come under the scanner. Existing physical infrastructure and systems will also have to be upgraded to protect against newer attack vectors. Banks and other financial institutes are in a difficult position. On one hand, customers continue to demand for more easy-to-use solutions and permanent access while on the other hand attackers are becoming smarter and more effective, increasing the risks as well.
It is obvious that banks are required to stay in line with the most updated and innovative technologies that will allow customers to access their data in a secure way and mitigate the risks involved.
What are the implications of the Internet of Things for cyber security?
Internet of Things is a collection of objects, which create a new breed of smart devices which are capable of collecting, transmitting and receiving data over networks.
The basic rule of thumb in the Cyber Security field is “more functionality = more vulnerabilities”. Accordingly, the nascent IoT technologies will present new security risks for both personal and organizational usage. Imagine this: while you are riding in your driverless car on your way to work, the GPS navigator identifies that due to a traffic jam, you will be late for your next meeting, and automatically notifies your organizational calendar to reschedule the meeting. This scenario is no longer relegated to science fiction but is fast emerging as real life possibilities.
In the enterprise space, IoT could open up security loopholes, which could allow hackers to listen in on commands or data transmission, transmit inaccurate data or send false commands. This ultra-connected world will require implementing a platform that will allow secure connectivity between those devises and other sensitive organizational assets. We have to be proactive in handling those emerging threats and to invest today in preparing for the problems of tomorrow.
How organized is cybercrime?
Cybercrime, as is evident from recent attack vectors, is a far more organized and concerted activity today. Over the last few years, we have seen the global rise of the Cyber-crime-As-A-Service model. The model effectively enables easy access to malicious software, supporting infrastructure, stolen personal and financial data and the means to monetize this.
Cybercriminals are becoming more proficient at sharing information, tactics, and intelligence amongst themselves. There is a rich criminal ecosystem that contains marketplaces for selling stolen goods including credit cards information, bank account usernames and passwords and that allows hiring professional hackers and criminals for a specific job. Criminals and hackers work together, many times without even knowing each other, in order to facilitate sophisticated attacks.
A couple of years ago, industry reports suggested that the total average organizational cost of a data breach was close to `60 mn. It is safe to assume that with the rise in targeted, persistent attempts at data breaches, the total financial losses could cost as much as billions of rupees. And, this is just the estimated financial loss. The loss of trust and credibility that can negatively affect the brand and reputation of an organization is immeasurable and far more lasting.
We expect that the malware industry will only become more professional and efficient, which could lead to mounting losses globally.