India has a talented workforce and access to all the tools to safeguard its systems against data breaches, yet the country is unprepared to handle a massive cyber-attack like 'WannaCrypt' or 'Petya,' a top executive from global IT security firm Sophos has said.
"India has well-trained, well-educated and capable IT people. The country has got access to all the tools it needs to secure its systems. Yet, in the case of a big cyber-attack, India is still unprepared," John Shier, Senior Security Expert at the Abingdon, UK-headquartered Sophos, told IANS in an interview.
"It is the time to look at the procedures and make sure they are implemented to secure the data. Firstly, it is needed to see that the things are done. Secondly, it needs to be checked if the things are done correctly and thirdly, test it repeatedly to make sure what has been done is done right," Shier noted.
According to a recent IBM study conducted by Ponemon Institute, while the average cost of a data breach in 2017 saw a 10 percent decline globally when compared to 2016, for Indian enterprises it grew 12.3 percent from Rs. 97.3 million in 2016 to Rs. 110 million in 2017.
Malicious or criminal attacks were the cause of data breach for 41 percent of companies surveyed. Nearly 33 percent experienced a data breach as a result of system glitches and 26 percent of breaches involved employee or contractor negligence.
According to Shier, while you cannot entirely eliminate cyber risks, you can reduce them to a very low level if you have well-configured security measures to check the intrusion.
"The systems that are being compromised by cyber-attackers are owing to the poor security of the system itself or the protections around it," he said.
The systems are generally protected by software and firewalls to restrict the intrusion.
"Companies have the necessary attack deterrents but they forget to configure them in certain ways to block the attack, resulting in improperly-secured devices," Shier explained.
He said that most companies are securing their data with security software and hardware in a correct manner but it is the human factor that, at times, makes cyber-attacks a success.
"Sometimes, the criminals send an email to an employee who acts upon it. That gives the cyber attackers the first foothold in the company and from there, the criminals are able to move around the systems in the company," the executive pointed out.
Shier said that most of the time, humans are very carefully intertwined in a cyber-attack.
"Since the unwanted entry is blocked, criminals steal authorised credentials of employees by sending them emails who act upon it. In this way, the criminal who was blocked from entering the system illegally, has legal access to a company's system," he noted.
Our lackadaisical approach also makes us vulnerable to data hacking.
"In the WannaCrypt ransomware attack case, systems were compromised due to a missing patch. The patch was already available two months before the cyber-attack happened," Shier said.
Hackers normally use the loopholes present in the security system.
"Cybercriminals find a weak spot to get into the systems. It is not necessary that these criminals send an email; it might be a phone call or a physical visit to the company. They might visit the office for reconnaissance. They carry a ladder or a clipboard and pose as a worker," Shier told IANS.
Hackers build a "crack" around the protective measure and come up with new tactics to enter into systems but companies today are fairly well prepared for the attack.
"If we are well prepared for the attacks with fully functional and well-tuned security layers, then we can deflect a lot of attacks. Doing the basics right helps cyber-security companies stay one step ahead of the criminals," Shier said.