Cybersecurity in India: How prepared are our companies for a cyberattack?
Just this week, the Tamil Nadu Mercantile Bank was attacked by malicious ransomware at a large branch of the bank in Kerala where a sum of money was demanded in exchange for a return to normal service. Unfortunately, this is neither an isolated incident nor is it uncommon, with local Keralan authorities suspecting a connection between the attack and other similar attacks in India and around the world.
It is attacks like these that are forming the general consensus among many in the media that Indian companies are not sufficiently prepared for cyber attacks. It has also been argued that India’s first steps towards a policy on cybersecurity in 2013 are now in desperate need of a further reboot. Amman Thakkar, writing for The Diplomat, argued that ‘In the last four years since the announcement of the Cyber Security Policy, India’s cyber landscape has witnessed growing digitization as part of the Government’s Digital India push, as well as more sophisticated cyber threats, particularly the WannaCrypt and Petya ransomware attacks [links in the original] that hit Indian networks this year.’
On the other hand, Ram Levi, founder and CEO of Confidas, a cybersecurity consulting firm that focuses on large enterprises, sees green shoots in India’s cybersecurity landscape. Levi was at the Hyderabad Cybersecurity conference this month, and it was his second outing at the event. Over the course of the last 2 years, he has seen improvement in the level of dialogue. He told us that the use of blockchain technology, for example, or other technical means of protecting critical infrastructure, as well as raising awareness among law enforcement officials, were just some of the improved conversations he came across at the event.
‘The aim is to create a dialogue between technical and security people and the larger the organisation or more spread around the world the more difficult the task is,’ Levi said of Confidas. This usually involves planning long-term strategies in the event of an attack and making sure that there are processes in place that help them implement that strategy.
‘Generally companies don’t invest in Cybersecurity unless either the CEO cares or they’ve been hacked. I didn’t see a lot of CEOs who wanted to spend a lot of money on it because it’s an expense,’ Levi said of the general attitude amongst companies.
However, Indian companies may be willing to take on increased measures if prodded to do so by international partners. ‘When people know what is expected from them and know what the punishment is if they would not comply, then it’s easier to go down that road,’ Levi said, adding that ‘because India is a democracy, it will by definition be working with European partners. Therefore, in order for them to be able to provide services and to defend them, they will need to build the capacity in order to work with European and American companies. That means India will need over 400,000 professionals in Cybersecurity which is a huge number.’
Many companies are unwilling to take the risk given that it was not really a cost that they previously had to bear. ‘Almost any system can be hacked if the adversary has enough resources and time,’ Levi believes. ‘When the value of your product or service is tied up with the digitisation then you need to invest heavily in cybersecurity as the likelihood of an attack is higher. Around 5% of the IT budget should be spent on cybersecurity.’
Leonardo Cooper of Vaultone also agrees that budgets are the biggest challenge but believes companies will come around when they see value in the product. Vaultone is a cybersecurity firm that prevents unwanted access into company records and specialises in privileged identity. ‘Most companies don’t know how their passwords, keys and accounts are being used and that’s a problem we solve,’ Leonardo said. ‘These privilege accounts make up for 80% of security breaches. We protect these accounts by making sure they are used only by authorised persons.’ Having previously worked for the Brazilian Government, Cooper concluded that ‘most security measures will be ineffective if you can’t protect privileged accounts. You have to protect the keys to the kingdom.’
Telangana state is now looking to beef up security measures in its own kingdom by implementing a new policy that seeks to build capacity to deal with cybersecurity attacks. Confidas, which audited the policy, looks to help companies build layers of security to ensure that even legacy systems (machines running on Windows 95, for instance), which are more vulnerable to attack, can be adequately defended.
In Mumbai alone there has been a spike of inquiries registered by the police in Maharashtra – who are now logging 3-5 cases of corporate cyber breaches a week. Given the increase in intensity, Ram Levi is certain that companies are aware of the threats that are present. ‘It’s a complex business that’s relatively new and rapidly evolving. Just in Israel we’ve gone from 50 companies to 350.’ Let’s see if the same evolution can take place in India as well.