By Kanishk Gaur
The pandemic has changed the way businesses run, and the world is gravitating towards a new normal. Social distancing, minimising physical touchpoints, and the movement of customers from offline to online channels are the reality businesses must now live with. Offline businesses taking the help of online aggregators to survive is also the new norm, which has led to a sudden wave of digital availability of many business products and services.
However, this has also increased the attack surface for online businesses, with new categories and catalogues getting added. Due to increased product categories, and to fulfil customer demand, thousands of new pieces of code get added to e-commerce, banking, e-retail and e-trading applications. Security by design gets left out in the name of speed, agility, growth and customer fulfilment.
While most online businesses use third parties to develop applications and to host and manage infrastructure, code written by developers is not held to coding best practices with high security standards. This leads to multiple security weaknesses, which are exploited by organised hacktivists and script kiddies.
Organisations that use traditional coding practices and do not move to Kubernetes for deployment often face issues of speed, timelines and release management. DevSecOps is another way through which an organisation can identify and correct vulnerable code, through increased automation and collaboration between teams, which will ensure robust security protocols.
However, most of these practices are often ignored, and when organisations are caught in a bind by a sophisticated cyberattack, the worst mistake they make is to deny the breach.
During the pandemic, data from multiple Indian organisations and government agencies has been exfiltrated by organised hacking groups. Organised hacking groups and individual hacktivists then sell this data on the dark web, transacting using cryptocurrencies.
The health record data of 120 million Indian consumers, comprising discharge summaries, consultation papers, x-ray scans and CT scans, is available for sale on the dark web. The source of the leak is unknown; however, since most appointments, consultations and prescriptions are now available online for multiple hospitals, the most likely source of this data is a large hospital chain.
E-retailers have been a major target of hacktivists during the pandemic and the resultant lockdown. Data of multiple e-retail companies breached during the lockdown is in heavy demand on these channels. One such company, which has long denied a breach while hacktivists claim to have its data, is LimeRoad. The authenticity and credibility of this data, however, can only be verified post-purchase by running proper verification and investigation.
Other leaks include a database of 3.5 million unique email addresses and personal information of customers of delivery start-up Dunzo. Another database available for sale on the dark web contains the details of bank accounts of Indian dealers, including their personal identifiers and complete transaction details.
A strategy adopted by hacktivists today is to make some part of the hacked data public on the dark web and then seek a bounty for the entire database. An analysis done by a leading cybersecurity think tank reveals that 23% of data available on the dark web is available to download, while around 69.2% of data is available as bounty.
With no data protection law currently existing in India and a weak Indian IT Act, most companies end up denying breaches publicly. Many companies also hire cyber investigation and cyber law firms to prepare a response for auditors and investors and to issue public statements.
However, media and public statements that deny breaches and do not reveal what the company has done to improve its security posture have a long-term impact on the company's growth. Responsible disclosure of a data breach and of the mitigation strategy followed by the organisation seems to have a positive impact on the stocks of listed companies.
The JP Morgan Chase breach in 2014, for instance, is an example where a data breach didn't impact stock growth negatively. In fact, its stock prices soared because the company offered a mitigation strategy and disclosure of a complete investigation into the breach.
Digital start-ups today live with the fear of investor backlash. Start-up leaders feel that investors who have put money in the company may jump ship, and that this could also impact upcoming rounds of investment. It can also have a negative impact on company valuation and M&A activity.
The bigger issue is that these start-ups don't discuss cyber-security strategy and mitigation strategy with investors during a fundraise and offer third-party reports stating “All is well”.
With the world moving to more digital transactions and offline businesses relying on online channels, assuming all is well and revealing little to investors about the cybersecurity risks an online business could face in a hyper-competitive market is a risk many start-up founders have decided to live with.
Hence, many venture capital and private equity investors have started appointing cyber experts to carry out cyber risk assessments as part of the due diligence process.
Disclaimer: Data on Indian breaches was sourced from the dark web. The information has not been verified by India Future Foundation.
The author is founder, India Future Foundation