On one hand, while the world is struggling with the pandemic COVID-19, another struggle is going on. Offices are now vacant and people are working from home. Employees do matter and so does the business. This is the reason behind the worldwide active adoption of ‘work from home’ culture.
However, work from home culture has its own drawbacks. Offices are secured with strong cyber security infrastructure along with a dedicated security team that monitors suspicious activities. Even after such stringent monitoring, cyber attacks still occur on organizations. One can imagine how vulnerable cyber security becomes when employees work from home.
In research conducted for the month of February and March, it was realized that there was a whopping 600% increase in cyber threats related to the COVID-19 pandemic. 40% of companies which enabled work from home policy for employees reported an increase in cyberattacks.
Employees must be provided with the knowledge to identify cyber-attacks such asawareness against phishing emails, risks associated with the use of public Wi-Fi, to ensure the security of the devices being used for work.
2. Secure medium of communication
Always use a secure medium of communication for official purposes. Make sure that security protocols such as DMARC are set in your email domain to secure it against any attempt of spoofing or abuse.
3. Deploy a phishing incident response team
In such a critical time when businesses are being hit hard, neglecting security can be an extremely dangerous situation for any organization. Every single effort matters and each form of vulnerability has to be taken into consideration. Since the majority of cyber attacks occur via emails. Therefore, a Phishing Incident Response tool is the need of the hour. A single vigilant employee can save the entire organization. A phishing incident tool empowers employees with the capability to report suspicious emails.
4. Deploy a VPN
Deploy a VPN for secure data transfer between the core system and work systems that employees are using remotely. It adds on as an additional layer of security by encrypting data while travelling.
5. VDI
Virtual desktop infrastructure (VDI) allows employees to work in a virtual environment as if they are connected to company’s local network from any place, at any time and from any device that is connected with the Internet. With VDI, data is stored on a server rather than the individual system. Not only does it significantly lower down risks to data but also, a lesser amount of bandwidth is required to store it.
6. Encourage employees to use cloud services
Encourage employees to use cloud services like doc, spreadsheet, etc. since this minimizes the risk to data as it is not stored locally.
7. Deploy an MDM solution
Deploying an MDM solution helps the organization in retaining control over business-related sensitive data. The solution allows administrators to remotely lock the devices and wipe all the data in case the device gets stolen. This prevents sensitive data from falling into the wrong hands.
Do You Want to Keep Your Organization Secure?
We are providing a 30-day free cyber health checkup for your organization. This will consist of free cyber security consultation and solutions including:
SaaS-based email authentication and anti-spoofing solution KDMARC
Cyber Threat Report of 2019: 69% of Firms Face Serious Cyber Attacks in India!
Do you know that India is in has been ranked the second position amongst the countries affected by cyber attacks between 2016-2018? According to a source, there was a 22% rise in cyber attack in India on IoT deployments. India has faced the most number of attacks in the IoT department this year. In fact, India has been consecutively facing cyber attacks, the second time in a row!
In a recent study, it was revealed that out of 15 Indian cities, Mumbai, New Delhi, and Bengaluru have faced the maximum number of cyber attacks. In the Annual Cyber Security Report by CISCO, 53% of cyber attacks caused more than $500K of financial loss to organizations in 2018.
India has faced a rise of 7.9% in data breaches since 2017. Also, the average cost per data breach record is mounting to INR 4,552 ($64). Cyber attacks in India have risen up to such an extent that our country ranks fourth out of the top 10 targeted countries in the world. In a report by India Today, Chennai experienced the highest percentile of cyber attacks with a stat of 48% in the first quarter of 2019.
No survey or warning has brought any change in the cyber security policies of companies across the nation. In spite of witnessing several cyber attacks in India, people are still not aware of lucrative cyber security solutions to prevent their organization from any other attack. Here are some recent series of cyber attacks that massively brought loss to renowned companies in India.
The 2019’s Biggest Cyber Attacks in India
Cyber criminals have adapted advanced cyber attack techniques for their targeted end-users. Various business sectors and geographical locations have faced recent cyber attacks in India.
Cosmos Bank Cyber Attack in Pune
A recent cyber attack in India in 2018 was deployed on Cosmos Bank in Pune. This daring attack shook the whole banking sector of India when hackers siphoned off Rs. 94.42 crores from Cosmos Cooperative Bank Ltd. in Pune.
Hackers hacked into the bank’s ATM server and took details of many visas and rupee debit cardholders. Money was wiped off while hacker gangs from around 28 countries immediately withdrew the amount as soon as they were informed.
ATM System Hacked
Around mid-2018, Canara bank ATM servers were targeted in a cyber attack. Almost 20 lakh rupees were wiped off from various bank accounts. A count of 50 victims was estimated and according to the sources, cyber attackers held ATM details of more than 300 users. Hackers used skimming devices to steal information from debit cardholders. Transactions made from stolen details amounted from Rs. 10,000 to Rs. 40,000.
UIDAI Aadhaar Software Hacked
2018 started with a massive data breach of personal records of 1.1 Billion Indian Aadhaar cardholders. UIDAI revealed that around 210 Indian Government websites had leaked Aadhaar details of people online.
Data leaked included Aadhaar, PAN and mobile numbers, bank account numbers, IFSC codes and mostly every personal information of all individual cardholders. If it wasn’t enough shocking, anonymous sellers were selling Aadhaar information of any person for Rs. 500 over Whatsapp. Also, one could get any person’s Aadhaar car printout by paying an extra amount of Rs.300.
Hack Attack on Indian Healthcare Websites
Indian-based healthcare websites became a victim of cyber attack recently in 2019. As stated by US-based cyber security firms, hackers broke in and invaded a leading India-based healthcare website. The hacker stole 68 lakh records of patients as well as doctors.
SIM Swap Scam
Two hackers from Navi Mumbai were arrested for transferring 4 crore rupees from numerous bank accounts in August 2018. They illegally transferred money from the bank accounts of many individuals. By fraudulently gaining SIM card information, both attackers blocked individuals’ SIM cards and with the help of fake document posts, they carried out transactions via online banking. They also tried to hack accounts of various targeted companies.
Aforesaid stats and events of the latest cyber attacks in India are the wake-up call for all those individuals and companies who are still vulnerable to cyber threats. It is very essential for organizations to implement cyber security measures and follow the below-mentioned security guidelines.
Cyber Security Measures for Organizations to Prevent Cyber Attacks
Educate employees on the emerging cyber attacks with security awareness training.
Keep all software and systems updated from time to time with the latest security patches.
Implement email authentication protocols such as DMARC, DKIM and SPF to secure your email domain from email-based cyber attacks.
Get regular Vulnerability Assessment and Penetration Testing to patch and remove the existing vulnerabilities in the network and web application.
Limit employee access to sensitive data or confidential information and limit their authority to install the software.
Use highly strong passwords for accounts and make sure to update them at long intervals.
Avoid the practice of openly password sharing at work.
Vulnerabilities are the anomalies such as programming errors or configuration issues of the system. Attackers exploit the weaknesses in the system and can, in turn, disrupt the system. If these vulnerabilities are exploited, then it can result in the compromise of confidentiality, integrity as well as the availability of resources that belong to the organization.
How Can We Detect and Prevent These Vulnerabilities?
Vulnerability assessment is the risk management process that defines, identifies, classifies, and prioritizes vulnerabilities within computer systems, applications as well as network infrastructures. This helps the organization in conducting the assessment with the required knowledge, awareness, and risk posture for understanding the cyber threats. Vulnerability assessment is conducted in two ways.
Types of Vulnerability Assessment
Automated Testing
Automated tools such as Vulnerability scanning tools scan applications to discover cyber security vulnerabilities. These include SQL injection, Command Injection, Path Traversal, and Cross-Site scripting. It is a part of Dynamic Application Security Testing that helps in finding malicious code, application backdoors as well as other threats present in the software and applications.
Manual Testing
Manual testing is based on the expertise of a pen-tester. They are the experts that dive deep into the infrastructure that will help them in finding out the vulnerabilities that cyber attackers can exploit.
Following are the types of vulnerability assessment and penetration testing:
Different Types of Manual Testing
Application Security Testing
It is the process of testing and analyzing a mobile or web application. This methodology helps pen-testers in understanding the security posture of websites and applications.
The application security testing process includes:
Password quality rules
Brute force attack testing
User authorization processes
Session cookies
SQL injection
Server Security Testing
Servers contain information including the source code of the application, configuration files, cryptographic keys as well as other important data. Pen-testers perform an in-depth analysis of the server in the server security testing. Based on this analysis, testers perform an approach to mimic real-time cyber attacks.
Infrastructure Penetration Testing
Infrastructure penetration testing is a proven method to evaluate the security of computing networks, infrastructure as well as the weakness in applications by simulating a malicious cyber attack.
Cloud Security Testing
Every organization that keeps its platforms, customer data, applications, operating systems as well as networks over the cloud; must perform cloud security testing. Cloud security is essential for assessing the security of the operating systems and applications that run on the cloud. This requires equipping cloud instances with defensive security controls and regular assessment of the ability to withstand cyber threats.
IoT Security Testing
With our increasing engagement with technology, we are becoming more advanced in incorporating technology with things that we use on a daily basis. Pen-testers are aware of the complexities and how cyber criminals exploit them.
IoT penetration and system analysis testing considers the entire ecosystem of IoT technology. It covers each segment and analyses the security of the IoT devices. The testing services include IoT mobile applications, communication, protocols, cloud APIs as well as the embedded hardware and firmware.
Which is the Better Method of Vulnerability Assessment?
Manual vulnerability assessment is better than vulnerability scanning tools since automated tools often give false results. This can seriously hamper the process of vulnerability assessment. Although automated tools make the assessment process faster and less labor-intensive, the tools are not capable of identifying vulnerabilities.
This can be far better done by observant pen testers who use systematic technology with years of experience. Manual vulnerability assessment requires time but, it is far more effective and accurate than vulnerability scanning tools. The reason behind preferring manual assessment is the lack of an in-depth understanding of the system to discover vulnerabilities. Therefore, it is always better to consult a leading cyber security company for investing in VAPT services that can help you strengthen your organization’s security infrastructure.
In the IT world, phishing is not a vague term. For those wondering “what is phishing?” it is an online identity theft. This cyber-attack is carried out by sending spoofed emails in the name of trusted sources like a bank or legitimate companies. Furthermore, the aim of this corrupt practice is to obtain credentials and financial information of the users. But with the rate of rapidly increasing phishing attacks, proper defense against phishing has to be taken.
In the cyber world, phishing attacks have risen up to 65% as compared to the past year. The level of phishing attacks has advanced so well that even top-notch companies have become phishing scam targets.
In order to secure data from any further exploitation, anti-phishing solutions have been introduced lately for defense against phishing. But before taking any step, you must know how to find a phishing email so that you are saved from phisher’s hook.
How Can You Identify A Phishing Email?
Phishers aim user’s inbox for phishing attack by sending various forms of email that convinces a user to:
Click on a link
Enter credentials like username, passwords, etc. on a legitimate-looking website
Install application or software on your device
Open a doc file or many other tricks to lure users
The motive of sending such emails is to trick users to download malware on their devices. By doing this, the attacker would have the ease of remotely controlling the user’s device so as to steal all the important data.
To avoid such attacks, you can follow tips that will help you to protect against phishing attacks.
Guidelines for Best Defense Against Phishing
Updated software and OS:
Always keep the version of your operating system up to date so as to avoid any sort of malware attack for the best phishing protection. Outdated software or operating system hold way too many bugs and hence become an easy target of phishing attacks.
Avoid Password Auto-Fill Service:
Phishers are experts in using platforms to attempt a phishing attack, so it is better to skip a “save password” option if it pops up on any website. This step will help in keeping your information secure from hackers.
Two-Factor Authentication:
It is better to adopt the latest technologies for security purposes if it comes from the right sources. Two-factor authentication is a widely used technique to secure data and financial information from unauthorized access.
Use Google Drive for Suspicious Documents:
In case you find any document sent from an unknown sender or receive a dubious-looking file, ensure to upload it on Google Drive. This would turn document into image or HTML, which in turn would avoid the installation of malware on your device.
What can be the cruelest but most effective way to test your employees if they are aware of the risks and preventions of a phishing attack? Godaddy, the world’s largest domain registrar and web-hosting company, simulated a phishing test for employees to increase alertness levels against phishing attacks.
On December 14, an email tucked underneath the snowflake banner with the words “GoDaddy HOLIDAY PARTY” from “Happyholiday@Godaddy.com” was sent to hundreds of Godaddy employees offering a holiday bonus. The message in the email said, “2020 has been a record for GoDaddy, thanks to you!”
“Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!” it further added.
To ensure that the recipients receive the bonus, they were asked to fill in the personal details by December 18. But instead of receiving the bonus, two days later, almost 500 employees received an email from the company’s Chief Security Officer, Demetrius Comes.
Though many criticized the bonus offer in GoDaddy’s test as insensitive, companies do organize phishing simulation tests to educate employees on cybersecurity.
GoDaddy is not the first company this year to provide phishing email awareness for employees. Earlier this year, Tribune Publishing, a giant newspaper company in America, sent out a similar phishing email to the employees.
The email circulated by several employees on Twitter said the company was providing targeted bonuses between $5,000 to $10,000. Only to find out later that it was a phishing test sent from the company.
Why Should Organizations Run ‘Employee Phishing Test’?
Imagine the consequences, if GoDaddy’s phishing test was not a test but a real phishing attack from a hacker! Roughly 500 employees failed the test, so, almost 500 of them would have submitted their personal information to hackers. This could have led to a complete disaster for the company.
Providing this kind of real scenario phishing attacks helps employees understand what the falsified email might look like. And how it can trick them into falling for the scam by offering some incentive or creating a sense of urgency. The test helps the employees in recognizing phishing emails as well as to avoid and report it.
According to phishing statistics 2020, 97% of the users are unable to recognize a sophisticated phishing email. This is probably why phishing attacks, Business Email Compromise (BEC) attacks and other email-based attacks are rapidly increasing every passing year. In fact, BEC attacks yielded the most profit for cybercriminals in 2020!
How to Detect Phishing Attacks?
Phishing attacks today have evolved and become more sophisticated than ever before. These attacks are becoming increasingly difficult to differentiate between a legitimate email and a fake email. But here are a few ways that your organization can follow to detect phishing attacks and protect your organization and the employees against phishing attacks:
Email domain name
It is advisable to always check the name, email address and make sure no alterations (additional letters or numbers) have been made in the email domain or the email address. For example, a legitimate email address might be john@business.com but an altered email address can be john@busineess.com or john@busiiness.com. If you are receiving an email from an unknown organization then you can also check the organization’s domain name by writing the company’s name in a search engine like google.
Sensitive information and sense of urgency
A legitimate company or any government agency would never ask you to send your sensitive information over email. So, if an organization is asking you to send your credentials or personal information like username or password through email, it is recommended to not send it and get the mail verified personally. Moreover, most of the time scammers create a sense of urgency. Just because if there is not much time left then you don’t have enough time to think or cross-check. But you do not want to be in a hurry when it comes to losing your personal information.
Poor spellings and grammatical errors
You can often spot a phishing email if it contains poor spelling and grammar errors in the message. Legitimate companies have qualified and trained employees to write emails and the emails are double-checked before the emails are sent out to their staff or clients. So, if a message has poor spelling or grammar errors, it’s always better to cross-check if the email is from a legitimate company.
Too good to be true or designed to make you panic
It is common for phishing emails to offer a coupon for free stuff or to instill panic. The email message will either be offering some rewards which you were not expecting or will create panic by claiming that your account is compromised. To receive the reward or to secure your compromised account, you will need to verify you are the legitimate person by either giving out your credentials or by entering your login details. The common goal of both messages is to get your credentials or personal information.
Suspicious links or attachments
Phishing emails come in many different forms but no matter how the email is delivered to you, it always comes with a gateway. It can either be a link to redirect you to a bogus website or an attachment that you are asked to download. No legit companies will randomly send you links or attachments and if they want you to download something then it will be from the official website.
How to Prevent Phishing Attacks?
Your email spam filters might help you keep away numbers of phishing emails from landing into your inox but malicious actors are constantly finding ways to outsmart spam filters. So, it is highly recommended to add extra layers of protection against phishing attacks. Here are some precautious steps your organization can implement:
Protect the devices by keeping the software up to date with the latest security updates and patches.
Enforce strong password policy, passwords that are not easily guessed and avoid sharing passwords to elude the risks of password sharing at work.
Add an extra layer of security for the password with multi-factor authentication.
Encourage your employees to report suspicious emails with tools like Threat Alert Button.
Routine backup the confidential or important data in an external hard drive or cloud storage and also encrypt all sensitive company information.
There are multiple steps your organization can take to prevent email phishing attacks, however, it is important that your employees recognize the phishing emails.
Your organization must get a regular VAPT service in order to identify cybersecurity vulnerabilities and threats. It is a must to implement tools like KDMARC to prevent your email domain against domain forgery and protect your brand.
These services and tools help your organization in safeguarding against cyberattacks and it is highly recommended that you continue. But all it takes is one untrained employee to be tricked by a phishing attack to give away all the information.
The most effective way to educate employees is to provide cybersecurity training with tools to make them aware of the latest cyberattacks including phishing. It will not only provide them with the knowledge of most of the common cyberattacks happening worldwide but will also help them to avoid them.
You can also provide security awareness email samples and phishing awareness emails to employees. It can be done regularly or periodically but to remind them of how it looks and what they should look out for.
Making sure your organization and the employees strictly follow the cybersecurity protocols is the best way. In fact, it is the best possible way out to protect your organization against cyber threats.
“You can fool some of the people all of the time, and all of the people some of the time, but you cannot fool all of the people all of the time.” – Abraham Lincoln
The malicious actors have succeeded in fooling the employees to give out personal information. They have even succeeded in jeopardizing an organization’s network and IT infrastructure. But it’s up to you if these threats shouldn’t harm your organization in the present or in the future by taking the right steps!
It takes decade building a trusted brand that is vibrant and customer engaging. As a trusted online brand, your customers expect you to secure their private information and go over-and-beyond in defending them from becoming targets of cyber crooks.
In this era of a developing digital age, brand owners are at a huge risk of falling victim to a multitude of online threats. It takes only a mere moment of negligence and online fraud to leave a brand devastated from its reputation.
If this wasn’t obvious enough, the internet has already become a new arena for brand-related crimes such as identity thefts, virtual crimes, and data hacks. Over 150 brands are hijacked because of phishing attacks, every month. Cybersquatting crimes alone cost over $1 million annually to the brand companies.
Building and maintaining social media accounts, websites, and email campaigns for targeting prospects and clients is highly important to promote a business and a brand on an online platform. These things are highly essential, but they also make brands vulnerable and open to the prevailing cyberattacks.
There are miscellaneous ways to fall victim to unethical online practices and tools that not only affect the brand image but the entire organization. Online brand abuse, brand counterfeiting, cybersquatting, and cyber threat activities are needed to be combated with the right investigation and proper brand monitoring tool to prevent the loss of revenue, secure brand reputation and maintain customer trust.
Time for Online Brand Protection
With innovation and advancement in technologies, there should be proper strategies for domain and brand protection online. Every organization should be vigilant towards the online security of its brand and must make sure that their brand is not being used as a vehicle of impersonation and fraudulent messages.
Cyber fraud comes in an ever-evolving array of various forms. From phishing websites, brand impersonation to identity theft, many comprehensive cybercrimes can cause serious financial loss to an organization.
Brand protection online is critical and it goes beyond setting up firewalls or antivirus software. It requires having employees who are aware of the existing cybersecurity threats and are proactive towards the impending cyberattacks. Along with that, it includes the proactive scanning of public domains and Dark Web servers to identify any evidence of brand counterfeiting.
The main role of online brand protection is to find and shut down fake social media profiles or websites that use your company’s logo or message people in your brand name to steal login credentials and access to your secure networks.
Top 3 Online Brand Protection Solutions
With the help of the right tools in the right place, protect your brand online along with your digital assets against brand infringements. Here are some simple tips and brand protection solutions that an organization must implement and follow:
Website SSL
Website Secure Sockets Layer (SSL) is a security standard that creates an encrypted link between the web server and browser or a mail server and mail client. With website SSL, customers can more easily determine whether they have landed on your legitimate and official website or not. Websites that hold private data must have this implemented so that customers are aware of the information that is processed through that site is encrypted and authenticated.
Brand Monitoring
Make sure that no negative publicity of your brand is existing on the web and is not leaving a wrong impact on your customers. Proactive brand monitoring on the web is a smart way to identify and check the fraudulent cyber activities taking place against your brand.
Take Down of Phishing Websites
According to Webroot, around 1.5 million phishing websites are created every month. Brands on an online platform need to stay protected from cyber fraudulent activities like brand infringement and phishing websites/mobile applications.
Whether exchanging emails across networks or dumping them in your spam folder, a huge amount of data is sent, received and stored. You may not realize but there are high chances that an unsecured email might have landed in your inbox which can act as a source of data exploitation. Now you wouldn’t want that, would you? That’s why email security is very essential for our daily routine in order to keep a check if any malicious email is accessing our inbox or not. The cybersecurity professionals working in every industry vertical must stay updated with the prevailing attacks possible through emails.
According to ComputerWeekly.com, 82% of organizations claimed to have faced email-based cybersecurity threats in 2018. Whereas, ransomware seems to be the biggest cyber threat in the coming year. The reason being, ransomware attacks that encrypt critical business files and demand for ransom in return are often sent to individuals working in organizations by emails only!
These eye-opening facts call for proper email protection solutions that are needed to be implemented in every organization as a defensive system against invading cyber threats. As far as cybersecurity is concerned, the best solution is using email security tools that incorporate a wide range of security techniques that email accounts and services have. Proceed further for the top 5 email security practices that can benefit your organization from email-based cyber risks.
The 4 Types of Email Security Practices
Never click the “unsubscribe” link in spam emails:
At times, certain emails manage to surpass the spam filter and land in your inbox. For instance, you come across one such certain email and on opening it, you discover that it looks like a phishing email. What would be your first instinct? In any normal situation, users tend to unsubscribe suspicious-looking emails but that is not actually safe!
Hackers are good manipulators and they use such links to fool people into clicking attachment which redirects the targeted users to a phishing site. Apart from that, these links also provide hackers with a back door for access into your system.
Avoid Public WiFi:
Never access emails from a public WiFi because they are less secure and hackers choose public WiFi to steal information by passing through a weak network. Cybercriminals require nothing but a laptop and basic software to hack into public WiFi networks and monitor all the traffic. Accessing emails via unsecured public networks can lead to misuse of user’s credentials and a huge loss of sensitive data. This could also result in further intended targeted cyberattacks that are down the line.
Email Encryption:
Disguising and encrypting email content potentially protects the sensitive data that is sent and received, from being read by anyone except the intended recipient. With email encryption, you can secure your emails over untrusted networks from eavesdroppers or any third person trying to invade in between the email exchange. This security strategy reduces the chance of disclosure of information as well as alter of message content.
Employee Education:
Limit the chances of cyber risks in your organization by providing employees with cybersecurity awareness training tools. Along with the implementation of policies and email security tools to prevent cyber threat postures, it is essential to encourage employees to become proactive in combating attack vectors like ransomware, phishing emails, and cyber scams. Security awareness tools is an AI/ML-based security attack simulation tool that assesses the real-time threat posture of an organization. With the unlimited number of attack campaigns and automated training campaigns, this product builds cyber awareness among the employees in an organization and creates a resilient working environment.
Implementing and working on the above-mentioned email protection solutions will not only keep your data safe but will also be beneficial in the long term. In order to protect your business, it is important to make sure that all your employees are empowered to make email based decisions and are protected from data thefts.
Hackers are everywhere nowadays and they won’t stop holding back from discovering vulnerabilities and exploiting your data. Secure your organization now with a robust email security tool in order to reduce the chances of becoming a victim of the prevailing cyber threats.
Every year, the industry of cybersecurity in India faces new challenges and responsibilities to safeguard the growing online data and the digital economy. Did you know the digital economy currently comprises 14-15% of the total economy of India? While with more than 120 recognized ‘data centers’ and clouds in India, the digital economy is targeted to reach 20% by the year 2024!
Moreover, the incorporation of artificial intelligence (AI), machine learning (ML), Internet of Things (IoT), cloud computing and data analytics, has again become a huge challenge for the cyberspace as apart from becoming a more complex domain, it is giving rise to technical issues and the anticipated cyber risks.
However, with the development and introduction of advanced technologies in the market, India is yet to face and tackle new problems in the domain of cybersecurity. This disruptive innovation has brought India to crossroads with a complex network of modern enigmas and unprecedented harm.
Below mentioned are some of the major cybersecurity challenges that our nation is facing:
Email-based and internet-facing applications still remain to be among the top threat vectors.
With people depending more and more on the cloud infrastructure and solutions, human error continues to be the primary source of misconfigurations and vulnerabilities.
In the research analysis of 50,000 emails, a significant increase in the conversation hijacking attacks by 400% between July and November 2019 was experienced. Therefore, this still continues to be a major cyberrisk.
Growing online transactions seems to have generated considerable incentives for cybercriminals.
Phishing and unethical cyber practices have grown a hundredfold in the past few years, making it easier for even non-technical perform hacking.
Cloud, 5G and IoT devices have evolved as among the biggest cybersecurity threats of 2020.
The New Cybersecurity Approach for 2020
Back in late 2019, India was at the target of two cyberattacks in the same month. Moreover, the malware attacks at the Indian Space Research Organization (ISRO) and Kudankulam Nuclear Power Plant were believed to have happened due to phishing attempts on employees. After experiencing these devastating cyber risks, India is all set to fill the security gaps with the new Cybersecurity Strategy 2020!
With the vision of creating a “cyber-secure nation” for businesses as well as individuals, the Indian government is ready to release the cybersecurity strategy policy in January 2020 with an aim to achieve the target of $5 trillion economy.
Meanwhile, on the other hand, the IT Secretary Ajay Prakash Sawhney has stated that our country holds an estimated amount of USD 1.9 billion in cybersecurity service enterprises and USD 450 million of cybersecurity products from India. Along with the presence of multinational and Indian entities, engaging in R&D cybersecurity, all in total currently amounts to USD 5 billion worth cybersecurity ecosystem in India. (source: The Economics Time)
The cybersecurity companies in India have come up with innovative and leading technology-based products and services to reduce the prevailing cyber threat postures in organizations across the nation. As a contribution to creating a “cyber-secure nation”, these companies are effortlessly providing the best defensive tools and VAPT services for all the industry vectors.
Our country is fully inclined towards the path of sustainable development but to achieve that, we have to combat various hurdles such as patching up of the existing vulnerabilities in the cyber world. And this can only happen with the proper formation of critical IT infrastructure and consistent partnership between the public and private sectors working as key aspects for a cybersecurity framework.
It is vital to be visionary and recognize the upcoming challenges from the future in order to be fully prepared and preventing our organizations from becoming another cyberattack’s victims. We don’t have to match the worldwide standards in security when we are capable enough of setting up the highest standards in the world!
The investigation bureau FBI has issued an alert warning to internet users that “HTTPS” and a padlock icon in the address bar might not be enough to prove if a website is authentic or not. It has been observed that cyber-criminals are increasingly abusing the trust in TLS-secured websites for improving the success rate of phishing attacks.
“They [phishing attackers] are more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims’ emails that imitate trustworthy companies or email contacts.”
In 2016, a report by the Ponemon institute revealed that nearly half of all the cyber-attacks used SSL encryption to evade detection within the period of last 12 months. Two-thirds of the organizations admitted that their organization was not prepared to detect malicious SSL traffic.
For many years, there has been a push toward adopting the HTTPS protocol on the web since it ensures a secured communication between the website and user’s browser.
Most of the browsers mark websites that use HTTPS with a padlock icon which indicates that the browser traffic is encrypted, and attackers cannot access the data in the transit. These websites also display warnings in case the user accesses a non-secured website.
With the advancement in the security measures, attackers have also started adopting HTTPS protocol to deploy sophisticated phishing attacks since the use of this secured protocol allows attackers to psychologically trick the victim into believing that the malicious emails or links that they received in their inboxes are coming from authentic sources.
They are designed with the motive to acquire sensitive login details or other information by redirecting victims to malicious websites that looks secure due to the padlock icon. However, only connection to these websites is secure and the HTTPS protocol is unable to authenticate the content on the website.
What is the reason behind the increasing use of HTTPS?
To deploy a successful cyber-attack, cyber criminals leverage the latest technology. With the number of websites that use SSL encryption, cyber attackers have started encrypting the phishing websites, making it harder for IT administrators to identify the difference between bad and good traffic. Attackers are increasingly using SSL to encrypt the communication between the compromised endpoint and command-and-control systems to hide payloads, instructions as well as other information that is being sent.
As an increasing number of attacks are using HTTPS to avoid the scrutiny by the traditional methods of cyber security, organizations should take steps to ensure that they are protected against bad traffic.
What is the solution?
Lack of awareness among employees is one of the major reasons for the success of such attacks. In recent years, attackers have shifted their focus from individuals to employees. Statistically, 90% of the cyber-attacks are a result of employee negligence. During the year 2018, there has been a 76% increase in the number of phishing attacks. 54% of the companies had experienced cyber-attacks that compromised with their IT infrastructure and data. According to a survey conducted by McAfee on 19,000 people, 97% of the people were unable to identify such cyber attacks.
This is where the cyber security awareness and training tool comes in handy. The tool helps in creating awareness among employees to combat real-life cyber-attacks. With the power of reporting tool TAB, employees become capable to protect the entire organization against probable cyber-attacks.
Every day the number of reported cyber-crimes are increasing. It is, therefore, important for organizations to invest in cyber security awareness and training programs which should be continuous and must be followed with the regular assessment of the employees’ knowledge on cyber-attacks.
Since the last decade, cyber attackers have especially affected businesses that depend on computerized technology for conducting their daily business. Cyber crime is a significant threat to all businesses regardless of their sizes. Therefore, it is important to invest in cyber security in banking for protecting your business and data against malicious cyber criminals and hackers. It is important to build cyber resilience.
Cyber security in banking is of great importance. Since 2010, Indian banks have rapidly adopted newer technologies and digital channels while keeping up with the underlying objective of increasing revenues and footprints. 83% of CISOs agree on the increase in cyber attacks on banks since 2018.
Why is Cyber Security in Banking Important?
Since 2019, several banking institutions have been targeted by cyber attackers. Some of them include:
OTP Bank Data Leak
Database that was dated back to 2013 consisting of the personal data of approximately 800,000 clients including names, addresses, phone numbers, approved credit limit, work notes on client’s contract was made publicly available with. The database allegedly belonged to OTP Bank. According to the bank, there was no evidence on information leakage recorded in our bank, and the origin of this database remained unknown to the bank.
HCF Bank Data Leak
A database consisting of the data of the HCF bank customers was available on the internet with the personal information of the bank’s 24,400 customers. The database included customers’ names, phone numbers, passport details, addresses as well as the credit limit.
Alfa Bank Data Leak
Two databases belonging to Alfa Bank were found lying on the internet. The first database was dated back to 2014-15 and held the personal data of more than 55,000 customers. The database included customers’ names, their contact information, addresses as well as their place of work. It was speculated that these databases might have leaked during 2014 when the IT staff of the bank was going through mass layoffs.
Banks must be on their guard more than any other business since they are the custodian of money, which is the most valuable resource in the present times. In the case of a successfully deployed cyber attack, the results will be the most devastating. Since the foundation of banking lies in trust and credibility with the customers, it is very important to ensure cyber security in the banking sector.
The following are a few reasons why cyber security in banking is important and why should it matter to you.
The wave of digitalization: These days, the government is emphasizing ongoing digital. This means an increase in the population that is using digital money such as plastic cards and is going cashless. Therefore, it becomes important to employ precautionary measures that ensure cyber security for protecting your data and privacy.
Data breach leads to a breach of trust:Data breaches make it difficult for the customers to trust financial institutions. For banks, it is a serious problem since a weak cyber security system can lead to data breaches.
Financial Loss: When a bank suffers from a cyber attack, not only the bank but also, its customers suffer from financial loss. Recovering from this loss can be time-consuming. It will involve canceling cards, checking statements as well as confirming other minute details.
Your data is no longer yours: cyber security is extremely important when the attackers Once the attackers get a hold on your private data; it can be misused in any manner. Your data is sensitive and could reveal a lot of information about what might be leveraged by attackers.
How to Enhance Cyber Security in the Banking Sector?
Bank regulators should be allowed to examine third-party vendors that many credit unions are using these days for technology services.
Data breaches and cyber security incidents require a rapid response to mitigating the impact. Employ proactive measures to evade such cyber threats.
With security attack simulator and awareness tools, bank employees can learn about various forms of cyber attacks. This is ensured with the help of the tools four-step cycle. This includes simulated attack, knowledge imparting, an assessment which is followed by another simulated attack.