The past three months were a watershed period for cyber security. Wanna Cry and then Petya hit the world like cyber tsunamis and left behind significant business impact and business loss. Could these attacks have been prevented? First, let’s understand some aspects of these attacks.
In almost two decades in the field of cyber security, I have never witnessed the widespread electronic and mainstream media coverage that was received by the recent ransomware attacks. It almost became national news. This is one of the positive outcomes of any major cyber attack. It reminds us of how exposed we are to these risks and underlines the need for building a robust cyber defence for individuals as well as corporations.Painful experience
Unfortunately, those caught in the middle of the storm are able to understand it more profoundly than the observers. While there was unprecedented large-scale impact due to the recent ransomware, it was minuscule compared to the computer infrastructure of the world. Which means that the majority of individuals and organisations would continue to remain unaware of the need for steps they should take to build an optimal cyber defence against cyber threats. That is the biggest bane of the cyber security industry and profession.
The second observation is that the organisations that were impacted are building and strengthening controls around the risks of the recent ransomware attacks. That is important, but when you build cyber defence, you should consider all the possible risks to your business and build a security programme that works on mitigating these risks comprehensively. The one thing that these recent attacks have taught us is that cyber security is now a mainstream business activity. How many more attacks and devastating impacts does the world have to suffer before we realise this and start integrating cyber security into business strategy? Crypto algorithms and encryption has always been the foundation of the cyber security world. There have been progressive advancements in these algorithms so as to protect the confidentiality of information. The threat actors have flipped this notion on its head by encrypting information either to demand ransom or just cause devastation. So what was meant to protect confidential information is being used to deny availability of the same information. This is a dangerous trend, especially in a climate of technology innovation.
So far, the thumb rule has been that you innovate and when your mission or project is successful, you fix the risks. The notion of ‘secure by design’ was loosely implemented. However, given what we are witnessing now, ‘secure by design’ is a fundamental requirement. For example, the IT fraternity has never been able to address the issue of complete visibility of the IT landscape and ensuring that it is patched on a real-time basis. This has now become a basic hygiene and zero tolerance aspect of IT management. Organisations that have not yet invested in comprehensive cyber defence expose their businesses to risk.
While cyber threat materialises only through contact, the openness and connectedness of the internet makes contact more likely. Hence, although a large number of organisations were exposed to the ransomware, they were not impacted. Industries that are heavily regulated for cyber security controls have been far less impacted than those without strong and mature regulations. Organisations with comprehensive and robust implementation of security have been able to claim a victory, but resting on those laurels would be a mistake. They were not impacted because they have a strong patch management process, have invested in threat intelligence platforms, have built a strong cyber defence centre, have real-time query capability to review status and vulnerabilities in their IT landscape, have built advance threat/malware management capabilities to identify zero day attacks, constantly review their entry points to that network, have built some level of network segmentation and have a strong and tested incident management system.
Cyber security calls for a focused and fresh look at how to secure your business from cyber attacks.
The writer is the chief information security officer at Infosys