With the increase in cyberattacks over the past years, many companies have started focusing on their cybersecurity strategy. They are now deploying various technologies to protect themselves from cyberthreats. Governments across the world are formulating a robust policy and regulatory framework to deal with cybersecurity issues. Over the past year, the number of cyberattacks has grown exponentially, resulting in huge losses worldwide. Malware like WannaCry ransomware and Petya ransomware, along with data breaches, disrupted the functioning of several organisations.
In India, Kolkata, Delhi, Bhubaneswar, Pune and Mumbai were among the top cities that were affected by WannaCry in May 2017. The ransomware attack hit both enterprises and individual customers. The affected computers were locked down and could not be accessed until the hackers were paid a ransom for it. India ranked seventh amongst the countries hit by the NotPetya ransomware attacks in 2017. In July 2017, Bharat Sanchar Nigam Limited’s broadband network in the Karnataka circle was hit by a malware attack reported to have affected 60,000 modems, which could not be used to connect to the internet. Zomato and Reliance Jio Infocomm Limited also experienced data breach incidents in the past year.
Cybercrime in India is rising exponentially due to gaps in new technologies, the proliferation of smartphones, growing use of social media and increased digitalisation. In the Norton Cyber Security Insights Report, in 2017, India was ranked second globally among countries with the highest number of spamming and phishing incidents. The global percentage of complex cyberattacks such as ransomware, distributed denial of service (DDoS) and network attacks in India has increased. As per the KPMG Cybercrime Survey Report, about 43 per cent of organisations in India reported at least one ransomware attack during 2017. Cyberattacks in India have resulted in financial losses amounting to $500,000 in the past 12-18 months, according to the Cisco 2018 Annual Cybersecurity Report. Unfortunately, these incidents not only have a financial impact but also result in serious disruption of business processes and substantial leakage of sensitive data and cause grave damage to reputation. Email-based attacks are one of the most common threats at present.
Given the increasing vulnerability of organisations to cyberattacks, the demand for security solutions is at an all-time high. Vendors are offering different security solutions for different verticals. Products and solutions such as next-generation firewalls, DDoS protection, web application security, data security, breach prevention, disaster-recovery-as-a-service, endpoint protection, authentication suites, network sandboxing, deception technology and response tools are being deployed by private and government organisations to dodge potential attacks.
Organisations are adopting a preventive approach rather than taking remedial measures. With predictive solutions, the problem of data theft can be identified and nipped in the bud. Companies also need to monitor and evaluate the activities of suppliers and third-party vendors, which may have access to their sensitive information. With the growing popularity of the bring-your-own-device policy in companies, there is a need to keep a check on employees at all levels to avoid the problem of internal data theft.
Further, the advent of 5G, internet of things (IoT), artificial intelligence and machine-to-machine is expected to have a significant impact on the data privacy, protection and cybersecurity ecosystem in India. Everything with an internet protocol (IP) address is vulnerable to an attack; and with the increased adoption of these technologies, the susceptibility to threats has gone up. This has led to greater demand for specialised security solutions to protect against potential attacks. Since IoT is a wide-ranging technology, it is challenging for lawmakers to formulate policies for cybersecurity and privacy protection.
Regulatory and policy framework
To address the cybersecurity threat, the government has rolled out the National Cyber Security Policy, 2013 and the Framework for Enhancing Cyber Security, 2013, implemented the Information Technology [IT] Act, 2000 and its amendment in 2008, and set up the CERT-In (Computer Emergency Response Team-India) and the National Critical Information Infrastructure Protection Centre under the IT Act, 2000. Further, in order to promote cybersecurity, the Reserve Bank of India, the Insurance Regulatory and Development Authority, the Securities and Exchange Board of India, the Department of Telecommunications and the Central Electricity Authority have issued circulars and guidelines for the financial services, non-banking financial company, insurance and critical infrastructure sectors, as well as for stock exchanges, clearing corporations and depositories, issuers and share transfer agents.
However, an overarching law for cybersecurity and data privacy is lacking. India needs to draw on the benefits of cybersecurity regulations across the globe to formulate its own policy and framework, while taking into account its constraints and limitations. India can leverage the European Union’s General Data Protection Regulation, which is a comprehensive privacy-focused regulation, to draft its own policies. It can draw insights from privacy regulations in countries like China, the US, Australia, Singapore and Canada. The government can also benefit from partnerships with private firms that have global expertise in cybersecurity.
One of the key cybersecurity challenges faced by organisations in India is the shortage of skilled workforce to analyse and respond to cyberthreats. Owing to a skill shortage, governments and organisations are ill-equipped to deal with sophisticated attacks.
Companies and individuals also lack the requisite knowledge on various policies and guidelines leading to lower compliance and under-reporting of attacks. There is also a lack of awareness about security solutions. Many small-sized organisations are unable to implement the guidelines and invest in costly cybersecurity solutions.
New technologies such as IoT have made consumers highly susceptible to cyberattacks due to high level of interconnectedness among devices. Voice and data transported via carrier networks are also vulnerable to interception. These can be used by foreign governments, terrorist cells and hackers to create an environment of panic and unrest in the country. Cloud technology, which has emerged as a cybersecurity solution, is not free from limitations either. There have been a few instances of data leaks on cloud, which continue to pose a challenge as it is a centralised service.
Outlook and the way ahead
Digitalisation has been a boon for many businesses. While it has led to a spurt in online transactions, it has also attracted cyberattackers looking to steal confidential and sensitive information. There is a growing need to deploy highly advanced analytics tools to prevent and manage potential threats. Organisations need to engage tools and systems specific to their industry to manage these specialised threats. Organisations across all verticals need to understand that cybersecurity is far more complex than information technology security. Cybersecurity efforts need to be directed across all departments in the organisation and need to focus more on areas that are most vulnerable to such attacks by adopting a predictive approach. With stricter laws and greater awareness, we can expect to see wider deployment of cybersecurity solutions.
Securing cyberspace needs to be on the high priority list of the government and sufficient incentives must be provided for continued research and development (R&D) to develop and enhance skills and expertise in the area of cybersecurity. Currently, R&D is being carried out in areas such as cryptography and cryptanalysis, network and system security, monitoring and forensics, and vulnerability remediation and assurance. In 2018-19, R&D activities will focus on promoting the development of indigenous cybersecurity solutions, proof of concepts and prototypes, and skilled manpower in the areas of cybersecurity, with a special focus on mobile device security, cloud security and cloud forensics, intelligent traffic analysis, predictive intelligence based on big data analytics, malware detection and advanced cyber forensics.
There is a need to raise awareness regarding cybersecurity among individual consumers and educate them about the potential risks of using IT services. Cybersecurity is a shared responsibility and hence, both the public and private sectors need to make concerted efforts to create a more safe and secure cyber landscape in India.