Digital India needs a cybersecurity reboot
The Indian government has embarked on a programme to turn the country into a digital economy. It has unveiled a series of initiatives—from introducing Digital Locker, which eliminates the need for people to carry hard copies of documents issued by the government, to demonetization, which has spurred the use of digital payments across the country.
The move towards a digital economy is likely to help trigger a fresh wave of economic growth, attract more investment, and create new jobs across multiple sectors.
However, it also poses a big challenge, that of cybersecurity. With the move towards a digital economy, an increasing amount of consumer and citizen data will be stored digitally and a large number of transactions will be carried out online, by companies, individuals as well as government departments.
That makes India a bigger target for cyber-criminals and hackers. Various stakeholders, especially Indian companies, need to be better prepared to handle this threat.
The cost of cyberattacks in India currently stands in excess of Rs25,000 crore ($4 billion). It is important to note that there are many cyberattacks that go undetected and unreported as well, so this number could be much higher.
The losses emanate from operational disruptions, loss of sensitive information and designs, customer churn and impact on brand image, as well as increases in legal claims and insurance premiums. The issue is forecast to balloon further in the coming years, reaching as high as Rs1.25 trillion ($20 billion) over the next 10 years, as the business operations of most Indian companies become networked.
One of the biggest reasons behind this is the limited awareness of the impact and importance of cybersecurity currently. Many companies do not treat it as a strategic agenda, but rather as a small issue for their IT departments. In fact, a lot of cybersecurity incidents go unidentified and hence, unreported.
As such, there is limited awareness of the need for specialized and customized industry-specific cybersecurity measures which are significantly different from IT security and need to be adapted by the industry. All this is underpinned by the fact that there is low existing capability, or lack of skill sets, to drive cybersecurity agendas. This includes capability in terms of people, cybersecurity strategies, as well as actual implementation of security measures.
Time to reboot
One of the biggest misconceptions about cybersecurity is that cyberattacks are restricted to the financial services and banking sector. It is important to note that industrial companies are equally vulnerable. At the same time, it has become clear that conventional IT systems and firewalls are increasingly becoming ineffective in preventing sophisticated hackers from creating havoc.
As a result, companies in India need to be proactive to ensure they foster efficiency and efficacy in cybersecurity management. The vision for this has to come from the very top. It is important that the chief executive officers make this a high priority on the management agenda and build clearly defined security road maps to have a more structured implementation in line with their security strategy.
Companies also need to assess the assets that are most at risk. This will differ from sector to sector and company to company. It is important to identify the most valuable assets, the ones which will “hit you the most”, narrow down all possible attack avenues and proactively prepare mechanisms and procedures to address those risks.
It is also important that companies run regular stress tests, which simulate real-life attacks. This can help identify places in the environment (systems, data, etc.) which will be affected the most in case of attacks and assess the company’s detection and response preparedness. Further, companies need to start cooperating with peers to learn from each other’s experiences—identify potential attack scenarios, identify hidden threats and co-develop a security framework.
Organizations also need to enlist their employees in the fight against breaches. There is a need to change the perception of cybersecurity from being a passive agent, to an active business enabler. It is a must to ensure active participation across the organization.
Finally, the regulators need to ensure they are covering all aspects at their end. This includes regulations that set minimum standards on cybersecurity for companies across the country, and maybe even some rating system that classifies companies based on their preparedness on this front. At the same time, tough laws need to be put in place for perpetrators of cybercrime to ensure such criminals are deterred effectively.
India is sitting on the cusp of digital evolution. The government has overcome its detractors with an eagle-eyed focus to achieve this goal for the country. It is now up to companies to ensure they are ready and prepared to harness and exploit the opportunities this evolution will bring. The only way to do that is to ensure that cybersecurity finds its way into the boardroom agenda.
It’s time for a reboot.
Abhishek Poddar and Anchit Goel are, respectively, partner and manager at AT Kearney India.