Lately, the world has seen a slew of cyber-attacks and frauds across industries, and in the banking and financial industry in particular. Today, cyber-crime is perhaps the most dangerous weapon of mass destruction. According to the cyber security company McAfee, the cost of cyber-crime was $600 billion last year. The top management of companies realizes that cyber security needs to be prioritized alongside the business. At the same time, businesses expect that the initiatives taken to fend off attacks are not counterproductive and do not hurt agility. Muqbil Ahmar, Executive Editor, DynamicCISO.com, speaks with Delzad P Mirza, Head – Information Security & Compliance, Tata Technologies.
“The cyber threat landscape is changing drastically. Every day there is something new. Look at the latest Memcached attack – a 1.7 Tbps DDoS attack. Who would have expected that the largest DDoS attack would happen? The past year was full of ransomware attacks – the top 3 that come to my mind are WannaCry, NotPetya and BadRabbit. From this point onwards, things are only going to get worse. With all the privacy concerns coming in and with the way people handle data, there will have to be drastic changes in the way professionals look at cyber security. They are currently playing catch-up. It will have to be the opposite now. We will need to be ahead of the bad guys,” says Delzad emphatically.
The billion-dollar question is how CISOs can address this perceived lack of awareness and inculcate industry best practices, so that threats do not slip through. One of the main things every CISO needs to focus on is raising the awareness of their employees as well as their customers.
“At Tata Technologies, we take the issue of creating awareness very seriously. We try to do it differently. We try to gamify awareness,” said Delzad. “One of the most recent things we did was run a phishing campaign and drill. The InfoSec team crafted a devious message with an authoritative tone (the message claimed to have been sent out by the InfoSec team, said that there was something wrong with the user's credentials, and told them they would need to validate their identity by clicking on a link in the email) and sent it out to 500 key users globally within the organization. Of course, the message had some key indicators that it was a phishing email, such as spelling & grammatical mistakes and fake domain links, which could be discovered once a user hovered his/her mouse over the link.”
The Tata Technologies CISO also added, “The scope included employees from various departments across the organization globally and, of course, the HR and Finance functions. Why? Well, look at any phishing attack today: they won't just target anyone, they will target people who make decisions, who are in charge of data, financial transactions, human resource data, etc. We set up the fake domain and the server on the cloud and sent the phishing message across. The end results will give me an insight into where my weak links in the organization are and where I'd need to put more focus from an awareness perspective. All the users who clicked on the link will have to undergo the phishing training and assessment on our LMS portal. The statistics will be shared with the senior leadership. This is just the beginning; the next couple of phishing drills are not going to be that easy. It shouldn't be easy: the bad guys are not resting, so why should the good guys relax? We've already drafted sample mailers that will be sent out when the users least expect it.”
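The drill described above has three mechanical parts: a message whose visible link text differs from its real target, a landing server on a domain the company does not own, and a way to turn the server's logs into a list of users who need training plus statistics per department. The following is an added example of that plumbing written for this page; it is not Tata Technologies' tooling and nothing in the interview describes their implementation. The domains, recipients, campaign secret and log lines are all constructed for the example. Per-recipient tracking tokens are derived with an HMAC so that a click is attributed to exactly one user and a token cannot be guessed or forged for a colleague, and a request carrying an unknown token (a mail scanner, a forwarded message) is counted separately rather than blamed on anyone.

```python
import hashlib
import hmac
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Campaign settings (assumptions for this example, not a real deployment).
# The landing domain deliberately misspells the company name: the kind of
# indicator a user only notices when hovering over the link.
CAMPAIGN_SECRET = b"rotate-this-secret-for-every-campaign"   # assumption: one secret per drill
LANDING_DOMAIN = "tata-technolgies-login.example"             # lookalike, the real href target
DISPLAY_DOMAIN = "intranet.tatatechnologies.example"          # what the visible link text shows


def tracking_token(user_id: str) -> str:
    """Per-recipient token derived with HMAC-SHA256 under the campaign secret,
    so a click maps to exactly one user and tokens cannot be forged."""
    return hmac.new(CAMPAIGN_SECRET, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_email(user_id: str, name: str) -> dict:
    """Craft the drill message: authoritative tone, deliberate spelling mistakes,
    and a link whose visible text differs from its real target."""
    real_url = f"https://{LANDING_DOMAIN}/validate?t={tracking_token(user_id)}"
    html = (
        f"<p>Dear {name},</p>"
        "<p>The InfoSec team has detected an anomally with your credentails. "
        "You must validate your identity within 24 hours or your acount will be suspended.</p>"
        f'<p><a href="{real_url}">https://{DISPLAY_DOMAIN}/validate</a></p>'
    )
    return {"to": user_id, "subject": "Action Required: Validate Your Identity", "html": html}


# Constructed recipient list: (user id, display name, department).
RECIPIENTS = [
    ("alice@corp.example", "Alice", "Finance"),
    ("bob@corp.example", "Bob", "HR"),
    ("carol@corp.example", "Carol", "Engineering"),
    ("dave@corp.example", "Dave", "Finance"),
]


def sample_click_log() -> str:
    """Constructed access-log lines from the landing server: Alice clicks twice,
    Dave once, and one request carries a token that belongs to nobody."""
    a, d = tracking_token("alice@corp.example"), tracking_token("dave@corp.example")
    return "\n".join([
        f'203.0.113.5 - - [12/Mar/2018:10:02:11 +0000] "GET /validate?t={a} HTTP/1.1" 200 512',
        '203.0.113.9 - - [12/Mar/2018:10:05:40 +0000] "GET /validate?t=0000000000000000 HTTP/1.1" 200 512',
        f'198.51.100.7 - - [12/Mar/2018:10:07:02 +0000] "GET /validate?t={d} HTTP/1.1" 200 512',
        f'203.0.113.5 - - [12/Mar/2018:10:09:55 +0000] "GET /validate?t={a} HTTP/1.1" 200 512',
    ])


REQUEST_RE = re.compile(r'"GET (/validate\?[^ "]*) ')


def analyse_clicks(log_text: str, recipients) -> dict:
    """Turn raw clicks into what the CISO wants: who needs the LMS training,
    the click rate per department, and hits that match no recipient."""
    by_token = {tracking_token(uid): (uid, dept) for uid, _, dept in recipients}
    clicked = {}        # user id -> department; a user counts once however often they click
    unattributed = 0
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        token = parse_qs(urlparse(m.group(1)).query).get("t", [""])[0]
        if token in by_token:
            uid, dept = by_token[token]
            clicked[uid] = dept
        else:
            unattributed += 1   # scanner, forwarded mail or guessed token: blame nobody
    sent = Counter(dept for _, _, dept in recipients)
    hits = Counter(clicked.values())
    by_dept = {dept: {"sent": n, "clicked": hits[dept], "rate": hits[dept] / n}
               for dept, n in sent.items()}
    return {"needs_training": sorted(clicked), "by_department": by_dept, "unattributed": unattributed}


if __name__ == "__main__":
    for uid, name, _ in RECIPIENTS:
        print(build_email(uid, name)["subject"], "->", uid)
    print(analyse_clicks(sample_click_log(), RECIPIENTS))
```

The per-department rate is what goes to leadership; the `needs_training` list is what feeds the LMS enrolment. Counting a user once regardless of repeat clicks keeps the rate honest, and keeping unattributed hits out of both numbers avoids enrolling someone because a mail gateway fetched their link.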
He further emphasized, “Awareness of employees is critical: people don't know where their assets are, they don't know whether systems have been patched or not, etc. Thus, they always end up trying to catch up; this means they are not proactive. They will have to anticipate and prepare. In all this, threat intelligence & incident response is critical. A lot of appropriate response depends on how you correlate the right data in your environment. The critical element here is ‘right’. Often, a lot of data gets lost in translation, as a huge amount gets generated through logs. Cyber security professionals need to keep tabs not only on high or medium logs, but also on the low ones, as the low ones may culminate into something larger and you won't know what hit you when it actually does hit you.”
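The last point, that low-severity events add up to something larger, is exactly what correlation rules exist for. The following is an added example written for this page, not code from the interview or from Tata Technologies: it parses a constructed authentication log in which every single line is low severity (one failed login, one successful login) and raises a single high-severity alert only when one source succeeds after at least five failures inside a ten-minute window. The log format, field names, threshold and window are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log. Every line is "low" on its own; the pattern
# only appears when the low-severity events from one source are correlated
# over time. The last line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2018-03-12T09:00:01Z severity=low event=auth_fail src=203.0.113.7 user=jsmith
2018-03-12T09:00:06Z severity=low event=auth_fail src=203.0.113.7 user=jsmith
2018-03-12T09:00:11Z severity=low event=auth_fail src=203.0.113.7 user=jsmith
2018-03-12T09:00:16Z severity=low event=auth_fail src=203.0.113.7 user=jsmith
2018-03-12T09:00:21Z severity=low event=auth_fail src=203.0.113.7 user=jsmith
2018-03-12T09:00:26Z severity=low event=auth_fail src=203.0.113.7 user=jsmith
2018-03-12T09:00:45Z severity=low event=auth_ok src=203.0.113.7 user=jsmith
2018-03-12T09:10:00Z severity=low event=auth_fail src=198.51.100.3 user=admin
2018-03-12T11:30:00Z severity=low event=auth_ok src=198.51.100.3 user=admin
this line is not in the expected format and is skipped
"""

# Assumed line layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) severity=(?P<sev>\w+) event=(?P<event>\w+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse the log into dicts with a real datetime, oldest first.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=timedelta(minutes=10), threshold=5) -> list:
    """Raise one HIGH alert when a source logs in successfully after at least
    `threshold` failures inside `window`. Each event on its own stays low."""
    recent_fails = defaultdict(deque)   # src -> failure timestamps still inside the window
    alerts = []
    for e in events:
        q = recent_fails[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()                  # expire failures older than the window
        if e["event"] == "auth_fail":
            q.append(e["ts"])
        elif e["event"] == "auth_ok" and len(q) >= threshold:
            alerts.append({
                "severity": "high",
                "rule": "password guessing followed by a successful login",
                "src": e["src"],
                "user": e["user"],
                "failures_in_window": len(q),
                "at": e["ts"].isoformat(),
            })
            q.clear()                    # one alert per burst, not one per later login
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second source (198.51.100.3) fails once and succeeds two hours later, which is ordinary user behaviour and produces nothing. The first source produces one alert carrying the count of failures that preceded the success, which is the context an incident responder needs and which none of the individual low-severity lines could have given.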
Cyber security is crucial today and is one of the top risks for organizations. In such a situation, CISOs will have to lead the way in being proactive about security, as Delzad P Mirza of Tata Technologies says. They will have to be the bedrock for their organizations and successfully fend off threats and challenges.