Cybersecurity: Risks and Best Practices
In conversation with Amit Dubey, Cyber Forensics and Ethical Hacking Specialist, National Security Expert
Executive Summary
Data is today as valuable as currency, and the steep rise of ransomware attacks in recent years is proof of just how large the payoff from such crimes can be.
If a service is ‘free,’ it often means you are ‘paying’ with valuable personal data. Protecting this data limits risk and increases resilience against cyber threats.
The following proactive steps can help limit data exposure, protect against cyber-attacks, and strengthen overall security on a personal and organisational level:
Limit app permissions
Manage account access
Monitor Google Dashboard
Enable device-specific security
Use Red Team exercises
Educate employees on data protection
Cybersecurity risks continue to rise, with a reported 20% of Indian users falling victim to cyber threats in the first quarter of 2024 alone and several high-profile cases recently coming to light. Scams are becoming more sophisticated, targeting even well-informed individuals. At the same time, with rising penalties for non-compliance, companies are under pressure to tighten their defences. At a recent cross-Forum online session, renowned cyber-security expert Amit Dubey shed light on the current cybersecurity landscape and outlined some best practices.
Data: A Prized Commodity
In an interconnected world, data is a valuable resource – yet one that is increasingly exploited, often without users realising it. Many of our everyday interactions with apps, websites and services result in large-scale data collection, with few safeguards in place to prevent misuse. Each time we install an app, it is critical to understand the types of data it might access and collect. Often, apps are designed to copy not just contact information, but also other files and details stored on the device. Once captured, data becomes an asset, subject to sharing, selling or other uses by third parties. Popular social platforms that continually monitor phone activity use data such as voice notes, location details, fitness levels and calendar events to build a comprehensive profile of each user. Despite being marketed as ‘free,’ these platforms generate massive profits by selling user data to advertisers, researchers, and sometimes to less-credible entities.
The cycle of data exploitation is not limited to social media. Search engines and ad platforms can inadvertently promote illegitimate or harmful services, as they lack mechanisms to thoroughly verify advertisers. A quick Google search, for example, can easily display sponsored links from potentially fraudulent sources, often outranking authentic contacts. Criminals exploit search engine optimisation (SEO) and advertising tools to boost their visibility, allowing them to embed fraudulent links or customer service numbers ahead of genuine ones, undermining public trust and safety.
Targeted Threats
Criminals often tailor their tactics depending on whether they are targeting individuals or organisations, exploiting data to penetrate both. For individuals, attackers typically begin with a process known as open-source intelligence (OSINT), a form of reconnaissance where they gather publicly accessible information about a target. This can include passwords, financial details or personal records collected from social media or various apps. With this information, they can impersonate individuals or bypass security questions, gaining unauthorised access to sensitive accounts. When targeting companies, attackers may employ more sophisticated attack vectors, such as phishing or malware. These methods exploit weak points in corporate networks or employees’ digital habits, allowing criminals to access valuable company data. By infiltrating through individual employees, attackers can gather critical organisational data, financial records or proprietary information, often with the intent to sell it or leverage it for ransomware attacks.
Personal information is often picked up from open-source platforms and websites, and hackers can unlock access to your data with your your mobile number or email address. Many fraud cases involve victims unknowingly sharing an OTP, clicking a malicious link, or scanning a QR code. However, attackers rarely request passwords outright; instead, they create scenarios that enable them to access accounts without needing either a password or an OTP directly from the user.
Managing Cyber-Risk
Reducing data leaks and minimising your digital footprint are essential. Excessive information on open-source platforms increases vulnerability for both individuals and organisations. For companies, a Red Team Exercise – where ethical hackers assess exposed information on the Dark Web and other sources – can reveal potential leaks. This allows organisations to proactively update processes and safeguard sensitive data. If a service is ‘free,’ it often means you are ‘paying’ with valuable personal data. Taking measures to protect this data helps limit risk and increases resilience against targeted cyber threats:
· Limit App Permissions: Regularly review and restrict app permissions on your device. Check which apps have access to your SMS, contacts, camera and microphone, removing unnecessary access. Many apps only need temporary access, but we grant it permanently, increasing vulnerability.
· Manage Account Access: Avoid keeping important email accounts logged into multiple devices, especially shared devices like an old phone or family laptop. Shared access makes it easier for criminals to remotely retrieve sensitive data or install malicious apps without your knowledge.
· Monitor Google Dashboard: Use Google Dashboard (http://myactivity.google.com/) to track device and app activity and reveal any unknown applications that were installed or deleted. For enhanced security, check your location history and download logs to detect suspicious activities.
· Enable Device-Specific Security: Protect critical accounts with two-factor authentication (2FA) or backup codes but be cautious with backup OTPs stored on devices or shared across multiple devices. Criminals often exploit backup codes, so ensure your device is secured, and change backup codes regularly.
· Use Red Team Exercises: Companies can conduct Red Team exercises to locate and secure exposed employee information or leaked data. Engaging ethical hackers to search for vulnerabilities in company data on the Dark Web can help identify areas where data is exposed.
· Educate Employees on Data Protection: Make staff aware of the risks of sharing OTPs, scanning unknown QR codes or clicking on unfamiliar links. Criminals often exploit simple errors to gain access to company systems, so ongoing training is essential.