Towards the end of October 2016, several Indian banks announced they would be recalling millions of debit cards in the wake of a data breach that affected the backend of software that powered an ATM network there.
It was a situation that could have been better mitigated; a government-sponsored organization tasked with sharing information about data breaches completely missed the warning signs that a breach was taking place. As a result, no one connected the dots until millions of fraud cases had been detected.
Raj Singh, Regional Bureau Director for the Asia-Pacific region, Internet Society, recently gave me his insights into the lessons that organizations in all industries can learn about mitigation from this incident, as well as how to overcome barriers that prevent collaboration, which is vital to mitigation efforts.
Information Sharing and Collaboration: The Keys to Successful Mitigation
Data breaches are all too prevalent nowadays. “Hackers will always try to find a weakness in the system,” Singh asserted. While organizations should continue their efforts to prevent such breaches, they must also have a mitigation strategy in place to offset the disastrous effects of cyber crime.
In the case of the Indian ATM data breach, the Information Sharing and Analysis Centre (ISAC) established by the Indian government failed to detect the breach in time because each compromised debit card was flagged as a case of fraud rather than the result of a cyber attack. Before this incident, banks bore the responsibility of tracking and handling fraud cases. No one raised an alarm until millions of debit card customers complained of fraudulent charges.
Singh pointed out that the situation could have been managed much better “if people had realized that hacks and breaches have multiple dimensions.” If ISAC had treated each case of debit card fraud as a cyber crime, a pattern would have emerged much sooner. When the Indian government founded ISAC, no one considered the possibility that credit and debit cards were so vulnerable to hackers. “People are focused on the door when the hacker is coming in through the window,” Singh added.
In general, the finance industry has some strong information sharing mechanisms in place that have a good reputation for mitigating the impact of data breaches. Singh noted that Singapore’s Association of Banks (SAB) and the global Financial Services – Information Sharing and Analysis Center (FS-ISAC) are two examples of organizations that enable members to share news of threats so that others can attempt to prevent or at least mitigate attacks.
It’s becoming abundantly clear that information sharing and collaboration must take place outside of the finance industry, too. The EU’s Agency for Network and Information Security (ENISA) published a report at the end of December 2015 about the importance of information sharing and collaboration in prevention and mitigation of cyber attacks for all industries. In the Obama administration’s final cybersecurity report, released at the beginning of December 2016, researchers stressed how crucial it is that the private sector and the public sector share information to prevent mass cyber attacks from taking place.
Easier Said than Done: Barriers to Information Sharing and Collaboration
Making recommendations and even being a member of an information sharing network still isn’t enough to keep incidents such as the one in India from unfolding. Singh observed that barriers hamper vital collaboration between firms and organizations that would otherwise counter or at least mitigate the consequences of a cyber attack.
For a start, SAB and FS-ISAC only share information with members. So, if your company doesn’t operate within the finance industry, you don’t have access to details of threats submitted by SAB or FS-ISAC members.
Secondly, Singh observed that businesses tend to be quite competitive and hesitant to share information about any possible weakness. Yahoo is a recent example of just such a company. In 2014, hackers stole encrypted passwords and personal data from over 500 million accounts. It took Yahoo over two years to uncover the breach and disclose it. Users responded by threatening to shut down their accounts. American senators expressed their dismay at Yahoo’s slow detection and response to the attack. After disclosing the breach, the value of Yahoo’s stock fell three percent.
Another barrier to information sharing and collaboration is the “it can’t happen here” mindset. “There’s a lack of empathy and understanding,” Singh explained. Businesses might say, “Oh, a data breach hit a bank. We’re not in the banking sector, so we don’t need to worry about something like that affecting us.” While some businesses in industries outside of finance might pay attention, others won’t because they haven’t been hit by hackers yet, or they’re unaware that they’ve been attacked. Of course, that mindset leads to firms falling prey to hackers. “A data breach can happen anywhere, anytime,” Singh emphasized.
Overcoming the Hurdles to Improve Breach Mitigation
Singh doesn’t view these burdens as insurmountable. He believes that organizations can improve collaboration and information-sharing efforts in order to mitigate breaches.
One of the first steps is stronger regulations and enforcement of existing rules on data breach disclosure and data sharing. “From what I hear, everyone says that they’re talking to each other and working with each other,” Singh remarked. “But that’s taking place at conferences. What’s happening on the ground?” He added that self-regulation is unreliable, because of the competitive nature of business and the desire to be seen as strong and invulnerable. Although many countries have enacted personal data protection laws, they don’t seem to be powerful enough to force companies to collaborate so that incidences such as the one in India don’t take place again.
As consumers share more information with organizations, and those organizations rely on interconnected digital systems that are prone to breaches, the risk for hacks will only continue to rise. When businesses work together and treat information on data breaches as something to be disclosed rather than a closely guarded secret, they have the power to better protect their customers and keep their reputations (and profits) intact.
Editor’s note: For more on data breaches and their impact, please see the Internet Society’s 2016 Global Internet Report.