India’s digital growth trajectory makes it an attractive target for cybercriminals. The large-scale initiatives of the government such as Digital India and the Smart Cities Mission are leveraging emerging technologies. Though positive for the economy, the digitalisation efforts come with their own set of cybersecurity risks. As systems are getting more interconnected, the industry is grappling with an increasing number of breaches and sophisticated cyberattacks, driven by different motives. While instances of cyberattacks in the past were largely for monetary gain, reasons for attacks now also include reputational damage and power play, further compounded by state actors. Network scanning, probing and vulnerable services accounted for over 61 per cent of the 208,456 cyberattack incidents reported in 2018, as per the Indian Computer Emergency Response Team (CERT-In).

According to a recent survey by Fortinet, 85 per cent of chief information security officers view security issues related to digital transformation of companies as a significant challenge. As a result, companies are keenly looking at innovative tools to protect themselves from cyberattacks and threats. As per a report by PwC India and the Data Security Council of India, the cybersecurity market in the country is expected to grow from $1.97 billion in 2019 to $3.05 billion by 2022, registering a compound annual growth rate (CAGR) of 15.6 per cent. The cybersecurity market will be defined by three key sectors: the banking and financial services industry (BFSI), IT and ITeS (information technology-enabled services), and the government. Altogether, these sectors will account for 68 per cent of the market share.

The BFSI sector accounts for 26 per cent of the total expenditure in the cybersecurity market. The sector is expected to increase its expenditure to $810 million from the existing $518 million by 2022, at a CAGR of 16.1 per cent. This growth estimate can be attributed to several factors – tightened directives from regulators and the rapid adoption of technologies like digital lending, utility payments, e-commerce, online insurance marketplaces and mobile banking – to drive operational efficiency and customer convenience. Meanwhile, the cybersecurity spend in the IT/ITeS sector is expected to grow from $434 million in 2019 to $713 million by 2022 at a CAGR of 18 per cent, the highest among all sectors. It is estimated that by 2021, there will be 1.5 networked devices per individual. With the IT sector being one of the largest employers globally, a huge upsurge is expected in the number of endpoints, which are identified as the most vulnerable points of entry for cyberattacks.

The government sector is highly prone to cyber espionage as adversaries are not just aiming to obtain state secrets but also to access citizens’ personal data. More than 275 government services are leveraging 1.24 billion Aadhaar enrolments to provide benefits to citizens. Digital inclusion has been enhanced with 337 million Jan Dhan accounts and 93 million health insurance policies already linked to Aadhaar, and with the Smart Cities Mission using technology to improve the quality of life for citizens, the threat spectrum in the government sector is very wide.

The adoption of smart meters, advanced metering infrastructure and decentralised renewable generation in the energy sector is increasing the attack surface for data theft, fraud, tampering and MITM (man-in-the-middle) attacks.

Securing digital infrastructure

  • Securing access: Passwords should be backed by two-factor authentication or be discarded in favour of biometric identification or cryptographic keys. Policies should enable only the access that is consistent with the role of a given user. The integrity of data must be validated regularly. Systems should be checked for breaches and remediated as quickly as possible. Analysing IT infrastructure information such as log data can enable an administrator to spot developing threats before they become security breaches.
  • Endpoint and IoT security: A diverse array of BYOD (bring your own device) devices and new IoT devices such as factory floor sensors require a new level of vigilance. IoT devices may not be secure and they may not be upgradable with security patches. Consequently, encryption of data on endpoint devices, as well as while travelling over networks, is an essential defensive tool. Organisations and the government continue to embrace IoT-enabled solutions to achieve automation and efficiency, especially for critical infrastructure and smart cities.
  • Networking security: Data should be encrypted both in motion and at rest. When virtualisation is deployed, micro-segmentation should be implemented in order to isolate a security compromise to the segment in which it occurs.
  • Data centre security: Applications running on virtual machines in the data centre should be secured using encryption, threat detection, data protection and network security. When an application is moved from one virtual machine to another, these security measures should move along with it. On the desktop, end-user systems can be virtualised through virtual desktop infrastructure technology.
  • Cloud security: The use of cloud-based services is widespread across organisations of all kinds. Just as in the data centre, it is important to gain insights into the security of data in the cloud, and to be able to validate the security and compliance of cloud-based data. As per the PwC report, cloud providers will have to put in more resources to protect the infrastructure. Besides, organisations have started focusing on how to limit access to data stored in the cloud and let only authorised personnel access it. In order to address vulnerabilities and misconfigurations, organisations will adopt technologies such as cloud access security broker (CASB), which comes with additional security controls.
  • Technology integration: The integration of network and endpoint security, in particular, has the potential to reduce the total cost of ownership and improve threat detection.
  • Blockchain: It is becoming a mainstream means of preventing fraud and data theft.

The way forward

As India moves forward with digitalisation, it is centralising data sets and connecting them together. The country is in the process of setting up a public credit registry. There is Aadhaar, which is the largest biometric database in the world. Besides, a national health information network, with electronic health records, is being planned. All of these lead to an expansion of the cyberattack surface, and thus create the need for introducing defence mechanisms at multiple touchpoints, including networks, endpoints, applications, cloud, bots and IoT environments.

Going forward, machine learning and artificial intelligence in cybersecurity will mature and become an integral part of the security suite, with a focus on anomaly detection rather than rule-based detection and response.

With the union cabinet’s approval of the Personal Data Protection Bill and the recent Aadhaar ruling by the Supreme Court limiting the use of data, the focus on data privacy will increase. Further, setting up a national cybersecurity architecture in consultation with recognised industry bodies can help in monitoring and fortifying network systems in the country. Also, as per estimates by NASSCOM’s Cybersecurity Task Force, India will need 1 million trained cybersecurity professionals by 2025. Cybersecurity is no longer restricted to high-end computer learning, but practically percolates to almost every aspect of our daily lives. Hence, defeating cyberattacks requires combined participation and sustained efforts from both the public and private sectors.