Lock out cyberattacks
WannaCry reiterates need for firms to fix ownership for IT network security, write SANGEETA TANWAR & RITWIK SHARMA
The recent WannaCry ransomware attack, which spread its tentacles across over 150 countries affecting more than 10,000 organisations and 200,000 people, showed the world that for organisations it’s not a matter of “if” they are going to suffer a cyberattack but “when”. Unprecedented in its scale, the episode once again exposed the vulnerability of security systems to large-scale network hacking and data breaches. It is a wake-up call for a country like India, which ranks third as a source of malicious cyber activities and whose enterprises are the sixth-most targeted by cyber criminals. Cyber resilience has to be a critical boardroom imperative for all organisations.
“Large organisations have already invested or are investing in advanced persistent threat (APT) solutions. However, a number of Indian corporates are still vulnerable to cyberattacks. Ransomware could attack networks that are not supported by APT solutions. There is a need for building a strong organisation-wide awareness programme encouraging the management to deploy latest security solutions to protect their networks from cyberattacks,” says Rajesh Uppal, executive director, IT and people development, Maruti Suzuki.
The reality is that, barring large enterprises, numerous other organisations urgently need to protect their data.
Burgess Cooper, partner, cyber security, EY, says there is no digital boundary for a company anymore. “The boundaries have changed from the old companies’ network to all the small suppliers and distributors who are now interconnected to their systems. Therefore, you are attacked for not only who you are but who you can give access to.”
Crossing geographical boundaries, hackers are increasingly targeting industries which lack the wherewithal to withstand cyberattacks. In the latest trend, the manufacturing and healthcare sectors are emerging as the new sweet spots for hackers. The consequences of a cyberattack on organisations in these sectors can prove to be more devastating than in others.
“Lives are at stake because a cyberattack which may seem like a monetary gain, could have far greater consequences if encountered in these two sectors,” he says.
With the growing threat of cyberattacks, it is the absence of a proactive approach towards foolproofing one’s information technology (IT) infrastructure and open network that exposes enterprises to cyberattacks. For example, the WannaCry attack breached security networks by using the hacking tool EternalBlue, originally unleashed in April by Shadow Brokers, the outfit said to be behind the hacking tool leak.
“Microsoft had released the patch (repair) solution in March. So, there was enough time for enterprises to apply the patch on their systems to prevent the spread of the virus which struck companies in May. The banking and finance sectors were better prepared to tackle such a network breach but other industries were caught unawares,” explains Sanjay Katkar, managing director, Quick Heal Technologies.
To avoid cyberattacks, the first step is to fix ownership for IT network security. Many organisations continue to focus on the technology aspect of cyber defence, which is crucial, but often at the expense of people risks — the largest source of data breach.
A survey on cyber security by Willis Towers Watson indicates that within organisations about 66 per cent of cyberattacks emerged on account of internal employees and only 18 per cent of security breaches emerged from external stakeholders. These numbers prove that organisations may have the best of software but it is equally crucial to have trained people who are responsible for maintaining security and can be held accountable in case of any data breaches.
It isn’t that organisations are deliberately not recognising people’s role in cyber security. But they are unaware of the preventive role employees can play. This often happens as chief technology officers (CTOs) look at risks from a technology perspective alone. It is time for HR personnel and CEOs to step in and create awareness among employees about identifying potential security breaches, says Ashish Ambasta, director, employee insights and assessments, Willis Towers Watson.
Raj Sabhlok, president, ManageEngine division of Zoho Corp, underlines that cybersecurity is not a static subject. It is a specialised and very dynamic area which requires constant investment and innovation. At ManageEngine, the management keeps abreast of the latest patches (versions) of operating software and encourages employees to hack into the company network so as to identify potential sources of data breaches.
Uppal says global standards are available to assess the maturity of organisations in response to cyberattacks and accordingly network management processes can be institutionalised within firms. At the same time, the high cost of security-led solutions proves to be a deterrent for some enterprises while updating their systems. But in future, cloud-based pay-per-use options would make security solutions more affordable.
Deekshit Marla, CTO of Arya.ai, an artificial intelligence firm, recommends that if a security breach comes to notice, organisations must make affected parties (such as customers whose data may have been stolen) aware immediately. Doing so will help people take remedial measures such as changing passwords or removing credit card information. While a data breach makes for bad PR, helping users will only repose faith in the organisation.