Cyber risk is a business risk as well

Reported by: |Updated: July 31, 2017

Banks need to be extra-cautious about the possibilities of ransomware attacks. Atul Gupta, partner – IT Advisory and cyber security lead, KPMG in India, analyzes the scenario and suggests preventive measure

Mohan: One of the recent cyber threats is ransomware and its latest manifestation is WannaCry. Can you explain how ransomware can impact security systems in banks?

Atul Gupta: Ransomware are normally designed to attack on computing resources and the attacker demands ransom (typically in the form of bitcoin) to provide access to resources. The recent ransomware attacks were also designed to encrypt the data and the access was provided to data only when the user would pay the requisite amount to the attackers. Any such attack exposes organizations (including banks) to significant issues relating to lack of information, which may lead to impact on overall business operations. These attacks also lead to impact on reputation of the banks, since in current times majority of transactions are carried out electronically and all stakeholders expect banks to have robust security systems.

What are the measures banks in general should initiate to counter a ransomware attack? Do you think criminals behind such attacks can indeed access the critical data that banks hold? What are the measures banks should take to escape a ransom demand?

Ransomware has brought in a change in the form of cyberattacks, where the attacks are becoming broad based rather than being focused on specific information sets and the attacker believes that during such attack there may be critical information which may also get impacted.

The measures which should be performed to protect against ransomware attack include:

  • Keep the anti-virus system updated all times
  • Ensure that security patches released are deployed across the organization
  • Increase user awareness to not act/ respond to unsolicited emails that demand immediate action
  • Users should be trained on not clicking on links or downloading email attachments sent from unknown users or which seem suspicious
  • Avoid usage of removable media (USB drives) on the corporate system
  • Data is backed up on regular basis

For that matter, how can banks educate their customers on this threat?

Banks can issue advisories to clients/ customers focusing on the dos and don’ts that should be followed during usage of IT environment.

Can there be a further and more powerful attacks in the immediate future? How prepared are banks in India to handle the ramifications?

Cyberattacks have become a reality and the recent spate of ransomware attacks has demonstrated that the attackers are ahead of the curve and successful in launching global attacks. This exposes every organization to attacks and in this scenario, it is imperative for all organizations, including banks to have focus on cyber security preventive measures and incident response mechanism.

In normal circumstances, managements focus significantly on the prevent and monitoring phase of cyber attacks. They do not adequately invest on managing incidents. There is a need to have comprehensive cyber response process, which should include:

  • Formal process to manage incidents with identified roles and responsibilities
  • Have pre-defined response mechanism based on the impact of incident and ability to identify incident to minimize the impact of incident
  • Capabilities to perform post breach investigation and address the root causes

The fraudsters are typically seeking payments in bitcoins in order to remain anonymous. Do you think this would lead to a situation, where digital currencies like bitcoins would come under regulation?

Crypto currencies are becoming popular and there are exchanges, which are established across countries where it is possible to buy and trade using crypto currencies. However, these are not regulated by the regulator and there is notification issued by regulator on caution related to usage of virtual currencies and the associated risk exposure.

In the background of countries like India bringing in more and more online and mobile-based technologies, what are the other cyber security threats the banks in these countries face?

Cyber security threats are emerging from external and internal threat actors, which are constantly increasing with the adoption of technology and new digital products. It is extremely important for banks to have a robust cyber security framework and perform regular risk assessments to assess on the risk posture.

The banks also need to ensure that cyber risk is not considered only as technology risk, but is clearly established as a business risk, which is taken across to the senior management and board level.

Despite the security measures being adopted, awareness of users (internal and customers) play extremely important role in maintaining the secure environment. Banks should also focus on having robust security awareness program and well-defined process for raising incidents.

Do you think security experts can be one step ahead of cyber criminals in devising counter technology measures?

Proactive approach along with ‘Security by design’ concept is need of hour to strengthen the security posture and address the threat from increased cyber attacks. Traditional security measure focusses have not been proactive (such as vulnerability assessments and identifying vulnerabilities which have already been published) and increasingly the banks are moving to have proactive approach in the form of ‘red team’ based assessments, which simulates very closely the exploitation, which may be followed by cyber criminals to compromise the system. This approach along with advanced security measures shall assist banks to have reasonable assurance of having secured and controlled the environment.

Do you have suggestions in the light of RBI’s recent effort in setting up an inter-disciplinary panel on cyber security? According to you how bad or how good is the security preparedness of the institutions in India?

There are multiple studies performed on cyber attacks in India and consistently the trend of attacks increasing has emerged.  In such times, it is critical for the regulators, such as RBI, to have robust cyber security guidelines and measures which is mandated across the industry. RBI has come up with detailed requirements on cyber security which is a key step in the direction to ensure that there is minimum baselines to address cyber threat across the banks. Also, the panel brings upon a good combination of skills, which shall be able to provide adequate intelligence that is relevant to the threat environment.

What are some of the typical enterprise security threats Indian CISOs should watch out for?

The key threat continues to be persistent attacks (malware/ ransomware) and social engineering based attacks (identity impersonation, phishing, email based attacks, etc). However, there is a need for organizations to also monitor on the threat which emerges due to information about the organization available on internet. Traditional security measures focus only on threats which are impacting the technology environment maintained by the organization. However, with the increased adoption of social media, mobile apps and other digital channels, it is becoming critical for organizations to monitor threats emerging on these channels (these could be in the form of fake identity, publishing insecure apps, sensitive information available on peer sharing sites, etc).

India is about to roll out one of its ambitious tax reformation measures. Much of the implementation of GST depends on online capabilities. This brings in the question of security. Do you think we have developed the required security infrastructure?

The new tax reforms have digital channel as the backbone and to ensure that the security is maintained across the technology environment it is critical to trace the movement of data across the chain and have adequate measures deployed across the ecosystem.

Often such large initiatives focus a lot on the ‘crown jewels’ (centralized repository) but it is equally critical to adequately secure the last mile (data entry) and transmission channels as well.

What according to you are the major threat perceptions that this new system would have? What are the remedial measures?

The ecosystem being established, specifically at the end points (retailers or equivalents), will be enormous in size given the overall span of the country. This brings its own set of complexities which may be in the form of standardization of security measures, data handling, availability, etc. It will be critical to establish consistent and standardized security measures which can be enforced across the end points in the ecosystem.

mohan@bankingfrontiers.com