‘Mobile users have become an easy target today’

Cyber attackers have already developed a level of sophistication that is well beyond the hobby-hacker of the past.

June 14, 2015 11:35 pm | Updated 11:35 pm IST

Jagdish Mahapatra. Sketch: L. Balamurgan

As we get more exposed to the digital world, the extent of threat to data security and privacy has grown multi-fold. The Hindu caught up with Jagdish Mahapatra, Managing Director, India and SAARC, Intel Security, to understand the magnitude of this threat and how to deal with this menace. Excerpts.

As businesses and individuals go online, what is the extent of threat to data security today?

India has the third largest Internet population in the world with a 190-million user base in June 2014. According to our Digital Asset Survey 2014, almost half of the surveyed Indian respondents said they personally own three-to-four devices in their homes. Compare this with our lab’s data which show that 48 per cent of attacks against average end-users in India are auto-run worms that exploit minor vulnerabilities for which patches are easily available.

On the other hand, mobile tends to be more evolved. About 38 per cent of attacks on Indian mobile users are mobile adware; attackers are exploiting new technology as well. Given this device explosion and the growing sophistication of threats, there is a need to have cross-device security.

On the enterprise front, I think attackers have already developed a level of sophistication that is well beyond the hobby-hacker of the past. To give you an example, according to Intel Security Labs, of all the Indian organisations that have experienced security incidents in recent times, 34 per cent were financial services organisations and 34 per cent were IT companies. So, we are clearly seeing a streak of organized and targeted crime as was also evident from some of the high-profile security incidents that took place in 2014. For example, with the advent of the Internet of Things (IoT), the attack surface has expanded exponentially, thus making our environment potentially more vulnerable.

In the Indian context, we are dealing with a lot of new economy enterprises such as e-commerce and adding a layer of complexity from a security perspective is the fact that mobile shopper penetration in India ranks third among emerging markets.

How significant is it for enterprises and individuals to secure their data?

I believe that securing enterprise or personal data is about as critical as securing oneself and your home. It also needs to be looked at in the context of the data explosion we are witnessing today. According to our Digital Asset Survey, 2014, the average Indian has more than Rs.25 lakh worth of under protected digital assets stored across multiple devices.

From a business perspective, India Inc. is seeing a data explosion like never before. According to estimates, digital information in India will grow to 2.3 million petabytes in the next decade. There is also likely to be a 4,00,000 petabyte gap between information generated and storage capacity.

When looked at from the perspective of mega trends like IoT, security will become a significant challenge since it is redefining what sensitive data is.

I believe, therefore, that as technology advances, the need to secure the data that it generates is even more critical as the cost of losing that data will far exceed the cost of securing it. Today, security has become a regular boardroom discussion matter.      

Can any security firm provide 100 per cent guarantee on protection of data?

Attackers have already developed a high level of sophistication, and today, no organization can offer a 100 per cent guarantee while providing data security and protection to customers. There are two types of companies: those that have been breached and know it, and the ones that have been breached and don’t know it.

We believe that most organisations may be able to detect 99 per cent of all security breaches, and it is mostly the one per cent attacks that will slip through and cause the most damage. For us, the goal has been to detect and fix those one per cent attacks in the shortest time possible.

Just like in the medical profession where doctors must deliver heart-attack patients to the hospital within a ‘golden hour’ to maximize likelihood of survival, the security industry must work towards reducing the time it takes organizations to detect and deflect attacks, before severe damage is inflicted upon them. Doing this requires a major rethink of established security practices as we attempt to figure out what is failing us.

In line with this, globally, Intel Security has become a part of the Cyber Threat Alliance, which is a group of four companies. Since the attack landscape is changing very rapidly, we are helping our customers by sharing information. We all have different footprints and different types of attacks, so we figured out that if we work together, any one of us will do a better job of providing the overall security posture that our customers need. We are trying to shrink the time from detection to recovery.

What is the emerging trend in cybercrime?

Our findings indicate that Ransomware (a form of malware, where an attacker demands money in return for not wiping out a company’s entire data system) has been on the rise lately. According to findings from the latest McAfee Labs Quarter Threat Report: May 2015, the number of Ransomware samples grew by 165 per cent in Q1, 2015 largely due to the proliferation of the CTB-Locker family and its “affiliate” program, against 155 per cent in Q4 and Q3 of 2014.

We recommend that organizations take steps to strengthen threat detection at the known initial attack vectors, such as phishing messages with malicious links and malware-infected USB drives and CDs, as well as consider solutions that can help prevent data exfiltration.

How do you help ordinary individuals accessing data on mobile phones?

Mobile users have become an easy target today; our internal data indicates that 38 per cent of attacks on Indian mobile users are mobile adware. In line with this, Intel Security has made the McAfee Mobile Security software free of cost to all mobile users. Supporting all Android and iOS mobile devices, this initiative is targeted at making security a more integrated part of the Indian consumer experience.

Additionally, device explosion is also a vector one needs to consider, and there is a need to have cross-device security. It is for this very purpose that we created McAfee LiveSafe, a cross-device security solution to secure consumers. One subscription of McAfee LiveSafe covers an unlimited number of devices, so you can protect all the PCs, Macs, smartphones, and tablets you own.

There is concern about unknown apps which people download. What are the safety tips?

In the case of apps, a user risks downloading malware if it is not downloaded from a trusted source. Moreover, if adequate security measures are not adopted, then we run the risk of infecting other users too with malware since a lot of consumers share information from their mobile phones using Bluetooth and other connectivity solutions. Even highly rated and well known apps can become the source of security breaches which could range from stealing personal data to sharing identifiable information on phone usage with unauthorized people. In fact, in many instances, these vulnerabilities are a result of the poor programming practices adopted by app developers.

It has been found that mobile app developers have failed to patch critical secure sockets layer (SSL) vulnerabilities thereby potentially impacting millions of mobile phone users. Our research has revealed details on the increasingly popular Angler exploit kit, and warned against increasingly aggressive potentially unwanted programs (PUPs) that change system settings and gather personal information without the implicit consent of users. To avoid such challenges, users should typically read through an app’s privacy policy to understand the what, why and how of data sharing before installing the app.

lalatendu.mishra@thehindu.co.in
