Time has comes for nepali enterprises to bolster their cyber defences against the substantial threats presented by cybercriminals
At a time when data has become the most valuable asset the world over, the level of cybersecurity threats has elevated for enterprises in Nepal. Domestic business institutions that were largely insulated from the global cybersecurity epidemic such as data theft and network attacks until a half a decade ago due to their low exposure to the worldwide internet connectivity, now find themselves surrounded by several such threats.
The last few years have seen increasing incidents of cyber attacks in Nepal orchestrated by foreign hackers. According to Uttam Raj Subedi, spokesperson at Nepal Police, there have been several data breaches of organisations in the country in recent years, but the institutions victimised by such incidents have attempted to conceal the breaches. “With the expansion of financial services, hackers are attempting to extract the data of customers to steal money,” says Subedi, who is also the Senior Superintendent of Police (SSP).
The biggest case of a cyberheist in Nepal was registered in October 2017 when foreign cybercriminals hacked the SWIFT system of NIC Asia Bank, stealing millions of rupees. SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a network which enables banking and financial institutions to send and receive money. While the bank later recovered most of the amount, the incident showed how vulnerable the Nepali enterprises are to cybersecurity threats.
“Most enterprises in Nepal are not willing to embrace the costs, and hence compromise on security by using basic protection,” says Sagar Dev Lakhe, founder and chairman at Sagar Group of Companies, the authorised distributor of Kaspersky security systems in Nepal. Kaspersky is a Russian antivirus and internet security brand that has been providing a range of security solutions to households as well as corporate clients. According to Lakhe, phishing attacks are a significant cybersecurity problem for enterprises in the country. A phishing attack is a cyber attack to extract user login details, credit card credentials, and other types of personal, business or financial information. Nepal Police, which has already registered five phishing attacks by the end of December 2018, is said to be investigating the incidents.
“Evaluating the network and cyber security scenario is a tedious task for enterprises and requires trained professionals to test the situation of network and security. This is the main reason many enterprises don’t implement a complete security solution in Nepal,” says Lakhe, adding that many enterprises are vulnerable to cyber attacks because of the use of pirated and cracked software. “Many enterprises are suffering from basic virus and spam attacks due to the lack of proper implementation of security solutions,” he notes.
Better Preparedness of Banks
The world over, the financial services sector has been the most vulnerable business area to cyber threats. Loose integrations, outdated technologies, unpatched systems, the absence of data encryption, unfixed vulnerabilities, inadequate process control, the lack of IS review etc. are some of the significant factors that expose BFIs to cyber threats, say experts. The fast expansion of electronic banking, network connectivity along with growing ‘smartness’ of cybercriminals and increasing sophistication of their moves have led the financial services providers to focus on cybersecurity besides regular business activities. Compared to other businesses that do not rely much on sophisticated IT systems in terms of data storing, banks in Nepal are also keeping their security systems up-to-date to protect their valuable data. Nepal Rastra Bank (NRB), the banking sector regulator, has also increased its role in this context. Through its directives, NRB has mandated BFIs to review and audit their security systems regularly to minimise risks. In this context, bank promoters and bankers who until a few years back did not prioritise cybersecurity readiness, are gradually becoming attentive.
Dhawal Bharat Dave, chief technology officer (CTO) at Nepal SBI Bank, says banks need to keep updating technologies that are implemented at several layers. “As such, there is no single solution which provides fool-proof and guaranteed protection. Weak internal data control and process mechanisms enable hackers to exploit the vulnerabilities,” he mentions. According to him, Nepal SBI has deployed the latest firewalls and patched its systems along with secured configurations. Additionally, the bank conducts continuous monitoring and regular audits while practicing stringent access controls, best industry policies and guidelines that help it in protecting the systems from cyber threats. “We at Nepal SBI have zero outsourced employees. Moreover, out of the permanent staff, access to applications is restricted to authorised personnel as per their specific roles. Even desktop access is controlled through Active Directory Services,” informs Dave. After the hacking incident, NIC Asia took steps to add robustness to its cyber defences.
According to a source at NIC Asia, the bank spends over Rs 1 billion on the IT Department, which includes purchase/upgrade of banking software. “No matter how secure the IT system of an institution is, threats will always exist in terms of cybersecurity. It is not that NIC Asia’s cybersecurity was weak before the hacking incident. The system was hacked during the Tihar festival when only a few security professionals were working. After the incident, we reviewed our overall security system and upgraded it. Also, the cybersecurity professionals at the bank now work 24/7,” the bank source adds.
According to SSP Subedi, cyber crimes such as system hacking and ATM frauds are reported often. In September 2017, the Central Investigation Bureau (CIB) of Nepal Police arrested a Turkish citizen for duplicating cards and withdrawing cash from ATM booths in Kathmandu. Subedi says BFIs know of cyber threats and have adopted security systems accordingly, but customers should also be wary of ATM frauds. “Over 50 percent of ATM frauds can be avoided if people follow basic instructions like the security of their PIN code and reporting to the concerned authority on loss and theft,” he says adding, frauds reuse the stolen card, or track the information through CCTV and other devices to steal money.
The rising number of thefts in ATM counters led BFIs to install security cameras in their ATM booths as a countermeasure to check such activities. This has helped reduce the cases related to ATM frauds in recent times. Also, notification alerts to banks customers such as sending SMS messages when any sum of money is debited or credited to their accounts have also been helpful in this regard. “ATM skimming and cloning are major issues in the ATM product of the banking sector. This issue was observed substantially for magstripe ATM cards, however after replacing the cards to EMV chip and securing our ATMs we are not facing such issues,” says Dave of Nepal SBI.
According to Lakhe, the increasing number of cyber hacking cases has made enterprises more aware of the threats and consequences of these attacks. “Most enterprises in Nepal have started using licensed software as much as possible. They are also implementing advanced security measures for antivirus solutions, an intrusion detection mechanism and multiple back-up maintenances,” observes Lakhe.
“The threat of cyber attack in the system always remains. So banks keep on upgrading the system and software regularly,” says the NIC Asia official. “Despite our best attempts to make the system secure, cyber attackers can potentially hack the system, so awareness among businesses is a must,” he adds. According to Lakhe, Kaspersky security solution has a wide variety of product segments starting from security for end-points (PCs and mobiles), file/data server, mail server, internet gateway, targeted attacks, and firewalls. “The solutions can be implemented in small business, medium business and enterprise level business in a scalable manner and PPU (pay-per-user) model,” he adds.
Nepal SBI Bank has been using the highest level of secured configurations and monitoring mechanisms for networking devices, data encryption, SOC, Database Access Management and Network Access Control. “Before rolling out any new application or module, a comprehensive Information Security review is conducted by third-party IT auditors. We also ensure IT awareness among our staff through monthly IT magazine and extensive training. This becomes the first line of defence to cyber risks,” concludes Dave.