Feedback

Reader's Poll

Which of the following technologies/concepts are likely to witness significant traction this year?
 
Any data to show

Teledata

Tele Data

Mobile Subscribers Yearwise comparision

Combating Cybercrime: Evolving information security framework to check data breaches

July 10, 2017

Recent cyberattacks such as the WannaCry ransomware attack that paralysed thousands of computers worldwide and the data breach in the Indian banking system in 2016 that affected nearly 3.2 million debit cards have exposed the vulnerability of the IT machinery and the massive security gaps in systems. Cyberattacks can lead to large-scale data losses, denial of service, breach of privacy, phishing, etc., thereby causing significant financial losses to business units and distress to users.

With increasing digitisation, cybersecurity challenges are bound to intensify. Emerging technologies like the internet of things (IoT), which require a considerable amount of data flow between automated systems and components, would require stringent cybersecurity measures to ensure the proper functioning of individual components and prevent any kind of disruption. Further, with cyberterrorism emerging as a new field of warfare, cybersecurity has become an integral and strategic component of any security system.

Role of different stakeholders

The cybersecurity ecosystem involves a large number of stakeholders. The major stakeholders on the demand side are the government, which acts as both the legislative authority for cybersecurity and a user of IT systems; public sector units; commercial enterprises; educational institutions; individual users; and internet service providers. These customers either use a customised cybersecurity solution or ask for a generic solution. However, the latter leaves some system vulnerabilities unattended. Usually, large organisations and educational institutions opt for the former, while small business units and personal users select the latter.

On the supply side, there are multiple vendors and solutions available across the cybersecurity ecosystem, covering identity and access management, point security solutions, security analytics and correlation engines.

However, paradoxically, internet service providers (ISPs) are helpless as far as cybersecurity is concerned. This is because under the principle of net neutrality, ISPs are bound to treat all information identically, leading to their inability to stop any cyberattacks. However, this is a small price to pay for net neutrality, and nothing stops the ISPs from informing the user about suspicious files or websites.

Current policy framework

The Information Technology Act, 2000 and the Information Technology (Amendment) Act, 2008 have various provisions for ensuring cybersecurity. These include punishment for indulging in cyberterrorism and identity theft, and penalties for publishing data in breach of a lawful contract and for breaching confidentiality and privacy. They also give the central government the power to monitor data traffic (with reasonable restrictions), block data from being accessed by the public, and declare any system a protected system and take steps to ensure its security. The Information Technology Act also established an Indian Computer Emergency Response Team (CERT-In) to serve as the national agency for the collection, analysis and dissemination of information on cyber incidents, forecasts and alerts to undertake emergency measures for handling cybersecurity incidents, coordinate cyber incident response activities, and issue guidelines, advisories, vulnerability notes and white papers related to information security practices and procedures. The act also applies to any offence or contravention committed outside India, if it involves a computer or computer network located in India.

With the increase in incidents of cybersecurity breaches, a need was felt to bring in a broader cybersecurity policy. To this end, the government released a National Cyber Security Policy in 2013, the first broad policy on cybersecurity. It advocated developing a strong e-governance framework, a 24x7 national-level CERT-In and sectoral CERTs as well as protecting critical information infrastructure and creating cybersecurity awareness.

Several institutions have also taken steps to improve cyber resilience. For instance, the Reserve Bank of India (RBI) issued a circular to banks in June 2016 asking them to put in place a cybersecurity policy, which was to be distinct from the existing IT policy of banks. The circular also instructed banks to report any cyber incident to RBI. Further, RBI established an interdisciplinary standing committee on cybersecurity in February 2017.

In July 2015, the Securities and Exchange Board of India (SEBI) asked all the stock exchanges to set up a robust cybersecurity mechanism. This directive was later extended to the commodity derivatives markets as well. SEBI has recently set up a high-level panel to suggest measures to safeguard cybersecurity for the capital and commodity markets. The Insurance and Regulatory Development Authority of India had released guidelines for cybersecurity in April 2017.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 also includes provisions for the safety and security of Aadhaar numbers and other core biometric details.

Key recommendations and the way forward

As India moves towards a digital economy, the country’s cybersecurity preparedness has come into the limelight. With the growing instances of cyber theft, there is an urgent need for a well-crafted, national-level cybersecurity framework.

Going forward, enterprises across all verticals need to be more proactive, with an increased focus on predictive rather than reactive cybersecurity measures. According to Arshad Sayyad, managing director, operations and cybersecurity global delivery lead, Accenture, most enterprises still think of cybersecurity as IT security. However, with IoT, wearable and sensor devices coming in, cybersecurity is becoming far more pervasive than just IT security. “Everything that has an internet protocol address, whether it is dynamic or static, is vulnerable to a hack. There are different kinds of hackers in the world, ranging from the immature to the highly sophisticated. Therefore, cybersecurity efforts need to be focused on not just IT systems but also non-IT areas. Enterprises will have to bring about a paradigm shift, to be able to predict where a potential compromise in security is likely to arise. This will require the use of advanced analytics,” says Sayyad. Moreover, enterprises should move away from a simple “buy-and-deploy” approach for cybersecurity and adopt solutions that address their specific industry security profile, business context, risk appetite, threat profile, etc.

The government and regulatory bodies need to make concerted efforts to tighten existing cybersecurity regulations. There is a need to have more granular cybersecurity guidelines in place for different sectors, which should be regulated by their respective governing bodies.

 
 

To post comments, kindly login

 Your cart is empty

Monday morning

BluePlanet