The Cambridge Analytica scandal, which exposed the lacklustre attitude of big tech giants like Facebook towards user data, was only the tip of the iceberg. Most tech companies, developers and service providers are scrambling for user data. Some need it to feed their machine learning platforms, gain new insights and serve customers better, while some are using it to sell to advertisers. The most sinister ones use it to influence voters. The series of cyberattacks in the last few years has shown how hackers can disrupt companies and harass users by breaking into their systems.
During a round table with Mint, Rama Vedashree, CEO of Data Security Council of India (DSCI), Vikram Mehta, CISO of MakeMyTrip, and Dhruv Khanna, CEO of Data Resolve, shed light on how companies and governments in India are dealing with these issues. Edited excerpts:
Impact of GDPR
The rollout of the General Data Protection Regulation (GDPR) in Europe in May 2018 has inspired several countries to lay down their own privacy laws. The government of India, too, has proposed a data protection bill to rein in custodians of such data. “Even as GDPR was getting ready and the draft bill discussions were happening, we found that both user enterprises and IT companies were evaluating them to ramp up their privacy programmes,” said Vedashree. Mehta believes “cases of data breaches have gone up significantly in the last few years. In general there is a lot of attention from the top down to invest further and more in cybersecurity. After GDPR, companies have started preparing for enhanced privacy and security controls not just from a compliance standpoint, but also from a basic hygiene perspective.”
Another interesting development the industry has seen, with GDPR and the draft bill arriving around the same time, is that the management of large enterprises is beginning to realise that a security breach and a privacy breach are different, and that the obligations and the readiness needed to deal with each have to be different too, according to Vedashree.
Khanna agrees there is a lot of awareness. People never used to talk beyond the standard controls and processes. But because of this bill, there is a lot of work happening. Even those who don't fall into the ambit of GDPR are talking about it.
But can GDPR-like regulations stifle growth for companies?
Vedashree notes that GDPR was rolled out only a year ago and there is no study yet that shows it is a success. “I think we should have our own Bill, but definitely meet the global expectations too, because in a digital economy, where the cross border data flows are all interlinked, we cannot have a unique law, which does not meet the expectations of global stakeholders,” adds Vedashree.
At the same time, Vedashree advises that a thoughtful approach to readiness is required, to make sure that the burden of compliance does not hit micro and small enterprises and the young startups, which are actually cracking global markets early.
Mehta notes that we cannot hold all enterprises at par for the level of security controls that they might have to implement. For instance, an organisation with a consumer base of a lakh, as opposed to a million, will be very different in terms of the impact of privacy violation there.
“There is also a huge gap in terms of demand and supply with respect to cyber security and data privacy as a skill set. Without it we cannot expect a small or medium enterprise or the public sector to go all out with implementing high end security controls,” adds Mehta.
Regulation and role of data localisation
The draft intermediary guidelines by MEITY mandate intermediaries to furnish data to government agencies when required. Vedashree argues that there are different types of intermediaries and they cannot all be put into the same bucket and governed by one set of guidelines. Many of the intermediaries don't own the data.
“I think the most critical element is enforcement. Across sectors, one of the problems which I've seen, while interacting with customers, is how to segregate private and corporate data. There are controls, which allow us to club what falls under what category. If we are able to identify those 30 to 40 categories and decide which data is private and will not be touched, then enforcement becomes easy,” advises Khanna.
With so many foreign companies from the US and China doing business in India, there have been demands for stronger regulation. Many see data localisation as the magic wand that will give power to the government when it comes to regulating them. Vedashree concurs that the overall digital supply chain ecosystem risks and threats to the country are real. In the cyberspace domain, it is not just organised cyber crime for financial gain that we have to worry about. There are also nation states that are indulging in cyberattacks.
“Every country has a right to be able to deal with the risk and mitigate it. India is one of the fastest growing digital economies. So the question for government is whether they have enough control over the economic interests of that data. That is the key narrative that is pushing policy towards data localization,” adds Vedashree.
Khanna is of the opinion that data residency is also an important element. There are a lot of cases in which data is sitting in other parts of the world, and to pull that information the government has to go through treaties, which slows down the enforcement process. He adds, “as far as many international companies are concerned, they don't care whether the data is sitting in Singapore or India. As long as they are able to access the data and it's encrypted they are okay with it.”
Several surveys have shown that employees and sometimes CXOs are not fully aware of the repercussions of their actions and are too casual when it comes to abiding by security practices. The fact that personal devices have gained more acceptance at the workplace has complicated things. Khanna points out that a lot of companies have started segregating their BYOD employees into various risk buckets. The risk posture of a person who is the custodian of information that is very critical to the company will be different from that of the person processing the information. The use case has to change from person to person with respect to what kind of access they have.
“Most enterprises are now looking at insider risk mitigation, both with awareness, employee policies, better partnership with law enforcement for the investigations, and also technology solutions for end users,” adds Vedashree.
Touching upon the casual attitude of some CXOs, Mehta notes that a combination of policies is required to protect them. In some cases we have seen companies enforce social media guidelines, telling CXOs how to behave and what to post on social media. In some organisations, if the CXOs are using a personal device for work, they are made to create separate digital identities.
Role of ML and AI in cybersecurity
Enterprises are increasingly turning to emerging technologies such as AI (artificial intelligence) and ML (machine learning) to add more teeth to cybersecurity initiatives. Some feel there is more hype than reality.
Mehta emphasises that machine learning is already playing an important role. AI will come into the picture later as it needs a lot of data to build intelligence. A lot of product companies have started building semi-supervised ML models and will then move to actual ML or even AI.
He adds, “as of now the focus is more on detecting more and more sophisticated threats using machine learning tools. In the security space, I think automation is already playing a key role in terms of remediation, because the adversaries on the other side are no longer humans. They are actually powered by a lot of compute power.”
Vedashree concludes by pointing out how DSCI has been advocating the need for the government to allocate 10-12% of IT project spending to cybersecurity, as the current budget for such projects is very low. A lot more needs to be done in terms of end user awareness, and for that more citizen awareness campaigns are required.