Disruptive digitization, which is expanding the cybersecurity threat surface, forces a relook at digital risk. But newer technological risks mean that digital risk analysis should go beyond cybersecurity alone.
On 25 April, security watcher Alon Gal (@UnderTheBreach) tweeted that the infamous threat actor ‘ShinyHunters’ had just leaked the database of the Indian online grocery store BigBasket. Gal, co-founder and CTO of the cybercrime intelligence firm Hudson Rock, also posted screenshots in his tweet. He said that information such as emails, names, hashed passwords, birth dates and phone numbers had been leaked.
The news of the breach per se was not new. The actual breach happened in October last year and made it to the headlines for its size—20 million users’ data got stolen—and the way BigBasket reacted to it.
For the uninitiated, here is the timeline of the breach, as provided by the cyber intelligence firm Cyble in its blog. Cyble was the first to detect this breach. According to the firm, the breach happened on 14 October 2020. It was detected by Cyble on 30 October 2020. After verifying it, the firm reported it to BigBasket on 1 November 2020.
“Cyble disclosed the breach to the BigBasket management as per the responsible disclosure process. Praveen (BigBasket) strongly insisted on not making any disclosure. Cyble advised them to let their customers know and explained to them it’s the right thing to do,” the blog said.
BigBasket was not the only company affected. Cyble began notifying its customers about the breach. The firm says BigBasket then approached it for help with the breach, and that Cyble insisted on disclosure to BigBasket’s customers first.
According to a report in OpIndia, Cyble was actually named in the FIR (First Information Report) that BigBasket registered with the cyber cell of Bengaluru Police on 6 November.
On 7 November, Cyble made a public disclosure. Two days after that, on 9 November, BigBasket acknowledged the breach, as reported by Bloomberg News.
After Cyble made it public and BigBasket acknowledged the breach, it made the headlines in most business media. It also drew considerable interest from the general media, thanks to the brand’s familiarity among online shoppers, whose numbers have risen significantly since the pandemic hit India in March that year.
Almost six months later, the issue has taken center stage again: the hackers have finally put up the data. A report by News18 confirmed that the post contains a 3.25GB database that includes “a varying degree of personal information belonging to over 2 crore individuals.” The report said the database file has phone numbers, residential addresses, dates of birth and email addresses, among other fields.
The BigBasket case shows that even now there is a reluctance to disclose data breaches in India. This one came out only because the cyber intelligence firm was vocal about it, and because the brand is well known enough that the general media took interest in the breach.
But the BigBasket breach is by no means the only example of its kind. Since the pandemic began, in India alone, there have been a number of such data breaches, and that is without counting other types of security incidents. Given the reluctance to disclose, many others have probably simply gone unreported.
The more recent ones (March-April 2021) include Domino’s India (Jubilant Foodworks), where data on 180 million orders was stolen. According to Gal, credit card details of 1 million customers were also compromised, though the company has denied it. In another similar breach, the online trading company Upstox said its user data had been breached. Though Upstox did not put a number to it, most media reports put the number of compromised user records at 2.5 million. Another alleged data breach happened at the mobile payment company MobiKwik, where security watchers put the number of compromised records at 3.5 million.
There is a pattern to all of this.
All of these have happened to online businesses. While three of them are pure online businesses, the fourth, Domino’s, has also shifted significantly from phone-based to online ordering.
While breaches like these are not new and have been happening for years, what has forced a fresh relook is the speed at which Indian business, especially consumer business, is digitizing, thereby expanding the threat surface. More digital business means more cybersecurity threats.
Between April 2020 and now—the period since the pandemic started impacting businesses and driving faster digitization—there have been dozens of data breach incidents (see BreachScape).
But wait. Data breaches are only the most visible and most talked-about kind of security breach, and the easiest for us to track.
Digital Risk Landscape: Much Wider
In fact, if anything, data fraud or breach does not even feature among the top 35 global risks in the World Economic Forum’s Global Risk Report (GRR) 2021. While it used to feature among the top 10 most likely risks, it has never featured among the top 15 most impactful global risks in the time CIO&Leader has been tracking the report—that is, since 2014.
That means global business leaders have not considered data fraud or data risk a highly impactful global risk. And now, the GRR does not even consider it very likely. The perceived risk value of data fraud or data breach in the overall risk landscape is quite low—and that is true even within the context of technological risks.
It is interesting to see how the ranks (relative risk perceptions) of technological risks have moved in the GRR over the years. Until last year, the GRR considered four technological risks – Cyberattacks, Critical information infrastructure breakdown, Data fraud or theft, and Adverse consequences of technological advances/Misuse of technology.
Over the years, Cyberattacks and Data fraud or theft have always been considered among the more likely risks, with Data fraud or theft featuring among the top 10 every year since 2014. Cyberattacks too have featured among the top 10 most likely risks in the GRR in all years except one. Both Critical information infrastructure breakdown and Adverse consequences of technological advances have always been perceived as low-probability risks.
When it comes to the impact of technological risks, data fraud or theft, the most common risk, has never been seen as a very high-impact risk. Cyberattacks, on the other hand, have been seen by GRR respondents as a more impactful risk, ranking between 6th and 13th in various years. Critical infrastructure breakdown has moved with technology disruptions. In the early phase of cloud, 2014-2015, it was seen as a high-impact risk. As the technology matured, the risk perception came down, falling as far as 22nd position in 2017. Massive disruptions in services at Southwest Airlines and Delta Airlines in 2016, at British Airways in 2017, and subsequent outages at Southwest Airlines, American Airlines, JetBlue, Delta Airlines, Air India, British Airways, the National Stock Exchange and the Hong Kong Exchange over the next two years—all of which happened because of infrastructure issues, not targeted attacks—made people realize the massive impact such failures could have on business and life around the world. IT infrastructure was no longer seen as invincible. Expectedly, the perceived impact of Critical information infrastructure breakdown rose again, from as low as 22nd in 2017 to 6th in 2020, before dropping a few places this year.
Not surprisingly, critical infrastructure breakdown is listed by GRR 2021 as the 10th most impactful global risk. It is also the most impactful technological risk among all those considered by the GRR study. This year, the GRR has dropped Data fraud/theft altogether and has considered three new digital risks, which we will look at in some detail.
Apart from the six technological risks, the GRR this year has considered 7 economic risks, 6 environmental risks, 7 geopolitical risks and 9 societal risks, totalling 35 global risks. Not surprisingly, Infectious diseases has jumped from 9th position in 2020 to the top position among the most impactful global risks in 2021.
Why is a relook important?
There are two reasons why a relook at digital risks is needed.
The first is what we can call the pandemic effect, which can be summarized as two Ds—Digitization and Distributed workforce. While digitization expanded the threat surface, a distributed workforce working remotely created a conducive environment for targeted attacks.
An ISACA survey released earlier this year said 87% of organizations believe the rapid shift to work from home increased the risk of data privacy and protection issues.
All the data breaches given in the box Breachscape, for example, happened after April 2020. Other kinds of incidents have also increased significantly, so much so that businesses have been forced to treat cybersecurity as a basic business enabler.
Nearly 96% of respondents in recent PwC research, the Global Digital Trust Insights Survey 2021, said they will adjust their cybersecurity strategy due to COVID-19. As many as 50% are now more likely to consider cybersecurity in every business decision — up from 25% in the same survey last year.
There are numerous research reports that confirm this realization that organizations need to be far more proactive about cybersecurity post-pandemic.
In short, reason no. 1 – the Pandemic Effect – is well understood by the community.
But the other is not even on the radar: the emerging new digital risks. The Global Risk Report 2021 has, for the first time, named three new digital risks - Digital inequality, Digital power concentration and Failure of technology governance - even as it has renamed Cyberattacks to Failure of cybersecurity measures, an implicit acknowledgment that stakeholders are now aware of the basic cyberattack risk and have taken measures, but that those measures may fail.
Digital inequality, according to the World Economic Forum, is unequal access to critical digital networks and technology, between and within countries, because of a variety of reasons.
While on the face of it this seems like a country-level risk, businesses in developing countries will be exposed to it, because of the unavailability of technology, the inability to invest and the lack of access to skilled manpower. But a more serious implication for India is the lack of access to digital technology, despite cheaper phones and low-cost data. Language, availability of network access and regulatory restrictions are still pressing issues that prevent many businesses from exploiting the opportunity that lies across the country. We were badly exposed to this inequality during the pandemic, especially in education.
This is a risk that no company, especially a consumer business, can ignore anymore.
Digital power concentration, on the other hand, is the concentration of critical digital assets in a small set of companies, individuals and countries. This can be driven by regulation, the historical evolution of technology, IPR or even international trade restrictions. The pandemic has exposed us to this risk too.
Finally, failure of technology governance is WEF’s term for the lack of globally accepted frameworks and standards. While WEF is concerned with ‘globally accepted’ frameworks, the lack of them at the local level can create a huge risk too. Today, a lot is being said about AI, which runs on data. Take healthcare. To make any meaningful decision on the diagnosis of patients using AI, the data held by different healthcare providers must be compatible. Without well-defined standards, this becomes a Herculean task.
Digital Risk, Circa 2021
The new Digital Risk landscape, hence, may look very different from how it has been conceptualized so far. Not all organizations will be exposed to all these risks equally. But it is time digital risk assessment went beyond cybersecurity assessments!