How Indian SMEs are Prepared to Face New Aged Cyber Frauds

As per the recent study and survey conducted by Kaspersky Labs, India was the third worst-hit country by WannaCry, according to a Kaspersky Labs report. The number of users attacked by ransomware in India has nearly doubled from 2015-16 to 2016-17, the report says. According to a study by Kaspersky Lab and B2B International, 42% of respondents from SMEs agreed that crypto malware was one of the most serious threats they faced.

Deloitte surveyed 309 companies and professionals between October and November 2016. 168 of these companies were large, 48 were small and medium enterprises (SMEs) and 93 were corporate professionals.

70% of large companies, 54% of SMEs and 65% of professionals expect frauds to rise in the coming years but Indian organisations have a long way to go in effectively mitigating frauds, Deloitte said.

“Many organisations have been unable to keep up with the advancements in the hack and introduction of IoT has worsened the situation wherein the devices like IOT enabled devices, Electrical grids and IoT enabled factories are at the mercy of cybercriminals.

A survey conducted by cybersecurity firm ESET in the Asia Pacific region found that Indian SMEs have been the most vulnerable to cyber-attacks in the past three years.

Since we are living in a reactive environment wherein we react and take mitigation action after the organization is attacked by cyber criminals it is similar to buying a fire extinguishers only after experiencing the fire incidents. However the cybercriminals are proactive in their approach and in order to combat this threat, we have to ensure that we have to establish a robust system which will ensure the adequate prevention and treatment to refrain from cyber attacks.

As an experienced Information security veteran, I would like to advise the organizations to understand and emphasize more on the security of the information. The information which is the backbone of every business and the cybercriminals are majorly targeted to steal our information which gives birth to major frauds, online attacks and physical theft of the information. Organizations are more focused in understanding the life cycle of the information and should ensure its security during the “Birth of the Information”, “During the transit of information”, “During the Resting stage of Information” and finally “ During the Death of Information”. If we understand all these phases very well and ensure the security of information during all the phases we are all done and will be able to avoid the information theft in its electronic or physical forms. So, we should adopt a holistic approach when we think about the security of the information. For example, if a hacker is unable to hack your server from the internet because of strong technical controls on your IT Infrastructure but you have weak physical security control, the hacker will walk into your office and steal the information from your server directly without using any hacking skills.

In order to achieve watertight security, we have to adopt a systematic approach which is very well achievable in 7 Simple Steps:-

1. implement information Security Standard: -In order to curb the menace from its roots, we need to implement the renowned information security standard such as ISO27001:2013 in the organization through a qualified & experienced Security Consultant. Most of the organizations commit dire mistakes while selecting the right consultant. In order to save our few bucks, we are ready to compromise with the quality of consultant putting our entire business at stake which is prone to data theft &cyber-attacks. The ISO 27001:2013 version comprises of 10 Clauses & 114 Controls which if implemented properly in the organization will mitigate the security risks to a minimum. ISO 27001 provides a holistic approach towards the security of information and touches every domain of the organization to ensure the security of the information.
2. Select reputed Certification Body: -Certification bodies play a pivotal role in validating the security implementations done by consultants, hence it’s a second level check to harden the security parameters of the organization.Another mistake which is committed by most of the organizations' wrong selection of Certification Bodies. Most of the Indian organizations go for ISO 27001 Certification just because of the client’s requirement or to fulfil the tender requirements. Due to which they are most interested to adopt the easy ways of getting themselves certified through the Certification Bodies which can provide them paper certificate without proper verification of the implementation controls. In this scenario, we need to be choosy and should select the certification bodies of respectable repute possessing a qualified team of experienced security auditors who do not compromise with the quality of the audits and ensure that no security parameters are omitted during their assessments.
3. Regular Information Security Maintenance: - Post the award of certification it is equally important to maintain the security controls which have been implemented by the organizations failing which the organization may lose the effectiveness of controls implemented resulting in creating a hole in security posture of the organisation. In order to do so, the organizations must create internal security team to ensure the maintenance of the security parameters on the real time basis. Organisations of small sizes can outsource their maintenance to any of the reputed security consultants to save their costs.
4. Building Cyber Security Strategy: - Organizations should build a cybersecurity roadmap for the organization which should include the organization’s security strategy to deal with the cyber security risks in current and future scenarios.
5. Regular Vulnerability Assessments: - Organizations should hire experienced Ethical Hackers to internally hack their own Networks, websites, web applications and mobile applications and provide the remediation actions to the organization for closure of the loopholes found in their security assessments. The main objective behind the Vulnerability Assessment & Penetration Testing (VAPT) is to identify all the potential loopholes within your security system and show the potential impact of those threats & loop holes by exploiting them. In today’s business environment, no company can afford to lose a single confidential information or data. However, online businesses are always at the risk of hacking and unauthorized access to network to hack the confidential information and data. Therefore, it is extremely important to identify all the potential risk within a network and get them fixed on the time. This activity should be repeated at certain periodicity in order to ensure that newly evolved threats are being taken care of.
6. Regular Employee Awareness: -As an Information security and cybersecurity veteran, I would again like to draw the attention of the public on the basic security awareness which we are lacking while addressing such issues. Cybercriminals mostly take advantage of ourbasic humannature to create fast bucks by attracting them to lucrative lucky jackpots, new updates to their current technology gadgets promising new attractive features etc. Studies show that people’s negligence or malicious acts accounted for two-thirds of cyber breaches, according to historical claim data analysed by London-based consultancy Willis Towers Watson. Just 18% were directly driven by an external threat, and extortion accounted for a measly 2%. Overall, the research found that about 90% of all cyber claims stemmed from some type of human error or behaviour. In a nutshell training is the integral part of the Security Implementations which enables employees to understand the information security requirements laid down by ISO27001 standard hence we should ensure that the frequent security awareness trainings are imparted to all the employees of the organizations which will enable them to deal with cyber criminals, social engineers and tactfully handle security incidents and report them to the required authorities for immediate actions.
7. Join Online Security Advisory Group: -All organizations should join online security advisory groups which keep them abreast on latest cyberattacks, security vulnerabilities and provide remediation actions to resolve them on time. This will ensure organizations to harden the technical security controls and secure the environment from hackers and cyber terrorists.

If all organizations remember these thumb rules and follow them religiously and ensure the adherence, we will be able to fight this evil together without falling prey to the tactics played cyber terrorists, hence ensuring the security of  Digital India Mission of our Honourable Prime Minister hence making our Secure Digital India Mission a mere success. 

About the Author:

Mr. Naveen Dham CEO And Founder of GIS Consulting registered as G-Info Technology Solutions Pvt. Ltd. providing cybersecurity and information security consulting. Naveen Dham is a veteran security strategist & holds a total of 2 decades of rich experience in Information Security (ISO27001) Implementation, Maintenance, IT Security Auditing and IT Service Delivery.