By Harshavardhan Godugula
Cybercrime has rapidly evolved, with newer forms of threat vectors plaguing many businesses. While companies and governments have amped up their preparedness to tackle this menace, the incidents are still rising. In the 16th edition of the World Economic Forum’s Global Risks Report 2021, cybersecurity, alongside the COVID-19 pandemic, climate change and the debt crisis, was a key threat for the next decade. The report ranks India third after the US and the UK in facing major cyberattacks during 2006-2020. While the pandemic weakened the existing cybersecurity frameworks of many organizations, the frequency and sophistication of cyberattacks further affected the cybersecurity infrastructure of several businesses.
As the number of cyber and data breach incidents observed in 2020 and 2021 rose, the following are the trends that businesses need to be prepared for:
1. Stricter regulatory compliance and increased self-reporting of security incidents and breaches: Many countries put the responsibility of reporting or notifying instances of cybercrime or data breaches on companies. Over the last couple of years, regulators have increasingly focused their attention on corporates’ cybersecurity disclosure policies and on their responses to and reporting of cyber incidents. Business leaders should therefore plan adequate security postures, accompanied by administrative, technical and physical security controls, including self-reporting.
The Reserve Bank of India, as part of its circular on Cyber Security Framework in Banks, has made it mandatory to report data breach incidents to the regulator within two to six hours. Regulatory watchdogs such as the Indian Computer Emergency Response Team (CERT-In) have also directed companies, service providers and intermediaries to disclose the quantum of data exposed and to notify employees and customers.
2. Surge in cyber insurance to protect critical assets: As the magnitude of cybercrime increased during the pandemic, many companies are now taking larger cyber insurance policies to safeguard their data. They are also taking proactive steps to mitigate risk, protect assets, safeguard their reputation and recover monetarily after a data or security breach. Cyber insurance coverage typically varies and includes, but is not limited to, forensic investigation, business loss, costs for data breach notifications and legal expenses including the cost of paying ransom to attackers.
As per the Data Security Council of India, the global cyber insurance market is expected to grow at a CAGR of 27% from US$4.2 billion in 2017 to US$22.8 billion in 2024. The growth in India is mainly driven by IT/ITeS, banking and financial services, manufacturing, pharma, retail, hospitality, and research and development-led and other intellectual property (IP)-led organizations.
3. Crimeware or ransomware as a service is transitioning into a highly profitable industry: Today, crimeware-as-a-service and ransomware-as-a-service are increasingly becoming widespread practices. The former refers to advanced tools and packaged services that are offered for sale or rent to criminals, while the latter is readily becoming available to anyone capable of paying digitally or through cryptocurrencies such as Bitcoin. Cybercriminals often get generously compensated for delivering or spreading malware and may even get a percentage of the extorted ransom paid per infected device. The global economic downturn caused by the spiralling pandemic has created an ideal situation for both experienced and novice cybercriminals to carry out sophisticated attacks easily.
4. Businesses are being crippled by outdated and open-source software: Cybercriminals these days are continuously on the lookout for outdated web software. Once a vulnerability is discovered, cybercriminals exploit external web systems that run the vulnerable piece of software. Undocumented Open-Source Software (OSS) used by many organizations can be a ticking time bomb, ready to explode anytime. With the pandemic adversely impacting allocation of budgets for business operations, many enterprises ended up falling into the trap of opting for low-price software. Using undocumented OSS components and frameworks of correspondingly poor code quality to save programming time may compromise system security and ultimately cost much more.
5. Software-as-a-service (SaaS) platforms continue to be attacked: There have been several reported incidents of the platforms being infiltrated through phishing and crypto-malware tools, locking companies out of their own data. We see browsers as a weak link in the security chain, as a number of the zero-day flaws exploited have stemmed from browser vulnerabilities. Going through the list of CERT-In advisory guidelines, as of May 2021, we see that every single one of them relates to popular SaaS platforms being compromised and their vulnerabilities, be it data scraping of users or multiple vulnerabilities in operating systems.
As cybercrime continues to evolve, companies need to adopt robust cyber defence frameworks to mitigate rising threats. Protection against cybercrime must be enabled as a part of business culture and must become a boardroom agenda. Business leaders should also be actively involved in the discussion around cybersecurity strategy to better manage the evolving threat landscape.
(The author is partner, Forensic & Integrity Services, EY. Views expressed are personal and not necessarily those of Financial Express Online.)