The World Economic Forum (WEF) has predicted that in 2025 the most sought-after jobs will be those in the field of information technology (IT). This prediction seems plausible because the world has entered the era of the Fourth Industrial Revolution, in which machines and technology will become increasingly involved in our daily lives. Technological advancements like robots, virtual reality, cryptocurrency and blockchain will become the order of the day. Amid the ever-increasing dependence of businesses as well as individuals on IT, it can rightly be said that the notion of a global village or a world economy would have been inconceivable without IT.
Today's world is one of Information and Communications Technology (ICT). ICT has become an essential contributor to our daily lives in more than one way. Not only has it become the engine of the global trade and financial system, but it is now also a vital component of our most critical infrastructure. Seen in broad terms, the networks that provide our water, food, electricity, communications and transportation are all dependent on ICT.
With this growing dependency and the heightened importance of information systems, it is imperative to assess the potential risks and threats they pose to businesses and economies. The concept of firewalls, passwords, virus scans, backups, etc., has now become a little outdated, though these are still needed. Information risk management (IRM) is no longer a topic to be discussed only by IT professionals; rather, it needs attention at higher levels, among executives and boards, so that appropriate measures can be adopted against any disruption to business and potential loss of data resulting from the failure of information systems. It should, indeed, become an integral part of an entity's risk management process.
If we take the concept of information risk management a step further, there arises a need to understand cyber risk, which is “any risk emerging from the use of information and communication technology (ICT) that compromises the confidentiality, availability, or integrity of data or services.” It is to be noted here that the impairment of operational technology eventually leads to business disruption, infrastructural breakdown, physical harm to people and damage to property.
Cyber risk may be posed by natural disasters, e.g. earthquakes, floods, fires, etc., which may cause colossal damage to a company's IT hardware, software, servers and network. It can also be man-made, e.g. malicious acts by hackers, terrorists and criminals, as well as human failures. In any case, there is a risk of potential loss of confidential data as data integrity is compromised. Business reputation and credibility would also be affected.
The potential effects of these risks can be assessed according to the nature of the business and its dependency on information systems. For example, banks, financial institutions, online businesses, hospitals, etc. are more vulnerable to cyber attacks than other institutions or organisations. The reason is that they deal with individuals' confidential data: account numbers, email addresses, credit card information, personal health history, etc.
A company, hence, needs to follow a proactive course to identify its susceptibility to cyber risks and, thereupon, to take appropriate measures to mitigate the potential consequences in the event of any threat or loss of data. This will enable the company to become operational again quickly and also minimise the costs incurred in recovering data.
Cyber Security in Pakistan
In Pakistan, banks are the most vulnerable to cyber attacks. The recent attacks on Pakistani banks are enough to call into question the ability of these important financial institutions to counter such crimes, because they show that there are certain lapses in security which allow hackers to succeed in their nefarious designs. Therefore, it has become necessary to make a thorough assessment of what other countries are doing to deal with this complex issue of the century. There is a need at both the institutional and government levels to look into the matter before it is too late. A comprehensive cyber security policy should be promulgated by the regulator and implemented at banks to deal with online financial fraud. There is a need to continuously monitor and upgrade IT systems and networks, as well as to educate users and employees about the security measures to be adopted during online transactions.
“The Best Defence is A Good Offence”
An entity with a robust cyber risk management plan can minimise the potential damage from a breach and get itself back on track more quickly in the wake of a disruptive event. The first step is cyber risk assessment, which is followed by protection, detection, response and recovery.
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organisation mitigate its risk exposure by offsetting the costs involved in recovery after a cyber-related security breach or similar event. With its roots in errors and omissions (E&O) insurance, cyber insurance began catching on in 2005. In 2016, the global cyber insurance market was valued at $3,416.4 million, with the total value of premiums forecast to reach $7,500 million by 2020.
According to PwC, about one-third of US companies currently purchase some type of cyber insurance. Any organisation that stores and maintains customer information, collects online payment information, or uses the cloud should consider adding cyber insurance to its budget. Cyber insurance typically covers first-party expenses as well as claims by third parties.
Although there is no standard for underwriting these policies, the following are common reimbursable expenses:
a. Forensics investigation
b. Business losses
c. Privacy and notification
d. Lawsuits and extortion
There is a good opportunity for insurance companies to explore and penetrate this area, as there is huge potential in the market. The relatively small size of the cyber insurance market shows that it has not been taken seriously by corporations and individuals so far. But the increasing trend of internet usage and cyber crime suggests that in future certain categories of individuals might also buy cyber insurance alongside corporations. Insurance companies can also act as advisors by pushing corporations to adopt best security practices in order to avoid data breaches. Swiss Re Group Chief Executive Michel Liès estimates that within 10 years “cyber coverage will be in every retail, commercial and industrial insurance policy.”
Need for a new cyber security law in Pakistan
In the recent past our country has faced various cyber breaches at the individual as well as the state level, and we do not yet have an efficient countermeasure. The major attack of the year began in mid-October with Bank Islami and has since spread rapidly across the whole country. Individuals continue to lose money from their accounts at different banks, and the major cause for concern is that banks are hiding information about these cyber robberies. A total of 19,864 cards of 22 Pakistani banks have been compromised in this attack so far. People have also been receiving scam calls from hackers impersonating bank staff in order to make them reveal their bank account details.
Unfortunately, there is no law on cyber security, and one needs to be brought in to safeguard the firewalls of our organisations, which are prone to cyber attacks. Ironically, the first ever cyber crime bill, passed on August 11, 2016 by Pakistan's lower house, the National Assembly, as the Prevention of Electronic Crimes Act, 2016, is controversial in its terms. The law has worried human rights and pro-democracy activists through its over-broad language against freedom of speech.
The law also allows authorised officers to access anyone's computer and personal data whenever they want during an investigation. It also gives unlimited authority to the PTA to decide what is legal or illegal.
The law provides a sentence of 7 years' imprisonment for those planning, recruiting or funding terrorism or propaganda online against the state. Hence, the sections of the Bill show that the law only hands the state's agents a tool for unfair prosecutions, as no provisions have been set up to protect the privacy and sensitive data of individuals.
Hence, the above discussion shows that all the networks and data systems mentioned above remain unsecured unless they are protected through foolproof security.
There are no specific laws in Pakistan against those who break through security firewalls to steal important data, including bank records. It is theft, and its trial needs substantial digital evidence, including evidence of attempts to enter the database. It is, therefore, the need of the hour that Parliament bring in a new law dedicated to cyber security for the protection of national and private data, including bank databases.
Overcoming barriers to cyber security in Pakistan
With cybercrime incidents making news on a regular basis, the importance of cyber security is evident. It concerns all citizens and organisations in proportion to the risk they are exposed to. It needs to be recognised as a key national security concern by the government, especially as it applies to government organisations, critical infrastructure and consumers. While we would like to see more evidence of this recognition at the government level, there are a number of aspects of cyber security that private and public organisations need to pay more attention to.
Most organisations have limited understanding of cyber security
Unfortunately, most organisations lack depth in cyber security, which results in weak security architectures, a lack of critical security controls and poor security hygiene among staff. Since CEOs rely on their IT departments for security, if the IT organisation is either complacent or unwilling to acknowledge this, it is very difficult to take the organisation out of this state. Simple ignorance is knowing that one does not know, while compound ignorance is not knowing that one does not know. At-risk organisations cannot afford compound ignorance. It is critical for organisations with significant cyber security risk never to be complacent about their state and knowledge, and always to be open to improving both. CEOs and top management must be wary of IT departments that claim all is well.
Creating a supportive environment
Organisations must create a healthy and supportive environment in which those in charge of cyber security feel encouraged to be open about security gaps, lapses and incidents. Cover-ups have to be strongly discouraged. Weaknesses cannot be addressed unless they are acknowledged, and glossed-over weaknesses can come back to haunt the organisation.
There is no such thing as perfect or foolproof cyber security. Cyber security is an ever-evolving domain: known threats are addressed by today's measures while new threats emerge, requiring new measures to address them. Defenders are fighting a tough battle and need support as long as they are not negligent or complacent.
Creating a healthy tension
Large organisations with sufficient budgets should create a separate information security department that should be a peer to the IT or engineering department and not subordinate to it. Subordinate security organisations tend to get stifled or co-opted.
Cyber security service providers can be used as an additional source of independent perspective; they can help keep internal information security organisations on top of their game and support them in addressing their skill gaps. Smaller organisations can benefit even more from engaging cyber security service providers, as this is more cost-effective for them than building an in-house security team. There is limited talent available in the market for most organisations to be able to build effective in-house teams.
Paranoia is good up to a point
For larger organisations, especially in the financial services sector, where information security and IT exist as separate departments, security teams should have the required access to mission-critical environments to be able to do their job effectively. From implementing critical security controls to active monitoring for breach detection and access for investigations, IT and IS need to work in a highly collaborative manner.
The same extends to trusted cyber security service providers. With proper vetting and legal protections, service providers can be given the required clearances to have the access needed to address gaps in internal capability. At present, especially in the financial services industry, certain apparent regulatory constraints are a significant barrier to taking full advantage of the capabilities offered by the cyber security services industry.
Reducing the attack surface
There are significant areas of improvement in how the cyber security problem is typically approached. A sound security architecture helps both to reduce the attack surface and to avoid the complexity and expense of security solutions to self-created and avoidable problems. Organisations can harness the power of the cloud and zero trust models to simplify security challenges and improve the effectiveness of their defences.
Beyond prevention: detection and response
Traditionally, cyber security has focused on blocking attacks. This is the first line of defence and is critical to address. However, beyond a point, a focus on prevention alone leads to diminishing returns. In the area of data protection as well, the focus has been on preventing leakage.
The current accepted wisdom is that prevention should be assumed to fail, and that measures should be taken to detect and respond to compromises quickly and to protect data wherever it goes. Organisations must invest in incident readiness so that they can detect, limit and respond to attacks effectively.