You can’t expect to build a fortress without a solid base. No matter how fancy it may look on top, eventually, it will all start to crumble down without a firm base to stand on. The case of IT-related advancements without any firm Cybersecurity base to stand on in Nepal is a similar one. No matter how many bricks you add on top, it’s like a house of cards. Everything starts to fall apart at the slightest touch or gust of wind.
Cybersecurity related incidents are on the rise, not just in Nepal but globally. A large scale study in the University of Maryland found that computer systems and networks are attacked by malicious hackers worldwide every 39 seconds. Every 24 hours, 300,000 new variants of malware cause an average of 2,244 cyber-attacks. And statistical reports say that only 5% of companies can keep up with this hectic increase in crime rate. Is it really that surprising that this is a recipe for disaster?
Cyber attacks in the context of Nepal… and its cost
Unless you’ve been living under a rock for the past few months, you’ll be well aware of the fact that quite a lot of cyber-attacks and data breaches have occurred in Nepal recently. In March, FoodMandu, a popular food delivery app, had its database breached. The personal data of over 150,000 users were breached and 50,000 entries were publicly leaked. Vianet was the next to the guillotine. A hacker group by the name of “नरपिचास” leaked the personal info of over 170,000 users on twitter which included the name, address, mobile number and email addresses of the Vianet subscribers.
Just yesterday, twitter handle @satan_cyber_god leaked the personal info of hundreds of PrabhuPay users, private info of 69 teachers and employees affiliated to TU CTEVT and… as an icing on the cake, also publicly threatened the Nepali Congress twitter handle about exposing their donation list. The twitter handle seems to represent a group instead of an individual (use of pronouns like ‘We’ and ‘us’ instead of ‘me’ or ‘I’). They claim ‘This is not a breach’, on the tweet linking the public dump. So, this may hint that the data of PrabhuPay users was maybe already publicly accessible. This is something which, if true, would be extremely shameful for Prabhu.
And these are just the major ones that have gained public traction. Nepali companies face major cybersecurity attacks on a weekly basis. Some days, it is a major News portal that gets its data encrypted by ransomware. On others, it’s a company sleeping on malware that is remotely uploading user data and passwords to their servers. Just earlier this year, a gigantic (and I do mean GIGANTIC) porn stash was found publicly accessible in the DDC Parsa government website. It’s wholely possible the folks working there are very keen on sharing their personal interests to the public. Or maybe a security flaw was behind this as well.
The ones who suffer truly… the users:
But is this all to it, cheap fun? Why is it that every time a company gets hacked it’s the users who face the blunt of the hit? Are users really that cheap of a commodity that companies can burn and warm their paws with? Do we just quietly face the threats getting our data sold off on black-markets for online extortion and identity theft without complaining? Is end-user privacy a joke? With banking and finance moving rapidly online, one could have their entire bank balances robbed… business accounts, personal email, and social media handles compromised. Who is it to blame?
The ones responsible and how can we prevent these incidents:
The Goverment, faulty cybersecurity policies and even faultier policy abiding measures:
In today’s world, criminals are rapidly moving their operations in the comforting arms of Cyber-space. Cyber-crime seems both lucrative and relatively safer to many. It’s natural… as they say, “crime always finds a way”. But aren’t the unfollowed security policies and lack of security measures equally guilty for inviting cyber attacks with a loving ‘Namaste’?
Despite there being cybersecurity policies aimed to provide timely checks on the security status of computer systems, it vaguely seems that the government bodies responsible for regulating Nepalese info-space aren’t too keen on making companies follow them. It is natural for systems and their developers to focus more on functionality than on security. Companies focus on netting profits for their stakeholders as much as they focus on satisfaction to their customers. Sometimes it’s a deadly weigh scale, where tipping on one side means that the other side suffers greatly.
Well to be fair, there ARE various bodies like the Computer Emergency Response Team (CERT), the Department of Information Technology(DoIT) and various other organizations fighting against security vulnerabilities, cyberbullying, etc. The sad this is they seem to follow a model of “Why prevent when you can probably cure” instead of the old, “Prevention is better than cure”.
Needless to say, this isn’t the best policy… anyone who’s studied primary level Health and Physical Education can confirm.
Companies themselves… and the users that use them:
Another major issue is the lack of proper measures by the companies themselves. In modern cyber-space, cybersecurity should be the top concern of businesses. A simple security flaw can cost a company a LOT. Along with monetary loss, the companies can face public distrust and humiliation. Keeping customers is as important, if not more, than getting new users, and a security incident will drive both types of users rapidly away. And everyone knows, losing customers isn’t good for business.
Instead of waiting for cybersecurity incidents to hit and then to cover it up from the public, companies should take proactive responsibility and hire skilled professional cybersecurity experts to patch security flaws from time-to-time. It’s interesting to note that many hackers step into the “Grey” area for a reason. Most notify companies about their vulnerabilities and claim that companies don’t respond to their concerns ahead of time, forcing them to cause a public outrage to get attention. On the other hand, the peeps on the “Black” side of the fence, well… they don’t give a hoot. As such, a company should always take adequate measures to protect themselves and their valuable users from such malicious attacks.
Customers and end-users themselves also need to be aware of the various tactics and tricks hackers can use. Awareness against social engineering attacks is a must. And practices, like choosing secure passwords, not using the same passwords for multiple sites, using a trustable password manager, etc, can go a long way.
Cybersecurity isn’t a choice anymore. It’s a responsibility!
With improvements on all three sides, it’s possible that we may finally graduate from being a punching-bag in the digital world. This way, we can get ourselves and our systems to be more secure from threats and attacks that inevitably befall us eventually. And as for the consequences of not following them… they grow larger every passing day.