Close on the heels of the Breach Candy hospital breach which resulted in the compromise of 121 million records and Dr Lal Pathlabs resulting in a compromise of over 1 million records, both of whom were neglected by the CERT IN as well as the media, an attack on Dr Reddy Laboratories seems to have been noticed more prominently by the media.
The reason appears to be that Dr Reddy labs decided to keep its operations closed in India, UK and US, until the breach is properly investigated and remedied and the stock markets also reacted to the closure.
The exact nature of the Dr Reddy labs is not known and unlike the other two cases where the access to the Cloud was reportedly compromised, by hackers, in the case of Dr Reddy’s, company’s own data centers might have been adversely affected probably by ransomware.
The spurt of attacks appear to indicate that before the PDPA becomes a law, hackers want to ensure that valuable data from the pharma industry is siphoned off. In the case of Dr Reddy’s, hands of the competitors and State Actors from China cannot be ruled out.
If PDPA had been in place, there would have been better resources allocated to Information Security/Data Protection by these companies at least in the fear of the heavy penalties. Now companies are taking it easy and hence are vulnerable.
One of the reasons why Companies tend to ignore security for the data assets is that the value of the data asset is not visible on their balance sheets. For example, according to a recent study, the price of medical records in the Dark web can be anywhere between US$250 to $1000. (Refer here). If this is true, then the value of 1 million records is around Rs 1750 crores to around Rs 7000 crores. If this value was seen on the balance sheet of Dr Lal Pathlabs or Breach Candy hospital, they would have easily appointed the best professional as a DPO or CISO to take care of the information security and probably prevented the attack. In the case of Dr Reddys, there could be value out of IPR more than the number of records along with the reputation loss, and business loss arising out of closure.
While Information Security professionals worry about how to encrypt, the data, manage the keys, ensure access through complex passwords or digital signatures or hardware tokens etc., we need to also look at the possible reduction of risks if the Company was aware of the value of the data they are holding.
It is therefore suggested that the Institute of Chartered Accountants and the Ministry of Finance should find a way of bringing the notional value of data held by a company into the balance sheets. For example, “Good Will” and other intellectual property rights are often brought into the balance sheet in the form of special reserves which are there on record but not available for dividend distribution. Similarly, contingent liabilities such as guarantees are brought into the books as contra entries. In either case the share holders and SEBI would be aware of the presence of the data assets in the company. The Board can ask relevant questions to the CEO whether the asset is properly secured and insured.
If this is achieved, there would be a huge improvement in the information security investments and corresponding reduction in the attacks. This has been established in studies on the Data Breach losses in companies where it is found that companies with a designated CISO have lower cost of data breaches.
The Ministry of Finance has a second weapon to reduce such Cyber attacks. This is by choking the economy of Cyber Criminals in the Dark Web and making Cyber crimes less remunerative. This can be done by banning all forms of Crypto currencies. I am aware that many administrators, politicians and even members of Judiciary are in favour of Bitcoins for their own reasons. After all Bitcoins is the best Currency for Corruption and even Mr Modi and Amit Shah think twice before attacking Bitcoins. But the long term solution to mitigation of Cyber Risks lies in banning Crypto Currencies rather than chasing Cyber Security through better Firewalls, Consumer education etc. Current approach in Cyber Security is to let the damage happen and then try to address the consequences rather than counter attack the hackers and bleed them of the reward of crime.
We hope the Government will muster enough courage one day to take Crypto currency by the scruff and destroy it for ever. It is more dangerous than the Narcotic drugs and can easily compromise every one who comes across.
I am confident that Mrs Nirmala Sitharaman, Amit Shah or Mr Modi are immune to such compromise but may still lack the will to take on other bureaucrats and politicians who may pounce on the Government together if Bitcoin is banned. Hope Goddess Chamundeshwari will on this Vijayadashami provide courage to these three to pick up their swords and kill the demon of Crypto Currency.