Crisis in Sri Lanka Affects Local CybersecurityCollapse in Currency Means Cybersecurity Could Become Unaffordable
Political unrest that included protestors storming the presidential palace amid a financial crisis causing shortages of food and medicine has another downside for Sri Lanka: growing insecurity in cyberspace.
Collapse of the Sri Lankan rupee has caused the price of cybersecurity product license renewals to skyrocket. Opportunistic hackers are treating the emergency as an excuse to pillage as many companies face heightened phishing and distributed denial-of-service attacks. Cyber insurers are leery of renewing existing policies.
Jayasiri Amarasena, CEO of Sri Lanka CERT, can easily describe the situation of the past few months: "phishing attacks, financial fraud, ransomware attacks and breaching of infrastructure." Digital vandalism on government websites is common. The culprits, he says, are more likely opportunists than organized groups.
"An investigation of those attacks reveals that many of them were triggered from outside borders of the country, and performed not by organized groups, but by the individuals with malicious intentions," he tells Information Security Media Group.
The ransomware attacks are typically low in sophistication, he says. And for good reason - organized groups know Sri Lanka isn't a jackpot.
"Small-time individual hackers are trying their luck or honing their skills," Amarasena says. Prevalent among ransomware victims are students or photo studios, he adds. "We do not really know a specific reason why students and photo studios are targeted."
Sujit Christy, a group CISO at John Keells Holdings, one of Sri Lanka's largest conglomerates, says he's seen data indicating that phishing attacks are prevalent in the manufacturing, education and healthcare industries. "These are the industries that have been hugely impacted by the crisis, and investing in cybersecurity products is not their priority right now," he says.
The education sector is also experiencing ransomware attacks, he says, but Christy also believes the attacks are amateurish.
Difficulty in Renewing Security Licenses
For many companies from the telecom, banking and the manufacturing industries, the economic crisis is a double whammy of low revenues and a collapsed currency. For those with security products licenses that have expired or are about to expire, cybersecurity threatens to become unaffordable.
"I have put in a request with my security vendor to extend their services to us out of goodwill. Dollar values have skyrocketed in the past two months. They have been kind enough to extend their services by a few more months," says Harsha Wanigatunga, chief information officer at Seylan Bank.
Not everyone is as lucky, especially small and medium-sized businesses. "Their primary market is Sri Lanka, and they have been seeing a reduction in demand for a long time. For them, it has been particularly tough," Wanigatunga says.
Those companies have either switched to manual mode or are seeking help from open-source software, he says.
A head of IT at a company in the hospitality industry who asked to remain anonymous said the firm had no choice but to let the license of its DDoS mitigation service expire in March. The vendor is allowing the company to use an older version of the product.
"It was part of our sales agreement. In addition to this, we are also monitoring manually, but that is tough," the hospitality executive says.
Darshana Jayasuriya, chief information officer at telecom Airtel's Sri Lanka office, said some companies technically have access to American hard currency to extend licenses for a few more months. "We are headquartered out of India, so paying in dollars is not such a huge issue for us. However, the situation is not easy. Dollar values have gone up considerably and we don't want to spend more than what we had budgeted for. Fortunately, our vendor has been generous enough," Jayasuriya says.
"Most vendors I know of have been very understanding and extended their credit period. Alternatively, they are trying different means like paying on a staggered basis," says Jeewapadma Sandagomi, senior vice president, enterprise risk management at Mobitel, a leading mobile service provider in Sri Lanka.
Impact on Cyber Insurance
Cyber insurance companies have become leery of providing or renewing insurance for companies in Sri Lanka.
Though the cyber insurance market in the country is small in size and has yet to mature, estimates by Mordor Intelligence suggests it was set to explode. Premiums grew from US$600 million in 2010 to about US$2 billion in 2018, Mordor found in a recent report. Lloyd's cyber insurance reports a premium growth of 45% year-on-year since 2012 in the Sri Lankan market.
Bhishma Maheshwari, senior vice president at Marsh India, says cyber insurers have to take a step away from Sri Lanka - for now. "While cyber insurance is an effective risk transfer tool, there are other aspects of risk management, which contribute to the prevailing cyber market conditions in Sri Lanka," Maheshwari says.
Reinsurers "are of the opinion that the crisis will negatively influence the ability of the firms to continue to invest in cybersecurity."