A confluence of factors has resulted in cybersecurity attaining greater significance this decade: the pandemic changed the way we work; Ransomware-as-a-Service (RaaS) created a business model for threat actors that led to a steep increase in the number of attacks; and cyberwarfare is used to augment conventional weapons in international conflict. All of these have made cyberthreats a national security concern.
The Minister of State for Electronics and Information revealed that India suffered 11,58,208 cybersecurity incidents in 2020-21: that’s more than 3,000 per day. The K7 Cyber Threat Monitor – MSME Report reveals that ransomware attacks significantly increased in FY 2021-22, crossing 30 million in Q3 alone. These are alarming statistics. It may be true that India hasn’t suffered a high-profile attack similar to the Colonial Pipeline attack in the USA but that shouldn’t make us complacent. An Indian airline recently faced some operational disruption due to a cyberattack, and threat actors have previously attempted to attack a nuclear facility. A larger, more successful attack may occur at any moment.
Will such malicious attempts on Indian organisations increase in future, both in frequency and severity? Undoubtedly yes. The University of Surrey estimated that cyberthreat activity generated $1.5 trillion in revenue annually, and that number will keep growing. Such revenue generation is possible only by casting a wide net for victims and India, with its growing economy, large number of businesses, and rapid digitisation, presents a lucrative opportunity for threat actors.
The cyberthreat industry is also evolving. Gone are the days when a lone hacker developed an attack, identified the victim, and deployed the attack. In today’s world, Initial Access Brokers (IABs) acquire access to an organisation’s network, which they offer for sale on the dark web; threat creators develop attacks like ransomware which are offered as a service; the attacker acquires compromised credentials from the IAB and ransomware from the threat creator and combines them to launch an attack against the organisation. Such division of labour leads to specialisation and a multiplication of attacks which implies that every organisation will be targeted sooner rather than later.
Is India under an illusion of cybersecurity? At the regulatory level, no. The government is paying increasing attention to cybersecurity; CERT-In (India’s Computer Emergency Response Team) provides frequent alerts on emerging threats; and organisations like SEBI are mandating attack disclosures. Nevertheless, compliance is key and this is where the illusion of cybersecurity emerges.
Organisations may be attacked in many ways but the attacks can be broadly classified into two categories: attacks on IT infrastructure, which typically involve some form of technology such as malware or the exploitation of unpatched vulnerabilities; and attacks on people, such as phishing, which rely on social engineering to mislead employees or other stakeholders into performing actions prejudicial to their interests. The illusion of cybersecurity must be avoided in both these categories.
Many Indian organisations face competing priorities for resources and their willingness to invest in cybersecurity depends on their threat perception. It is not unusual to find computers running on unsupported operating systems connected to business networks, and organisational culture often dictates that subordinates follow instructions from leaders relayed through digital channels without verifying the source. These indicate that cyber threat perception is (incorrectly) low. The illusion of cybersecurity is maintained by a lack of awareness of both the probability of a cyberattack and its consequences, which could bankrupt a business.
Dispelling this illusion of cybersecurity requires a multi-faceted approach. Every organisation is a group of individuals and therefore, increasing cyberthreat awareness on an individual level is essential. The fundamentals of cyber hygiene must form part of the school curriculum, which will require the empowerment of educators with tools and skills. Colleges should be encouraged to offer cybersecurity awareness and skill development programmes which will shape the threat perception of the next generation of leaders and address the cybersecurity talent deficit which hampers the development of organisational cyber defences.
Such intervention in education will create improvement in cybersecurity posture over the long term. Immediate and medium-term improvement will require awareness building and strengthening of cyber defences by businesses. Cybersecurity awareness must be provided to employees to help them spot and stop attacks both within and outside the workplace. Skill upgradation assistance must be offered to IT team members to help them build robust defences against cyberattacks. Cybersecurity policies must be put in place to create a framework by which the organisation can ensure it provides adequate cyber protection to networks, devices, data, and people.
In addition to these measures, a culture of cybersecurity must also be cultivated within the organisation to ensure that everyone, at all levels of the hierarchy, follows a cybersecurity-first approach in hiring, procurement, disposal, and design. The organisation should also insist that vendors and other stakeholders follow cybersecurity best practices to protect against supply chain attacks and create a safer digital ecosystem for everyone.
An emerging area of concern is data sovereignty. Any digital solution, including cybersecurity solutions, may send or store data from India outside India, which presents a privacy risk. Organisations should ensure that data sovereignty is part of their evaluation process and insist on procuring solutions that preserve the privacy and data sovereignty of Indians by retaining Indian data within India.
Smaller organisations may find the above list daunting and wonder if the cure is worse than the disease, but such fears are unfounded. Scalable cybersecurity solutions are available and entrepreneurs need invest in only as much cybersecurity as required by their scale of operations, and many cybersecurity best practices require discipline more than financial outlay. The cost of a cyberattack is far greater than the cost of cybersecurity which, when combined with the likelihood of a cyberattack, establishes a compelling business case for deploying appropriate cyber defences.
Cybersecurity is a constantly moving target; what is adequate today may be inadequate tomorrow. It is not, however, an impossible or impractical target. Avoiding the illusion of cybersecurity only requires a mindset that favours risk mitigation similar to the caution that is exercised in other areas of business.
- By Kesavardhanan J, Founder & President, K7 Computing