Ignorance, poor risk management key causes for attacks on cyber security

By Shannon Jayawardena

Ignorance and poor risk management processes are some of the key reasons why organisations are susceptible for breaches and attacks on cyber security according to experts at the Modern Data Security Seminar which was organised by the International Chamber of Commerce Sri Lanka at the Institute of the Chartered Accountants of Sri Lanka (CA Sri Lanka) early this week.

The event focused on subjects such as data worth, data exfiltration, digitalisation, major incidents of both local and globally renowned hacks, security and privacy, insider versus external threats, consequences and so forth.  

Keynote speaker, CICRA Holdings Group Director and CEO Boshan Dayaratne said: “We all know of the famous Facebook data leak that hacked personal data from over 50 million profiles. Another major breach suffered was by consumer credit reporting agency Equifax in US which saw data of 145 million accounts compromised. 

“People are stealing data more than money,” said Dayaratne who revealed that in 2006 there were 321 breaches reported and numbers rose to 953 in 2010.” Via nearly 4,000 breaches a staggering 736 million records were exposed in 2015, up from 96 million records in 2010. 

The reason for this is the fact that data can be multiplied easily unlike money, he noted. Due to this the security industry is facing serious talent and technology shortages as employees in the field do not have relevant knowledge as well. 736 million records were exposed in 2015 compared to 2006.

“It is important to know your data’s worth. Companies generate more data every day and now even the Government is going through digitalisation. This is the digital transformation and there is a lot of data being created through this transformation,” said Dayaratne.

There are three categories of data perpetrators which are external attacks which account to 57% of the total hacks, internal intentional attacks which account to 21% hacks and internal accidental which account to 22% of total hacks and breaches.

“It is your responsibility to know what is happing around you so that you don’t compromise your own data. You also have to have a balance between security and productivity and end-user awareness is very important,” stressed Dayaratne. 

According to Dayaratne, almost two third of the breaches involved traditional “on-premise” corporate networks and the balance were Cloud break-ins. 

The CICRA CEO emphasised that organisations keen to safeguard themselves from cyber attacks must effectively combine internal resources - people, processes and technology and pursue best practices on a continuous basis. 

The event also featured a panel discussion, with Dayaratne, Microsoft Sri Lanka Country Manager Hasitha Abeywardena, Cargills Bank Chief Operating Officer Rohan Muttiah and SLCERT Senior Information Security Engineer Roshan Chandraguptha serving as panellists and Daily FT Editor Nisthar Cassim functioning as the moderator.The participants shared their thoughts on how data breaches could be prevented and handled with care.

From a Microsoft perspective, Abeywardena stated: “Speaking of a regional example, the Bangladesh Central Bank was compromised and it was then that Sri Lanka got a wakeup call. Our banks have tried hard to secure themselves. There is a massive increase in cyber-attacks and the most important thing is to maintain the balance.”

“If you look at the organisation, Microsoft I would say is one of the places that is being targeted most. If you look at the big IT environment that provides services that’s what happens. Ransom is also very common, where someone comes and says I’m going to shut your system if you don’t pay me. These are the common attacks that we see today. It is said that by 2021, 60% of business in Asia Pacific will be done by digitalisation and if so we need to question the fact whether we are ready as a nation to embrace that change,” he added. 

There are three categories of data perpetrators - external attacks which amount to 57% of the total hacks, internal intentional attacks which account for 21% of hacks and internal accidental which account for 22% of total hacks and breaches.

“Banks and security go together hand-in-hand. Thirty years ago if you went to a bank, a customer would interact with a teller through bars so security threats have not decreased but increased since. Banks although moving to becoming customer friendly have to look into security more intensely,” emphasised Muttiah.

Muttiahadded: “As digital banking becomes more and more prevalent and the channel of choice for customers, the same thing applies. As a customer we are not going to put up with all these complicated passwords and various other gadgets, we want to use our mobile phones, do our businesses and move on. It’s not just transactions, we want to do more and more things. So banks need to support that and come up with better security methods.”

He focused on the fact that banks needed to come up with improved, enhanced and safer security procedures while ensuring customer friendliness. The event also stressed the importance of sharing information on data breaching as cyber security was nothing to hide or be ashamed of. 

Chandraguptha said: “We always talk about security but it really is a technical thing. We have to be careful with who we educate and give awareness to. Social attacks can be prevalent. The number of complaints have not reduced over time and you have to have technological knowledge on the matter as well.”

He also stressed the fact that over the years the number of breaches have increased causing so much data loss. This is not just a global issue but occurs daily in a Sri Lankan context as well. Through digitisation more people are on the internet hence both security and subject awareness are crucial. Data breaching has two sides to it. One is purely technical attacks such as ransom and so forth and the other is end-user ignorance.

Pix by Lasantha Kumara