Changing Face of Cyber Threats to corporate entities

As the country has moved into the digital way of doing Business, Governance and conducting personal life, the threats of various kinds arising from the use of computers, mobiles and other devices that work on “Data” have only increased.

Technology persons often pursue their creative goal unmindful of the impact they cause on the society. Hence they often talk of “Disruption”. We as corporate managers and as users of technology therefore often confront the so called “Zero day vulnerabilities” that are exploited by hackers around the world to make money and commit all sorts of offences.

As a result today, we often find it difficult to trust content on the website, message that comes in WhatsApp or Twitter or even an email that lands directly with us. Now a days, if I get a phone call which says I am calling from Bank, instead of listening to it, we are more concerned in ending the call because we donot know if even picking up a call will let some virus in.

The biggest threat that we face today is therefore “Lack of trust” in anything that comes to us as “Data”. So, it may not be “Data which is on the run”. Some times we have to run away from data.

Recently we came to know that “Data” of one big company were attacked by a hacker group who first of all encrypted the data and made it unusable and further threatened to release confidential data to the public. They wanted payment of a big sum of ransom that too to be paid in the currency of the criminals called Bitcoins.

“Phishing” continues to affect us particularly importers and exporters who face impersonated messages such as we have changed our Bank account..please remit the invoice payment instead of the regular account to another account. In one such case a big company in Saudi Arabia paid out rs 190 crores to the fraudsters instead of to ONGC. We are also aware that many times money has been taken out of the Banks through the SWIFT messaging systems.

Every day we also hear about the losses common people face through GPay or other mobile payment systems

These kinds of frauds appear simplistic and not as sophisticated as the Stuxnet attack on the Iranian nuclear system or North Korean attack on Sony corporate network, or DDOS attacks launched from CCTV cameras, robots made to drop material on shop floor to murder workers, Automated Cars being hacked causing accidents or Drones trying to hack into your systems by hovering around your wifi devices.

While we are struggling to tackle such technology related attacks, the advent of a new law in India called Personal Data Protection law  is making the life of Corporate manager more complicated because the law is expecting you to take pro-active steps to prevent frauds failing which even when there is no attack, the corporate may be  imposed hefty fines.

This new development is coming in the form of “Personal Data” which is a subset of the “Data” and is like the “Hazardous inventory” you may have in your godown.  It may look small in quantity but the drums of those explosive chemicals require greater attention than the tonnes of steel which you can leave in the open space without much of a security risk.

The cyber threats like ransomware have moved from “Encryption” to “Threat to release the information” because release of personal information could be more damaging to a company than not being able to decrypt the information that is locked up.

The threats are therefore changing their nature and companies have to ensure that apart from protecting data from being unauthorizedly accessed, modified or denied access, threats such as “Non Availiability of Consent”, “Use of data for purposes other than for which they were collected”, “Retention of personal data beyond the expirty date”  etc can become more damaging.

Hence organizations need to change their outlook on defining what is a “Cyber Incident” and how they have to respond to a Cyber incident involving potential personal data loss.

The advent of the new law means also new responsibility centers in the organization along with the conflicts between the senior executives whose area of influence is getting disrupted.

The CEOs therefore have both the challenges of shielding against the known cyber threats but also bring about a transition of the organization to recognize the need to change the focus of security from “Protecting Data” to “Protecting the so called privacy rights of an individual”, which may require a complete overhaul of the business architecture.

The days for business managers is therefore challenging and exciting.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

2 Responses to Changing Face of Cyber Threats to corporate entities

  1. Firdaus Lalkaka says:

    With most people over 50 not being computer savvy, they are easy prey to hackers. So then, what do you suggest should be done to ensure that every post/email/etc. can be easily tracked to the sender?
    If there’s a way to ensure that every FB, Twitter, email, website, etc. is opened by and in the name of a “real” person who exists, do you think this menace could get mitigated?

    • PDPA has suggested that an option should be available to account holders in social media to get themselves verified and if done, it is mandatory for the platform to display their identity. As more and more people start using this feature the messages of un-verified persons will automatically be degraded.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.