The digital realm, while offering unprecedented opportunities for growth and connectivity, has also become a fertile ground for malicious actors. The stark reality, highlighted by Verizon’s 2024 Data Breach Investigations Report, reveals a concerning year-on-year surge of over 180% in cybercrime globally.
In an interview with The Sunday Morning Business, Circulo de CISO President and information security and cyber safety adviser Sujit Christy noted that this dramatic increase, derived from organisations and cybersecurity professionals worldwide, painted a picture of an evolving threat landscape that demanded steady attention.
While Sri Lanka’s representation in this specific report remains uncertain, the global trend serves as a potent reminder that we are not immune to these escalating dangers.
Following are excerpts:
Could you highlight the main threats that account for increasing cybercrime?
Within this surge, ransomware attacks account for a significant one-third, while extortion-related incidents constitute 9%. Ransomware, the digital equivalent of ‘information kidnapping,’ cripples organisations by encrypting their vital data, holding it hostage until a ransom is paid.
This malicious tactic has evolved into more sophisticated forms. ‘Double extortion’ sees attackers not only encrypting data but also stealing it, amplifying the pressure on victims with the threat of public data leaks and the ensuing reputational damage. The emergence of ‘triple extortion’ further escalates the stakes.
Beyond encryption and data theft, attackers may launch crippling Distributed Denial-of-Service (DDoS) attacks, disrupting operations and potentially targeting third parties like customers or business partners. By reporting the victim to regulatory bodies, they introduce another layer of consequence – legal repercussions and financial penalties.
This relentless evolution of cybercriminal tactics underscores the urgent need for robust and adaptive cybersecurity strategies.
Currently, Sri Lanka’s publicly available cybercrime data is limited, primarily relying on complaints lodged with the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) and the Police Computer Crime Investigation Division. However, this likely represents only the tip of the iceberg, as many incidents go unreported. A more systematic approach to data collection is crucial to gain a comprehensive understanding of our national cyber threat landscape.
What have been the initiatives undertaken by the Government in this regard and how have they helped?
In a significant step forward, Sri Lanka stands as the first country in the region to formulate a Personal Data Protection Act, currently awaiting enforcement following recent amendments. This proactive measure aligns with the global movement towards safeguarding personal information.
In fact, some private sector organisations, particularly those with international exposure or listed on the stock exchange, embarked on their privacy journey as early as 2015, driven by the need to comply with regulations like the General Data Protection Regulation (GDPR).
However, within Sri Lanka’s diverse ecosystem, encompassing private enterprises and Government entities, a noticeable disparity can be witnessed in the maturity of technology adoption, business process transformation, and adherence to privacy regulations.
Recognising the crucial role of the digital economy, the Government has established the Ministry of Digital Economy, bringing together leading industry experts to spearhead digital transformation initiatives.
Complementing this, the Information and Cybersecurity Strategy of Sri Lanka, formulated by Sri Lanka CERT with World Bank assistance and oversight from the Ministry of Technology, explicitly addresses the necessity of adapting our legal framework to meet the demands of a resilient digital economy and counter modern cyber threats.
Despite these positive developments, cybercrime often remains underreported in traditional media, fostering a perception among citizens that it is not a significant concern. There is also a considerable gap in public awareness regarding basic practices for securing personal and sensitive information, which is a vulnerability that extends to organisations as well.
Could you explain the nature of cybercrimes, especially pertaining to financial crimes?
Cybercriminals are adept at exploiting popular social media platforms like WhatsApp, Instagram, and Facebook, luring unsuspecting individuals into disclosing sensitive information such as One-Time Passwords (OTPs) and money, often capitalising on a lack of awareness or the enticement of quick gains.
The threat landscape is further complicated by the increasing sophistication of cyberattacks. Technologies like deepfakes, along with the power of Artificial Intelligence (AI), are enabling cybercriminals to innovate novel ways to deceive, launching highly targeted impersonation attacks and sophisticated phishing campaigns.
We have even witnessed instances of substantial financial losses resulting from interactions with bots convincingly impersonating humans in virtual meetings. A common thread in phishing attempts, whether via email or phone calls, is the exploitation of emotions like anger, fear, and urgency to manipulate victims.
Could you comment on the aspect of compliance with cybersecurity policies in the country and the implications?
Sri Lanka CERT has been diligently working to raise awareness through various channels, often operating with limited resources. Its efforts, though perhaps not always visible to the wider public, are commendable.
However, a more widespread and localised awareness campaign is essential. We need more voices on the ground, simplifying complex cybersecurity concepts and spreading the message to diverse communities, to ensure that everyone understands the tangible threats we face.
While the lack of comprehensive national data impacts our ability to fully grasp the dynamics of the current situation, several accounts reveal the devastating consequences, with individuals losing their life savings and even falling victim to modern slavery through online manipulation.
An important aspect of our cybersecurity posture is addressing non-compliance with national cybersecurity policies, particularly within financial organisations. We must also critically evaluate the adequacy of our existing legal framework to effectively address this rapidly evolving threat landscape.
While our legal framework has a broad foundation, it is important to identify existing gaps and proactively work towards addressing them rather than simply deeming it insufficient. Effective enforcement depends on widespread awareness across all levels of society, a task that cannot be handled by a single entity alone.
Every capable individual and organisation therefore must actively participate in this endeavour. Building trust and fostering collaboration with civil society is of significant importance in finding comprehensive solutions, while a robust and well-instituted feedback mechanism is essential for effective law enforcement and mitigation strategies.
The Information and Cybersecurity Policy for Government Organisations, approved in 2022, provides a risk-based framework for implementing comprehensive cybersecurity programmes within public sector entities. This policy, aligned with international standards and best practices, outlines essential actions for identifying and protecting assets, detecting and responding to security incidents promptly, and ensuring efficient recovery from cyberattacks.
The mandatory compliance for all Government organisations defined as public authorities suggests the seriousness with which the Government views cybersecurity. Achieving widespread compliance requires dedicated efforts in awareness creation, clear identification of stakeholders and accountabilities, and effective communication strategies to keep all relevant parties informed and consulted.
What is the scope for improvement?
There is significant scope for improvement, particularly in addressing resource constraints, including financial limitations and a shortage of specialised cybersecurity skills within Government bodies.
Moving forward, a fundamental shift in approach is required and security must be embedded as a default element in every new digital initiative. The mantra should be ‘secure by design, privacy by design’ rather than treating security as an afterthought.
Turning our attention to digital payment platforms and prevalent finance-related cybercrimes, it is reasonable to assume that platforms like GovPay have undergone thorough security assessments, especially with the involvement of entities like LankaPay, which prioritises security. Incorporating best practices into such critical infrastructure is essential.
However, all technological components have a lifecycle, which requires continuous security assessments and proactive measures to address emerging vulnerabilities. Regular audits are also crucial to ensure that systems are functioning as intended. Given that financial systems are prime targets for malicious actors, a holistic approach including technology, processes, and people is essential to minimise risks.
With the shrinking lifecycle of technology, how should Sri Lanka approach cybersecurity?
Sri Lanka must adopt a proactive and agile approach to cybersecurity, recognising the rapidly shrinking lifecycle of technology. With new technologies emerging every six months, organisations’ strategic planning for three to five years is increasingly challenged.
This rapid technological advancement, along with brain drain and a widening skill gap in the IT sector, presents a significant opportunity for cybercriminals. Organisations may lack the expertise to implement new technologies securely or the resources to maintain them effectively. Evaluating the return on investment in cybersecurity can also be challenging, as the benefits are often intangible until a breach occurs.
Therefore, there is a need for a shift in perspective where organisations consider the potential costs incurred by competitors or the expense of recovering from a data breach. The prevalent practice of storing sensitive data without robust protection measures like multi-factor authentication further worsens risks. Every organisation must prioritise identifying critical assets and information and adopt a risk-based approach to security.
How well protected is the data of citizens, especially those related to finance?
The protection of citizens’ personal data, particularly that held by financial institutions, shows a common attack pattern, based on targeting individuals through their usernames and passwords.
Today, with users accessing data from anywhere, attackers focus on targeting and compromising identities through various methods, including guessing weak passwords, deploying keylogging malware, and employing password spraying techniques across multiple platforms. This highlights the importance of two-step or multi-factor authentication as a fundamental preventative measure.
Educating every citizen on how to protect their digital identity, particularly regarding password hygiene and enabling multi-factor authentication, is important. While general awareness campaigns are valuable, exploring mechanisms to encourage or even mandate the adoption of strong authentication practices is crucial, while carefully considering user experience.
How should cybersecurity be embedded in application development?
Application development must prioritise both user experience and security. Systems should be designed to ‘fail safely,’ ensuring that no sensitive information is disclosed even in the event of a security failure, preventing unauthorised access.
The principles of ‘secure by design’ and ‘privacy by design’ must be integrated from the outset. Treating security as an afterthought often leads to costly rework and potential business impact, especially when competitors are already prioritising security.
Adopting a ‘shift left’ approach, integrating security requirements early in the design phase, and conducting thorough testing allows for the identification and remediation of vulnerabilities before deployment.
Cultivating a security and privacy-centric mindset during the design process, without compromising user experience, is essential. Solution providers also have a responsibility to proactively develop user-friendly security measures that encourage widespread adoption.
In the event of system cybersecurity breaches, the initial point of failure often lies with human error, whether by a user or an administrator, followed by vulnerabilities in applications. These weaknesses can be exploited by attackers to bypass security controls and directly access databases.
A significant challenge for organisations is managing access control, determining who needs access to what information. A clear understanding of processes, personnel, and data types is essential for implementing the principle of least privilege, granting only the necessary access rights.
How important is timely recognition by organisations to prevent cybercrimes?
The cybersecurity journey is a continuous process requiring constant vigilance and adaptation, and therefore addressing existing vulnerabilities swiftly and considering this matter with utmost seriousness is essential.
Regarding the Personal Data Protection Act, even with extended deadlines, it is concerning how many organisations in Sri Lanka have yet to initiate internal discussions. It’s important to recognise that data protection extends beyond customer information to encompass employee data, which organisations often possess in greater volumes.
Securing administrator accounts with elevated privileges is paramount, followed by steady protection of sensitive information and the identities of both users and employees. Implementing mechanisms to continuously monitor the effectiveness of security controls is essential. Organisations must also have well-defined incident response and remediation plans to address detected threats and restore systems to their original state.
Addressing the cybersecurity skill gap requires a multi-pronged approach. While academic institutions have introduced cybersecurity-related degree programmes, the depth and practical relevance of these programmes can vary.
Industry certifications, such as the Certified Information Systems Security Professional (CISSP) from ISC2 or other certifications from the Information Systems Audit and Control Association (ISACA) and International Association of Privacy Professionals (IAPP), serve as globally recognised benchmarks for cybersecurity, assurance, and privacy professionals, validating their knowledge and alignment with best practices. Encouraging individuals to pursue these certifications is crucial.
Knowledge-based economies like Singapore actively attract and cultivate cybersecurity expertise. In this regard, it would be beneficial for Sri Lanka to also invest in developing its own talent pool. While some Sri Lankans are pursuing advanced research in AI abroad, local universities often face funding constraints and a lack of focus in these critical areas.
The global cybersecurity skills gap is substantial and continues to grow, worsened by the rapid advancements in AI. Adapting to this evolving landscape requires a commitment to continuous learning and upskilling. Embracing AI will reshape workforces, requiring strategies to repurpose individuals engaged in routine tasks.
Despite these challenges, significant opportunities exist within the cybersecurity domain. The potential for growth is immense, but it depends on cultivating a workforce with the right skills and, equally importantly, the right attitude. By fostering a culture of security awareness, investing in skills development, and embracing proactive measures, Sri Lanka can navigate the rising tide of cyber threats and build a more secure digital future for all.