March 09, 2021 | Soundhariya Viswanathan
MRC is an M.Tech graduate from Roorkee who has worked around the world before returning to India to begin his entrepreneurial journey. He has created a voice biometric platform and contact centre platforms that are currently used around the world.
Early on in my entrepreneurial journey, I got a call from someone inviting me to talk to the a leading investigative agency. I remember thinking it was a joke and asked them to stop calling. It was only later when I received a letter from an Embassy requesting a meeting, that I realised it was a legitimate call. When I arrived at the Embassy, I was connected to someone from the leading investigative agency who informed me that they wanted to learn more about my voice recognition software and offered me a fully funded trip to their country.
On this trip, I learnt a lot about how countries were using tools for cybersecurity. But I didn't believe developed nations needed it as much as we do. We are surrounded by threats all around – from far or neighbouring countries and others. Also, internally from various groups.
During this event, an officer was interacting with everyone, and I told him that his country didn't need this technology as much we do, and he agreed. This was where my journey began.
When I started selling, I found that people were not even aware that they were being compromised. My vision was to create awareness. We trained over 3,000 people in cybersecurity – both individuals and corporates. We have certification courses in IIT Madras called Certified Cyber Warrior and Career back to women, and hope to train 500,000 people by 2022.
I think everyone was caught unaware by the move to remote working. Many offices weren't shut down properly, and this caused a lot of concern.
We found that most companies were highly dependent on apps like Zoom and Google meet during the lockdown, which presented cybercrime opportunities. One of the leading videos meeting apps was found to be compromised, where aside from meeting invitees, 2-3 people would be present on conference calls, something that went on from March to November.
We also found that a leading free browser had a file stealing vulnerability through an unprotected back door entry, allowing files to be stolen off android devices, with similar compromises with another browser brand.
My colleague, Dr Harish, and I conducted an audit of a public sector undertaking during the lockdown, which claimed Rs.1200 cr was missing from a PSU company, which had an Rs. 1,00,000 cr annual turnover. We conducted a forensic investigation of this case and found that the company hadn't even realised the money was missing.
Some companies have taken steps to prevent this by giving enterprise-grade, dedicated access networks to employees, preventing hacking. Others, which don't typically report crimes, have taken active measures for its prevention now.
The most important thing is to have cybersecurity training for your employees. While having a Chief Risk Officer, or a CISO or an information security team can contain threats, the assumption among leadership that this is sufficient is wrong. A single employee clicking the wrong link can put the entire company in danger.
One such breach occurred at high-profile public-sector office, where someone plugged in a USB that dropped 20GB of malware onto the system, taking down the entire network. Luckily this was restricted to this location and did not cause issues at other sites.
Four key steps organisations can take to help prevent such occurrences are:
At a fort, you'd have layered defence. It would start with a moat filled with crocodiles, followed by a draw bridge where you let select people in. There would be high compound walls built with narrow stairs allowing offensive and defensive people to monitor the outside. You would need to cross 7 layers of defence to get to the King and Queen. This is the same model we use in cybersecurity. The simplest way to get around this is like what we see in the movies, where the traitor is already inside.
Insider threats are the easiest. You can very easily compromise a maintenance person, pay him to plug in a USB for 1-2 minutes, and you have someone who can give you access. There's only 1 admin login shared among multiple people for most organisations, and what someone does once they log on can't be tracked. There is new technology being created to track this – Private Access Management (PAM).
To watch the interview - Click here