FINANCIAL THREAT DUE TO CYBER-ATTACKS

“The potential for the next Pearl Harbour could very well be a cyber-attack,” said Leon Panetta. Few statements capture the current state of cyber-security as accurately as this one. With every piece of data being listed on the internet, cyber-security has gradually become a cynosure in the world of finance. What was once nugatory has now shaken every sector to its roots. From spreading at a snail’s pace, it has now tripled its presence owing to the Covid-19 pandemic. Therefore, let’s analyze the threat which has come to be of sheer importance of late.


Amount of Financial Losses Suffered due to Cyber-Attacks
(*All Amounts in US$, in Billions)

“Cyber risk” is a term that encompasses a variety of risks resulting from the failure or breach of IT systems. To quote a definition from PwC: “Cyber risk is any risk associated with financial loss, disruption or damage to the reputation of an organization from failure, unauthorized or erroneous use of its information systems.” Cyber risks take several forms, ranging from cybercrime, cyber terrorism, and corporate espionage to data leakage from associates and environmental threats. There are also more specific forms of such risks, such as ransomware or phishing attacks.

However, there are essentially two basic types of cyber risk: external and internal. External cyber risk is one that originates outside the organization and its associates, such as in the environment in which it operates. The majority of external attacks aim to steal confidential information through malware such as worms, Trojan horse viruses, phishing, and the like. While external cyber risk involves sabotage from the outer world, it is the exact opposite for internal cyber risks. An internal cyber risk can be defined as a threat from a current or former employee, contractor, or anyone associated with the organization who has access to its network, system, or data, and intentionally misuses it when they have an axe to grind. Internal cyber-attacks are generally used to extract pieces of information related to employees, either to have them recruited for someone else or for other potentially malicious intentions. On the other hand, there are also cases where employees have themselves hacked servers with the intention of stealing intellectual property to act on their grudges.

Both internal and external cyber risks can prove to be hazardous for any organization. Where internal risks focus only on the threats posed by its authorized individuals, external risks have a broad range of attacks which shall be discussed later. By one estimate, up to 55% of the cyber risks arise from internal threats, which makes dealing with external and internal risks a herculean task for companies.

The causes or methods of cyber attacks vary and include both unintended incidents and deliberate attacks. Examples of unintended incidents are accidental data disclosure and errors occurring as a result of incorrect implementation, configuration, and processing. These incidents often take place due to the mishandling of important information available on the digital platform. Notwithstanding these facts, around 40% of the cyber incidents happen to have been carried out intentionally. Such incidents can in a real sense be called cyber attacks.

Attack Targets

The most common targets of hackers are unmonitored and unprotected home Wi-Fi connections. Hackers use access to compromised personal routers to conduct Distributed Denial-of-Service (DDoS) attacks or financial fraud, or as a hop point to conceal the original attack location. They also use the Man-in-the-Middle attack, which is a general term for when a perpetrator positions himself in a conversation between a user and an application, either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway. The goal of such an attack is to steal personal information, such as login credentials, account details, and credit card numbers. Targets are typically users of financial applications, SaaS businesses, e-commerce sites, and other websites where logging in is required.

Measures like End-to-End Encryption ensure that only the sender and recipient are able to read the messages. Essentially, it obstructs any eavesdroppers in between by keeping the cryptographic keys required to decode the messages out of their reach.

Hackers also target Collaboration Platforms and Communication Tools:

They disrupt services: communications are disrupted by eavesdroppers who make their way past the meeting security and obtain information. Moreover, hackers may abuse cloud accounts with login attempts from anomalous locations, making the account activity hard to trace.

A Cloud-based Secure Gateway should be implemented as a preventative measure. It offers several benefits, such as Encrypted Traffic Analysis; Data Loss Prevention; Social Media Protection; Supportable Protocols; Integration for Zero-Day Anti-Malware Solutions; and Flexibility of Locations.
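
One way a defender can surface the "login attempts from anomalous locations" described above is an impossible-travel check over sign-in logs. The following is an added example, not part of the original article; the event format, user names, coordinates, and thresholds are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in events: (user, ISO timestamp, latitude, longitude).
# Assumes the log pipeline has already geolocated each source IP address.
SAMPLE_EVENTS = [
    ("asha", "2021-03-01T09:00:00", 22.57, 88.36),  # Kolkata
    ("asha", "2021-03-01T09:40:00", 51.51, -0.13),  # London, 40 minutes later
    ("ravi", "2021-03-01T08:00:00", 19.08, 72.88),  # Mumbai
    ("ravi", "2021-03-01T12:30:00", 28.61, 77.21),  # Delhi, 4.5 hours later
    ("asha", "2021-03-01T09:40:00", 51.50, -0.12),  # London again, same minute
]

MAX_SPEED_KMH = 900.0    # assumed ceiling, roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0  # assumed tolerance for geolocation jitter


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Return (user, previous_ts, current_ts, km) for each pair of consecutive
    sign-ins by one user that would require moving faster than max_speed."""
    alerts = []
    last_seen = {}
    # Same-format ISO timestamps sort chronologically as strings.
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, prev_ts, prev_lat, prev_lon = last_seen[user]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # A large jump in zero elapsed time is also physically impossible.
            if km >= min_km and (hours == 0 or km / hours > max_speed):
                alerts.append((user, prev_ts, ts, round(km)))
        last_seen[user] = (when, ts, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", alert)
```

Such an alert is a signal to review, since VPNs and mobile carriers can also shift a user's apparent location.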

Furthermore, hackers may attack the remote workforce using Phishing and Vishing. Phishing is a type of social engineering attack that is often used to steal user data, including private information like credit card numbers and passwords. This happens when a black hat hacker portrays himself as an honest entity and somehow gets the user to open a flash message, e-mail, or SMS. Vishing is similar, but instead of using technical means to obtain information, it involves duping the user into giving it up themselves. Social Engineering attacks are also a medium of the same; social engineering is a method of deriving information using a wide range of malicious attacks accomplished through one-to-one interaction with the user. It uses the psychology of the human brain in order to derive information.

Measures like cybersecurity awareness and training must be applied. If one does not know of malicious representation, then one is more likely to give away personal information. This is the main reason that such practices take place. Therefore, awareness and training can go a long way in helping us to get rid of such attacks.

Recent Cases

1. The Twitter Attack

July 2020 saw the popular social media platform, Twitter, hijacked by just 3 individuals who tweeted from high-profile accounts such as those of Mr. Barack Obama, Mr. Jeff Bezos, Mr. Elon Musk, and many others. The hackers tweeted about bitcoins through these accounts and earned over $100,000. It took Twitter over a month to bring back its normal functioning.

2. Overtaking Garmin

Garmin, operating in the aviation industry, also came under the radar when in July 2020, its technology got attacked by a ransomware tool called WastedLocker. Although the tool didn’t steal any data, it rendered programs useless until decrypted. The attack was launched to get ransom and the plan got fulfilled when Garmin allegedly paid $10 million to get its system decrypted.

3. Cyber Insurer needed insurance

One of the top Cyber Insurance firms in the States, CNA Financial, suffered a ransomware attack on the 21st of May, 2021. The attack disrupted the customer and employee services of the organization for three whole days, which led to the closure of CNA in order to prevent further compromise. An undisclosed version of the “Phoenix CryptoLocker Malware” was used for executing the attack.

4. Crime from money, to nature

A cybercriminal in Florida attempted to poison the water supply in the state by increasing the sodium hydroxide levels to a potentially dangerous amount for human consumption and use. The criminal was able to breach Oldsmar’s system and increase the level of the said chemical in water dangerously, from 100 parts per million to an enormous 11,100 parts per million.

5. Ransomware aces through Acer

Computer giant Acer faced a ransomware attack and was told to pay a sizable amount of $50 million, the highest known ransom to date. It is believed that a cybercriminal group called REvil was responsible for the attack. The cybercriminals leaked images of stolen data besides breaching the site.

Impact of Covid-19 on Cyber Crimes

As already mentioned, the financial sector has been hit by hackers more often as compared to other sectors during the Covid-19 pandemic. Financial institutions, like other organizations, have temporarily shifted to remote working in order to continue their business despite the stringent lockdowns. Accommodating their entire work on digital space has acted as a catalyst, aiding the reach of cyberattacks. Taking advantage of the Covid-19 pandemic, opportunistic cybercriminals unleashed numerous cyberattacks in this sector. To be specific, known malware that had been relatively dormant re-surfaced with the onset of the pandemic, taking new forms or using COVID-19 to boost its social engineering tactics.

An increase in the number of domains containing the keywords ‘COVID’ or ‘corona’ has been witnessed. It is believed that these domains have been set up to take advantage of the growing number of people searching for information about COVID-19. Palo Alto Networks reported that by the end of March, as many as 2,022 malicious and 40,261 high-risk newly registered domains were discovered. As stated earlier, cybercriminals are creating fake websites with keywords such as COVID-19 to entice victims into opening malicious attachments or clicking phishing links, resulting in identity impersonation or illegal access to personal accounts. Also, Trend Micro reported that nearly one million spam messages have been linked to COVID-19 since January 2020.

Work from home led to increased exposure to scams and phishing activities. Data-harvesting malware such as Remote Access Trojan, info stealers, spyware, and banking Trojans infiltrate systems using COVID-19 related information as a lure to compromise networks, steal data, divert money and build botnets.

From less than 5,000 per week in February to more than 2,00,000 in late April, cyberattacks grew by 40 times with the inception of the pandemic. The growth further accelerated by around one-third in May and June as compared with March and April. It is assumed that in the future, criminals will take advantage of the underground market to look for ‘cybercrime as a service’, given the ease of access, low cost, and potentially high returns offered by the platforms.

Relevance of Cyber Security for India

India has reached a new peak with respect to trades and businesses abroad relative to the last two decades. It has undertaken bold economic reforms, diversified its exports, and built significant relations with the outside world. The rise of technology has enabled India to become a global outsourcing and business processing hub. Now, multiple cyber cities of India house Indian companies who have made a mark in international markets and served global needs. 

India took an oath to take digitalization to another level, but what stands in the way of this oath is the growing number of cybercrime cases. To list a few, two hackers from Mumbai fraudulently obtained SIM card information and used it to transfer Rs. 4 crores from the victims’ bank accounts in August 2018; they carried out transactions via online banking. On July 14th, a cyber crook posed as a jeweler and duped an IT professional of Rs 1.22 lakh under the pretext of some digital payment.

From a malicious cyber-attack perspective, phishing campaigns and ransomware attacks are all too common and have wreaked havoc in all businesses ranging from small family-owned setups to some of the largest global Indian conglomerates. The purpose behind attacks ranges from financial to political to commercial.

With the increase in digital penetration, Indian businesses have become increasingly prone to cyber risks. In 2018, Cosmos Bank in Pune lost approximately Rs. 94 crores, which was taken out of their systems using a vulnerability in the SWIFT system. Such incidents act as a precursor warning to the dangers that lie ahead in the financial sectors. However, they can be overcome to a great extent if cyber insurance becomes mandatory for any performing financial institution.

With regard to cyber insurance solutions, India is only a tyro in the sector. A smattering of corporations have taken out insurance so as to suffer the least from a cyberattack. According to various sources, currently, around 500 standalone corporate cyber insurance policies are in place in India with a gross written premium of circa US$20m. Despite this progress, it becomes insignificant when compared to the global cyber insurance market of circa $4bn.

Recommendations for Protection from Cyber Attacks

The first step should be the Prioritisation of Cyber-Security Assessment before implementation by institutions. This is important, and with the help of White Hat Hacking, which is growing every day, a regular threat assessment can be carried out using a threat-based approach. A maturity level should be pre-determined for the Cyber-Security systems implemented. This Maturity Level must be set keeping in mind the increasing threat to cybersecurity, also considering the applicability of the same. Any gaps that are found in the continuous threat assessment must be filled by updates to the system that is running.

Fraud risk and Cyber Crime Reporting should be merged with the continuous threat assessment to increase the stake of the same, thus resulting in higher efficiency.

After the above has been accomplished, the focus should shift to Securing Remote Access Control, as regularly reviewing remote connectivity solutions and security governance is essential to establish a clear distinction between platforms. In case a loophole is discovered, proper measures must be ensured, either legally or by guidance for authorities. Moreover, the scope of functions needing secure access must be decided: a proper assessment of all functions must be done, and the ones where information is being stored must be given secured access, using end-to-end encryption for the same.

With secure remote access control, third-party access must be tightened by exploring the possibility of modifying contractual agreements to monitor third-party access to banking infrastructure. Such access based on agreements must be carefully drafted, avoiding as much third-party access as possible. Moreover, we can prioritize access to and availability of services for alliance partners and vendors, with all possible restrictions.

Now that third-party access has been tightened, Contracting or Outsourcing Cyber-Security Capabilities shall become the main priority. Cyber-Security Solutions and assistance are available for outsourcing. Experts in the field can help to provide cybersecurity, thereby taking an additional burden off the bank’s management while providing the best of the services in the respective field.

As outsourcing is already considered, Adopting advanced technology solutions and tools would be more effective. Several lines of defense must be created across the firm’s entire digital experience. The stages can be Zero-Trust Architecture; Advanced endpoint security systems; Augment Cyber Security; DevSecOps.

Since the groundwork has now been established, Raising awareness through training is very necessary. Introducing formal training programmes on cyber threats and cybersecurity practices for employees will help them take better precautions and report all malicious attempts on the system.

Developing a cybersecurity culture at every level, and viewing it as a continuous process of debugging and re-development, is undoubtedly essential.

As Cyber Security is now becoming a matter of huge concern, we must bolster security through threat identification and response competencies, and integrate a modern and evolving security infrastructure with digitization, which is growing at a swift pace all around the world.

With a surge in cyber-attacks already being witnessed across the globe, the need to treat cyber risks as a threat to business and to have the required protection can no longer be disregarded. After all, prevention is better than cure!

~ Contributed by Harsh Harlalka and Muskan Kalani

(Harsh Harlalka is a second year student pursuing Bachelor of Commerce (H) at St. Xavier’s College (Autonomous), Kolkata and a Junior Associate of the Xavier’s Finance Community)

(Muskan Kalani is a second year student pursuing Bachelor of Management Studies at St. Xavier’s College (Autonomous), Kolkata and a Junior Associate of the Xavier’s Finance Community)
