n a cold winter night in December 2015, Manan Shah, founder of Vadodara based cyber security firm Avalance Global Solutions, woke up to an alarming text message from a prospective customer. “Your competition says you can be hacked. Why should we use your services?”
A hassled Shah realized that a competitor had taken down his IT systems and informed the prospective client about it. After plugging the holes in the system, the first thing Shah did was remove the “Success Stories” section on his company website. He did not want other competitors to know who his other clients were.
Shah’s firm isn’t the only one to get attacked by a rival. “Cyber security firms getting attacked by rivals in the business is quite common. It’s quite the norm,” says Shah.
Exploding demand for cyber security has led to a boom in the number of firms offering services. According to Data Security Council of India (DSCI), India’s cyber security market is expected to grow to $35 billion by 2025 from about $4 billion currently.
“And there are over 150 vendors – big and small – competing in that space. CheckPoint, IBM, Fortinet, and Kaspersky on the one hand, and more than 120 start-ups and smaller companies operating in niche solution areas,” says Sandeep Sharma, Research Manager, Software and Security, IDC.
This splintered market is probably the biggest reason for the cutthroat competition and the desperation to bag business using hook or crook.
The Managing Director of a Russian cyber security firm with customers in India says that he often gets emails that appear genuine and ostensibly offer sensitive data of larger rivals. “I have got many emails from unknown people sending me attached vulnerable documents on competition information. My solutions protect me but I fear for CEOs at regular organizations that get phishing emails like these,” said the executive, who declined to be identified.
The same executive also mentions that whenever a customer walks into his office and tries to connect via the office Wifi, their antivirus platform scans and determines the user’s devices for external threats. Once the platform clears the devices, the visitors are allowed to use their devices.
Sunny Vaghela, director, Tech Defence labs says that on many occasions the personal laptop of the CTO of a leading Unified Threat Management provider in India, who he knows personally, was compromised and details were leaked out. “Sometimes, CEOs and CIOs of cyber security companies in India do not keep their laptops behind their own firewall and as a result get targeted,” says Vaghela.
Most cyber companies seldom report hacking incidents fearing reputational damage. “Just because they are providing security solutions, it does not mean that they cannot be breached. Most of them fear that they might be branded unsecure so that fear stops them to reveal all murky details of their hacks,” says Pavan Duggal, senior Supreme Court advocate and a leading cyber law expert.
An executive from a California based cyber security firm that has millions of customer across the globe says that cyber attackers have often used public sources on the internet to identify where senior cyber security executives travel on speaking engagements so that they can send them phishing emails which look legitimate. For instance, if they find out that a senior executive is traveling to a particular city to speak at a convention, they often send an email pretending to be the organizers of the event or the hotel staff where they are staying.
“In certain cases, they send travel itineraries or conference materials to target the executive’s assistant’s laptops or smartphones,” says the executive.
But not always there are organizations behind an attack for nefarious reasons. Back in 2011, famous Indian Hacker & founder of AFCEH (a cyber security course for students) Ankit Fadia challenged on CNBC announcing a direct job offer to any security researcher who is able to hack his website. Himanshu Sharma, an ethical hacker rose to the challenge and successfully hacked his website.
But things got interesting when Sharma tried to contact Fadia to inform him about the completion of the challenge but received no proper response from him. Meanwhile, the website was patched. “After waiting for around 6 months without an acceptance email from Fadia, Himanshu tried and was successful in breaching the website of Ankit Fadia again and caught the attention of media as he defaced the website. Till now Fadia has not made a public comment about the entire incident.”
“One can never ensure 100% security, even if you are the head of a cyber security firm. Everyone is being hacked, the difference is only if they are aware of it or not,” says Ankush Johar, Director, BugsBounty.com.
Similarly, Shritam Bhowmick, Red Team Lead, Defencely Cloud Security says that cyber security companies are proactive in building their trust relationship with clients & very much take effective measures from the beginning. “However, Lack of an in-depth Transparency, Trust, Policies, and Governance to Motivated Psychological Conditions of hackers hired can create just not reputation loss but a massive data loss to the security company.”