Ajay Khubchandani, senior IT Security expert at ESS Distribution, says there is no doubt that business today needs strong IT security infrastructure.
Business environments have become more complex and now form a complicated knot of interconnected systems, applications, and services. With cyber threats evolving daily, companies must strengthen their network security not only by deploying new solutions but also by establishing more advanced and more effective security policies within the organization.
The main question put before management is how to evaluate the necessary level of information security and how to ensure maximum efficiency of these investments. Applying a risk analysis framework that assesses the existing risks in the system and selects the optimal protection option can help increase efficiency and effectiveness while reducing costs or even producing savings.
It is important to maintain a comprehensive approach to this technology-driven issue. We always argue that technology alone cannot secure an IT infrastructure: you have to create policies and practices that secure the processes and operations involving the human factor. A network can never be secure if the people operating in it have no security training, no general understanding of the risks related to a security breach, and no understanding of the value of data.
In India today we still talk about the security risks posed by spam and DDoS attacks, while more sophisticated activities targeting government and private organizations in India, such as the Stuxnet worm, the more recent Win32/Bitterbug.A Trojan, or the Heartbleed vulnerability, are still topics of discussion only in closed circles of IT security experts. However, such threats exploited not only system vulnerabilities but "human vulnerabilities" as well. Considering that these sophisticated attacks target not just IT networks but the critical IT infrastructure of government organizations, including defence establishments, financial organizations, and oil and gas facilities, organizations are obliged to take cyber risks seriously.
Last year witnessed an increase in sophisticated attacks, with more than half of Indian enterprises and many government-sector organizations attacked at least once. Although we still lack accurate statistics on breaches in India and have to rely on figures and outlooks from private companies or independent research institutions, it is clear that India is on the hackers' list not only because it is a rapidly growing economy but because of its 1.3 billion population and, therefore, the enormous amount of data it generates.
Although the Indian government is working on strengthening cyber security both from the policy perspective and from the legal-framework point of view, we believe breach incidents are still heavily under-reported in India, which limits the scope of analysis. Until recently, there were no strict breach-notification requirements obliging companies, especially those that collect, store and process personal data, to report breaches and conduct risk assessments and audits, nor are there significant penalties for compromised businesses.
However, the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the "CERT-In Rules") impose mandatory notification requirements on service providers, intermediaries and data centers if certain 'cyber security incidents' occur, e.g. compromise of critical information or systems, unauthorized access, malicious virus or code attacks, identity theft, etc. The Information Technology Act, 2000 (amended in 2008) deals with issues relating to the payment of compensation and punishment in cases of wrongful disclosure and misuse of personal data and violation of contractual terms in respect of personal data.
Besides existing legislation, the government is now working on evolving practices and policies that make cyber security a central part of the general security doctrine. Some of these initiatives include establishing the National Critical Information Infrastructure Protection Centre (NCIIPC) and the National Cyber Coordination Centre (NCCC), which will screen online threats and coordinate with the intelligence agencies on issues related to national security. Given not only global cyber threats but also India's internal developments in the technology sphere, including initiatives such as Digital India and the Aadhaar project, both expected to accumulate the world's largest personal databases, the questions of privacy protection and data protection, and the issue of having a reliable and modern cyber security infrastructure to support such projects, are yet to be solved.
Creating new policies is definitely an important step for every government and every country, not because it can stop cyber-attacks or eliminate the consequences of massive breaches (this is next to impossible, as the experience of the United States and some European countries, where such policies were adopted much earlier, proves), but because it can help put better security measures in place and predict attacks and their outcomes, since government organizations and private-sector companies will be bound to disclose information. This will help security experts study the cases, while also increasing the accountability of the parties for maintaining strong IT security practices.
At the enterprise level, the Chief Information Security Officer (CISO) culture has been established successfully in India over the last decade. However, this varies from industry to industry. While in the banking and financial spheres the appointment of CIOs was made mandatory and the guidelines for banks established some good practices concerning cyber-security risks, the situation is quite different in, say, the education, entertainment or e-commerce sectors, which also handle massive amounts of personal data.
In the banking sector, one of the major benefits for CISOs of the RBI guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds is probably the level of independence given to security officers at banks, since the RBI requires the CISO to report directly to either the head of risk or the executive director. This makes CISOs more visible to management and gives them the freedom required to execute their roles and responsibilities effectively.
The situation in the non-BFSI sector is quite different, even though the risks are similar. From what we have seen so far, it is not just ROI that CISOs are struggling with at the enterprise level. The efficiency of an IT security infrastructure depends not just on CISOs and their ability to convince management to invest in essential security controls, but also on management's ability to understand and evaluate security concerns and to build long-term, sustainable strategies.
This includes not only policies on cyber security but also the company's ability to identify and evaluate the various vendors and technology solutions available in the market, and to choose those that will not only protect its IT infrastructure but can also be integrated easily and effectively, without burdening the infrastructure or increasing operating costs. In India, especially in the SME and SMB sectors, companies tend to look for cheaper solutions, often ending up paying for several products from several vendors and suffering from the many complexities that arise from being unable to integrate them all.
The whole system eventually becomes inefficient and adds extra load to operations, pushing companies to look for new solutions yet again. We believe a more comprehensive approach to security, treated as part of a sustainable business and of the corporate culture rather than a one-time investment with a certain ROI attached to it, could do a better job for many companies across sectors. Such a comprehensive approach will also include adopting policies and measures that address the risks the 'internet of things' (IoT) and BYOD pose to the security ecosystem.
Another challenge for building comprehensive cyber security practices at the enterprise level is overall computer literacy in India and, beyond that, the level of understanding of cyber security among the Indian workforce. Some of the best initiatives or practices implemented by CISOs may be undermined by employees' lack of knowledge and understanding of security risks and of the consequences of possible breaches. This is something the government and organizations have to deal with at multiple levels. No doubt security literacy cannot be achieved overnight in a country as huge and diverse as India, and it is very encouraging that the government is already taking some positive steps in this direction.