In 2016, mega-breaches worldwide illustrated that today's cybercriminals are skilled, organized and equipped to carry out highly successful attacks. Many organizations lacked the capability to withstand new forms of attacks, with private information stolen on an epic scale.
So what's the outlook for breach prevention and detection in India in 2017 with the economy undergoing demonetization?
"As cars start to have connected capabilities, it is only a matter of time until we see an automobile hack on a large scale."
Experts say demonetization has shaken the payments industry to the core, leading to a mad rush of digital payment acceptance.
"This rushed, unplanned and uncontrolled move raises very pertinent questions on security as practitioners face new threats in 2017," says Sriram Natarajan, chief risk officer at Quattro, a business process outsourcer.
I asked experts for predictions regarding data breach and security trends in India and Asia for 2017. Here's a summary:
Ransomware Attacks Continue
As cybercriminals work toward accessing organizations' data, ransomware attacks will become even more common.
Cloud-based storage and services make the cloud a very lucrative target for ransomware attacks, says Tarun Kaura, director and solutions product manager for APJ at Symantec. "The cloud is not protected by firewalls or more traditional security measures, so there will be a shift in where enterprises must defend their data. Cloud attacks could result in multimillion dollar damages and loss of critical data."
The security firm Kaspersky says about 63 new ransomware families made their appearance in 2016 - and those were more sophisticated and more diverse.
And the ransomware attacks will continue to evolve, exploiting new infection paths, says Kaspersky's report. Also, ransomware-as-a-service solutions will enable cybercriminals with fewer skills, resources or time to wage attacks.
Sean Duca, Palo Alto Network's vice president and regional chief security offficer, Asia Pacific, expects more ransomware attackers to lock up business data and demand ransom for its release.
"2017 will be worse than 2016. We can expect higher attack volumes using more sophisticated technologies," he says. "If the discovery of Locky ransomware was anything to go by, financial malware will continue on an upward trajectory."
Duca says that the size of ransoms demanded may increase. "Cases show that ransom was paid, the data unlocked and the victim was hit again. Our advice has always been: don't pay," he says.
Michael Joseph, Fortinet's regional director-systems engineering, India and SAARC, says that while ransomware was the gateway malware, he expects very focused attacks against high-profile targets, including celebrities, political figures and large organizations.
But broader attacks will continue as well, he predicts. "Automated attacks will allow hackers to cost-effectively extort small amounts of money from large numbers of victims simultaneously, especially by targeting IoT devices," Joseph adds.
India witnessed cyber extortion and ransomware in 2016 largely driven by Windows-based crypto-ransomware. Three banks and a pharmaceutical company were hacked, with attackers demanding ransom in bitcoins for decryption keys to release the systems. Security practitioners expect these types of attacks to continue in the year ahead.
IoT as a New Target
Gartner predicts the number of connected devices in APAC will rise from 6.5 billion in 2015 to almost 21 billion by 2020. As a result, hackers will target more IoT devices.
"In 2016, we saw the first real challenges with compromised devices connected together in a botnet to launch attacks against banks and key parts of the internet infrastructure," says Duca of Palo Alto Networks.
Security experts worry there may be many millions of infected IoT devices, given the intensity of recent distributed denial-of-service attacks, such as the one that hit Singaporean ISP StarHub.
As a result of the hacking attacks so far, millions of connected devices may already be outside the control of their owners, says Pierre Noel, chief security and privacy officer at communications technology vendor Huawei.
Fortinet's Joseph says if IoT manufacturers don't secure their devices better, and consumers hesitate to buy their products, the impact could be devastating. "We will see an increase in the call to action from consumers, vendors and other interest groups for creation and enforcement of security standards so that device manufacturers are held accountable for their device's behavior," he says.
Symantec's Kaura predicts that connected cars will be targets for cyberattacks. "As cars start to have connected capabilities, it is only a matter of time until we see an automobile hack on a large scale," he says. "This could include cars being held for ransom, self-driving cars being hacked to obtain their location for hijacking, unauthorized surveillance and intelligence gathering or other automobile-focused threats. This will also lead to a question of liability between the software vendor and automobile manufacturer, which will have long-term implications on the future of connected cars."
Data Breach Regulatory Outlook
Meanwhile, Asian nations are mulling data privacy and breach regulation legislation, studying the European Union's General Data Protection Regulation.
Singapore, among others, plans similar legislation. There's strong support from data privacy proponents to issue a law mandating reporting of data breaches as well as data protection laws in line with "mature jurisdictions" like those in U.S., Canada and Europe.
Wong Yu Han, director of strategy at Singapore's Cyber Security Agency, says the ministry will introduce its new cybersecurity bill in Parliament next year to revise data protection and breach disclosure requirements.
In India, financial regulators, including RBI and SEBI, are working toward issuing a regulation making data breach reporting mandatory for enterprises.
Need for Risk Assessments
Duca argues that in 2017, given the threat environment, more organizations must instigate a regular program of security risk assessments.
A systematic approach must be taken to list the priorities of a risk mitigation plan for 2017 and beyond, he contends.
Indeed, organizations need to determine if adequate data protection is in place to mitigate the risk to mission-critical systems.
What's your perspective on the security outlook as we burst into this New Year? Please share your views in the space below.