Under the Modi Administration, India is rapidly coming of age digitally. In the relentless move towards a digital economy, India’s government has developed and implemented several initiatives designed to facilitate citizens’ use of the internet.
Two initiatives making a big difference are Digital Locker — which eliminates the need to carry around hard copies of government-issued documents — and Demonetization, which has vastly incentivized the use of digital payments countrywide. These and other initiatives are praised for the convenience and accessibility of services they offer the average citizen.
As an added benefit, the initiatives are helping drive economic growth, attracting domestic and foreign investors and leading to increased job creation across all sectors.
This dramatic increase in digital activity has led to the creation and compilation of vast mountains of consumer and citizen data that is valuable as a way to better serve customers and speed business along. Unfortunately, because the data is valuable, it is also attracting bad actors who want it for their own nefarious uses.
Rising tide of cybercrime
As India’s digital footprint has grown, so too has the incidence of cybercrime. India is one of the world’s Top 5 destinations for cyberattacks and ranks third worldwide, behind China and the United States, as a source of malicious cyber activity. The rate of “reported” cyberattacks on Indian targets has doubled each year since 2005.
In 2016, the cost of cyberattacks in India reached $4 billion. The actual amount could be much higher, because many attacks are undetected and thus unreported. These attacks cause business disruptions, client dissatisfaction, an increase in insurance cost and claims as well as embarrassing lawsuits.
The situation isn’t expected to improve. Most experts agree that even with increased protective and remediation measures, the cost of cyberattacks will exceed $20 billion within the next 10 years.
Sophisticated hackers have been able to blow through standard firewalls and basic IT security systems because, traditionally, Indian companies have for the most part treated cybersecurity as the responsibility of their IT departments and not as a company-wide obligation.
Indian companies need to be proactive in their cybersecurity management by developing and implementing a strong cyber strategy and including all employees in their efforts. Most importantly, company leaders absolutely must make cybersecurity a high priority.
A target-rich environment
One of the big misconceptions about cyberattacks in India, and around the world, is that they are restricted to the financial services and banking sectors. Hackers aren’t discriminating. They target small companies as well as large, public utilities, government agencies, and even the military.
In June of this year, Symantec Corporation, a U.S.-based digital security firm, identified a sustained cyber-spying campaign, likely state-sponsored, against Indian and Pakistani entities involved in regional security issues. The spying dated back to Oct. 2016 and appeared to be the work of several groups operating with the same goals.
The spying was executed via malware where the attackers used decoy documents related to security issues in South Asia. Reports from mainstream publications like Reuters, Foreign Policy, Zee News and others that dealt with military issues, Kashmir and the Indian secessionist movement carried the malware.
No one is even sure what the purpose of the spying was. This is especially concerning as this is a tension-filled time in southeast Asia. Not only has India raised operational readiness along the border with China, but Indo-Pakistan tensions also remain high over the disputed Kashmir region.
Fortunately, not all is doom and gloom: There are some bright lights on the horizon. Indian enterprises are waking up to the threat and making decisive moves to protect their mountains of data. Although India did not have a national cybersecurity policy until 2013, it has worked hard to implement one.
India presently ranks 23rd out of 165 nations on the Global Cybersecurity Index (GCI). The GCI is published annually by the United Nations’ International Telecommunication Union (ITU) and measures the commitment of nations to cybersecurity.
The top 10 countries most committed to cybersecurity are Singapore, the United States, Malaysia, Oman, Estonia, Mauritius, Australia, Georgia, France and Canada. The ITU considers cybersecurity to be crucial to a nation’s economic development and works to help nations establish effective cyber policies.
The increasing occurrence of malware attacks has highlighted the need for countries to develop and practice cyber protection policies. Per the ITU, “one percent of all emails sent in 2016 were malicious attacks,” the highest rate in recent years.
There is also a movement spreading among domestic enterprises to maintain on-site Security Operations Centers (SOCs) to prevent and quickly respond to industry- or enterprise-specific attacks. SOCs can be expensive and take time to adequately staff, but they are proving their worth in the cyber war.
Major corporations are increasingly buying into the need to strengthen their cyber security policies and are organizing “training workshops” and “awareness camps” for their employees. One example is TATA Group. In August, the company held a chief information officers conference focused on preventing and stopping cyberattacks.
The conference involved external cybersecurity experts highlighting and demonstrating a range of technologies for cyber defense while the CIOs shared best practices for their enterprises. In a statement to the Economic Times, Gopichand Katragadda, Group CTO, Tata Sons, said, “The options and challenges for cybersecurity insurance were also discussed. New and future technologies, such as artificial intelligence and quantum computing, were discussed as they applied to encryption, decryption, and learning normal vs. abnormal operational behaviour.”
Mahindra Group is also taking steps to strengthen its data security infrastructure by holding regular trainings and drills and circulating security mailers to make employees aware of cyberattacks and the damage they can wreak. According to internal numbers, Mahindra servers are also quarantining almost two-thirds of incoming emails because they are detected to contain malware. In a statement to the press, a company spokesman said, “Cyberattacks are no longer a matter of ‘if’ but ‘when.’ Creating awareness among users is one more aspect that every organization needs to take care of.”
A higher price to pay
There is also a movement among some elected officials to mandate tougher laws on those who attempt or complete cyberattacks. While India can easily punish domestic perpetrators, the government is participating in ongoing discussions with numerous other countries to establish international cybercrime standards enabling the reciprocal pursuit and prosecution of cyber criminals.
Perhaps the most interesting development in the cyber wars is the idea of government regulators setting minimum security standards for companies with the goal of instituting a rating system. The idea holds the dual promises of encouraging organizations to take data security seriously and increasing citizens’ confidence that an enterprise will protect their private data. However, critics fear that implementing such a public rating system will act as a lure to hackers who see a company’s high rating as a challenge.
The cyber war isn’t going away. Cybercrime will continue to evolve commensurate with cyber defenses. In a blog post, Rajpreet Jaur, senior research analyst at Gartner, Inc., the world’s leading research and advisory company, shared three essential and practical steps to protecting valuable data in a digital ecosystem:
- Sit with the stakeholders and ask them about the key risks to the business.
- Categorize the risks into high, medium and low, and then tie them back to the organization’s key cybersecurity initiatives.
- Adapt and evolve the organization’s cybersecurity continuously.
Cybersecurity is like most business practices: Oftentimes, sticking with the basics is best.