The ever-expanding digital ecosystem has brought data privacy and security issues to the fore. According to the National Association of Software and Services Companies (NASSCOM), India is one of the most vulnerable countries with regard to cyberattacks. The primary factors responsible for the increased risk to critical digital infrastructure are wider adoption of the internet, smartphones and other connected devices, growing digital interconnectivity across sectors and lack of awareness. The country needs to develop a comprehensive cybersecurity framework that meets both privacy and business requirements. The framework should be able to address unique sector-specific requirements, ensure proper functioning of digital applications and prevent data breaches.
A look at the key trends in the Indian cybersecurity space and the way forward for the segment…
Among 60 countries, India is ranked 15th in terms of cybersecurity. Further, the country faces the highest number of cybersecurity threats in the Asia-Pacific region with over 500,000 alerts received daily, which is nearly thrice the number of alerts faced globally. Nearly 39 per cent of these alerts remain unattended due to the lack of required skill sets according to a report by Cisco Systems.
During the past year, the country has witnessed a number of cybercrimes. In July 2018, an ATM scam was reported in Kolkata, which resulted in losses of over Rs 2 million, affecting more than 75 people. In August 2018, criminals were accused of making fraudulent bank transfers by stealing SIM card information. In the same month, Pune-headquartered Cosmos Bank lost nearly $13.5 million when anonymous hackers stole customer information by installing malware on the firm’s ATM server, and then conducted globally coordinated withdrawals in 28 countries. The bank lost another $2 million when hackers made three unauthorised transfers to a Hong Kong-based company’s account. The world’s biggest biometric identity programme, Aadhaar has also fallen prey to multiple breaches. Further, since the digitalisation of government operations, around 700 hacks into the state and central government websites have been reported in the Lok Sabha. These can be attributed to the lack of proper security protocols.
In light of the growing number of cyberattacks, cybersecurity has become a major concern for organisations in India. Around 70 per cent Indian organisations plan to increase their cybersecurity budgets in the coming years, according to EY’s Global Information Security survey, which captures responses of 230 C-suite leaders representing India’s most recognised organisations with revenues ranging from less than $10 million to over $10 billion. Further, more than half (53 per cent) of the organisations have started spending on cyber analytics.
The demand for security solutions is at an all-time high. According to industry experts, the cybersecurity market in India is expected to grow from $4.5 billion at present to $35 billion in 10 years. Vendors are offering different cybersecurity solutions for different verticals. Both private and government organisations have deployed various products and solutions to prevent potential attacks. These include next-generation firewalls, distributed denial of service protection, web application security, breach prevention, disaster recovery-as-a-service, endpoint protection, authentication suites, network sandboxing, deception technology and response tools.
The government has been playing a proactive role in fostering a cybersecurity ecosystem. It has identified three ways to secure the national cyberspace – preventing cyberattacks, reducing national vulnerability to cyberattacks, and minimising damage and recovery time. Further, it has taken various initiatives to address cybersecurity challenges. In 2008, the government enacted the Information Technology (Amendment) Act, 2008, to cater to the cybersecurity needs of the country. This act was later amended to cover broader security-related issues. In 2013, the government announced the National Cyber Security Policy with the aim of integrating all cybersecurity initiatives and tackling cybercrime. The initiatives taken under the policy include setting up of the National Cyber Coordination Centre, the National Critical Information Infrastructure Protection Centre and sector-specific Computer Emergency Response Teams (CERTs) under a specialised unit called the Indian Computer Emergency Response Team (CERT-In). CERT-In has been operational as a national agency for cybersecurity incident response and is actively involved in mitigating cybercrimes in India. The government has formulated a national crisis management plan to tackle cyberattacks and cyberterrorism. As part of this, security auditors have been empanelled for conducting security audits of both government and private companies. The plan is re-evaluated and updated every year to keep up with the changing cyberthreats landscape of the country.
So far, government initiatives have focused on tackling threats to critical information infrastructure and national security by adopting relevant security technologies, creating information security awareness, and conducting training and research. Owing to the dynamic nature of cyberthreats, these actions need to be continued, refined and strengthened from time to time. While the government has passed laws and set up agencies, the onus now lies on the states to take it forward, drive on-the-ground implementation and ensure a safe cyberspace. Telangana and Karnataka are the first states in India to realise the importance of state-driven initiatives in the field of cybersecurity and are way ahead of their peers in terms of defining policies, taking preventive measures and developing infrastructure.
While the government has formulated a policy on cybersecurity, an overarching law for cybersecurity and data privacy is lacking. India needs to draw from the cybersecurity regulations of other countries to formulate its own policy and framework. It can leverage the European Union’s General Data Protection Regulation, which is a comprehensive privacy-focused regulation, to draft its own framework. Further, it can draw on insights from privacy regulations in countries like China, the US, Australia, Singapore and Canada. It can also benefit from partnerships with private firms that have global expertise in cybersecurity.
Even as several organisations are stepping up their game in the cybersecurity space, there are several challenges that hamper the deployment of cybersecurity solutions. These include:
- Lack of skilled workforce: The shortage of skills has emerged as a key problem in the adoption of cybersecurity solutions as organisations from relatively well-resourced sectors are also struggling to recruit the talent they require. The demand for talented and skilled labour far outgrows supply. With the market poised to grow substantially, this gap is likely to widen further.
- Lack of national-level architecture: In India, critical infrastructure is owned both by the public and private sectors, which operate under their own norms and protocols for protecting digital infrastructure from cyberattacks. The armed forces too have their own agencies. However, there is no national security architecture that unifies the efforts made by both the sectors so as to assess the nature of threats and tackle them effectively in a coordinated manner.
- Lack of awareness: The country lacks awareness about cyber laws and regulations both at the corporate and the individual level. Further, the country does not have a national regulatory policy in place for governing cybersecurity issues. Internet users can be protected from cyberattacks only if there is a guided and supervised legal framework in place. There is also a lack of awareness about security solutions. Many small-sized organisations are unable to implement the guidelines and invest in costly cybersecurity solutions.
- Lack of uniformity in devices used for accessing the internet: Only less than 1 per cent mobile phone users in India have access to mobile phones that have high security standards. Further, the widening gap between security offered by high-end mobile phones and low-cost mobile phones in the market makes it impossible for the regulators to set legal and technical standards for data protection.
- Adoption of new technologies: New technologies such as internet of things (IoT) have made consumers highly susceptible to cyberattacks due to increased interconnectivity among devices. As a result of higher connectivity, voice and data transported via carrier networks is also vulnerable to interception. This data can be used by foreign governments, terrorist cells and hackers to create an environment of panic and unrest in the country. Cloud technology, which has emerged as a cybersecurity solution, is not free from limitations either. There have been a few instances of data leaks on the cloud, which continues to pose a challenge as it is a centralised service.
The way ahead
While digitalisation has been a boon for many, it has also attracted cyberattackers looking to steal confidential and sensitive information. To this end, companies across all industry verticals need to understand that cybersecurity is far more complex than IT security. Cybersecurity efforts need to be directed at all departments in the organisation. There is a need to focus more on areas that are most vulnerable to such attacks by adopting a predictive approach. Further, there is a growing need to deploy highly advanced analytics tools to prevent and manage potential threats. Organisations need to engage tools and systems specific to their industry to manage these specialised threats. With stricter laws and greater awareness, we can expect to see wider deployment of cybersecurity solutions.
Net, net, the cybersecurity space in India is poised to scale greater heights in the coming years. As per NASSCOM estimates, the increasing incidents of cyberattacks and the following data protection efforts will create a revenue opportunity worth $35 billion and provide employment to about a million professionals in India by 2025. However, to capitalise on these opportunities, the Indian cybersecurity industry needs to come up with a clear and organised roadmap that involves a strong cybersecurity framework as well as a regulation that focuses on capacity building both at the government and industry levels. Further, adequate incentives must be provided to ensure continued research and development, and enhancement of skills and expertise in the field of cybersecurity. Start-ups operating in the cybersecurity space also need to be promoted. Concerted efforts should be made to bring together the industry, academia and strategic institutes to devise strategies and solutions that can benefit the entire digital ecosystem.
By Kuhu Singh Abbhi