It is no surprise that even today cyber attacks attract the maximum attention. In India also, the corresponding data generated by the large population makes us a goldmine for cyber criminals. How do we go about handling this?
J Kesavardhanan, Founder and CTO, K7 Computing, tells us more. Excerpts from an interview:
DQ: What are the issues on ground regarding cybersecurity?
J Kesavardhanan: NASSCOM and PwC India estimate that the cyber security market in India will grow from $1.97 billion in 2019 to $3.05 billion by 2022 at a CAGR of 15.6%. This forecast paints a clear picture of the ground reality in India with respect to cyber security – Indian organisations are becoming attractive targets for cyber attacks, largely due to rapid digitisation and the corresponding data generated by our large population making us a goldmine for cyber criminals. While there is a proposal to roll out a data protection legislation, this alone may not stop criminals from trying to find and exploit vulnerabilities. The planned laws will definitely increase the responsibility and liability of Indian firms to keep their customers’ data safe.
Unfortunately, many Indian companies are not yet ready to mount an effective cyber defence against sophisticated cyber adversaries. It is not unusual to see a corporate network breached because available security patches had not been applied, or a server was still using the default username and password. We also note that cyber attacks are increasing in Tier 2 cities. While they may not be the primary target of hackers, the trend does demonstrate that cyber threats are not confined to large organisations in large cities. Small no longer means safe.
DQ: SMEs enrich a huge part of the country’s economy but when it comes to security measures policy, what is the situation of SMEs in India?
J Kesavardhanan: Indian policy does not specifically protect or penalise SMEs for cybersecurity incidents. Relevant regulations are usually applicable to all organisations. We do not expect this to change as distinction based on the scale of operations may not be viable, as large organisations may outsource some of their processes to SMEs, and SMEs may serve as the point of entry for a devastating cyber attack that could spread across the nation. The Indian SMEs may also serve global clients, where they may be required to comply with international legislations such as the GDPR. When it comes to cyber security, an SME should operate as if they are a large enterprise.
A Microsoft-led study revealed that a mid-sized Indian firm loses $11,000 on average annually to cyber attacks. In addition to their direct financial loss, SMEs are also coming under pressure to improve their cyber security from large organisations they work with who wish to cyber secure their supply chain. SMEs who wish to avoid penalties, loss of business, and loss of reputation will need to adopt a more aggressive cyber security posture.
DQ: How can SMEs adopt smart strategies for effectively addressing the evolving threats?
J Kesavardhanan: Cyber security is more than just tools and technology. It is, first and foremost, a state of mind. The smart strategy is to cultivate a cyber secure culture in the organisation. The first step is to create a cyber security policy which sets standards and lays down every user’s responsibilities. This policy should also cover employees’ use of personal devices for business purposes, which is fairly common in SMEs. User education and training is another essential pillar of cyber security as some cyber attacks, like social engineering, can take place anywhere and an alert user is the best defence.
On the technology side, ensure that all devices have the latest patches applied. This should include equipment like routers that are often overlooked in such exercises. Finally, use a good cyber security solution to defeat threats that slip past other defences.
DQ: How can they be agile and updated in solving the cyber-crimes?
J Kesavardhanan: We have discussed measures that an organisation can implement to be agile in stopping cybercrimes. However, a lack of appropriate resources (such as having a Chief Information Security Officer or cyber security team) is the primary constraint faced by SMEs when they wish to have more dynamic defences.
A business may require a highly skilled cyber defence team to be proactive in cybersecurity, address niche requirements, and respond quickly if a cyber security event occurs. However, investing in such a team may not be practical for SMEs who wish to focus resources on their core operations.
Such businesses may consider contracting with a cyber security provider – allowing them to benefit from the provider’s tools, skills, customised services, and knowhow that has been built across many types of businesses and industries – to build powerful cyber defences without substantial investment.