Cyber Security - What More Can We Do?
Cyber security is no longer an IT team’s problem as it’s implication has seen adverse affects on everything starting from market caps of publicly listed companies to their CEOs being sacked, from heated debates between the government and the supreme court to modification of election results across the world. A cyber breach today has real life implications to individuals, businesses and governments everywhere.
Before we talk about cyber security, let’s spend a little time on cyber. India today has leapfrogged the digital era. In 2016, we jumped from 100 to 220 million smartphones, surpassing the US. Extending to what Elon Musk recently said, 220 million people in India (that’s one out of every 6 Indians) now carry more power in their hands than what was with the president of the US eight years ago. Today, Digital India is no longer a concept vision targeting the next 10 years.
It’s here and now. With on ground examples in adaption of digital payments, smartphones, internet access, Aadhar enablement etc, things are getting very serious on the digital dimension. This shows the seriousness and the push from the top.
There is also a clear push from the regulator side. Today, we see advertisements from bodies like RBI trying to educate people on basic attacks like phishing, vishing, talking about how the banks will never ask for the user’s passwords etc. But such attacks are just the tip of the iceberg. From an end user side, the primary challenge is the lack of cyber awareness and education. Being in the industry, I feel the regulators have a lot more to do in terms of cyber awareness, campaigns around safe usage of cyber and skilling people around the responsible usage of cyber.
Today cybersecurity broadly has the following stakeholders - government, private players enabling services through web/mobile apps, internet service providers and the end users.
Lets start with the government. There are multiple nodal bodies and initiatives like CERT, REBiT, etc which are doing a good job and again this shows the seriousness and push towards digital and cyber right from the top. This year’s budget was a landmark for the cyber industry. The government clearly laid down the importance and need for sector specific CERT’s’, incentivising the usage of digital, especially for the payment industry and our Prime Minister talks regularly about the importance of cybersecurity, the bloodless bath and more.
But the challenge remains on the human resources side. Most of these nodal bodies today are under a lot of pressure when it comes to dealing with the increasing number of cyber-attacks as they have far lesser human resources than what is actually required. India has adopted digital at a very fast pace without receiving formal education or training on how to access the Internet in a responsible manner. What we need from the government is to further empower these nodal bodies (both existing and the upcoming ones) with the right budgets, people and authority to make the right framework for the country's digital usage.
Another very important aspect to this is the law enforcement. We still have a long way to go to have the right infrastructure to address cyber crime. Initiatives such as Cyber Maharashtra is a brilliant initiative wherein every district of the state is setting up it's own cyber lab.
Today, the cyber officers themselves aren’t well trained. At a time when India is pushing the digital borders, we need to get the IPS officers trained on cyber usage and it's security implications. More states need to adopt the Cyber Maharashtra model. Today almost 90% of physical cases have a digital aspect to it plus cyber-crimes are also on the rise. Various reports claim that the overall cost of cybercrime will touch 2 Trillion Dollars by 2019. Organised cybercrime has become a larger industry than drugs and arms & ammunition in certain parts of the world.
Internet Service Providers, another important stakeholder in the entire cyber journey has a big role to play. More than 500 million people in India access the Internet today. The ISPs need to step up and with the help of initiatives like the Botnet and Malware Cleaning centre, can be regulated to block malicious content, do botnet cleaning and provide clean pipe services. The private companies pushing their products and services via the internet are today absolutely un-regulated (except for the wallets and payments space).
The government has a long way to go be able to completely understand and come out with the right set of regulatory framework that can ensure the safety of end users on an e-commerce or social media website.
Here, the big challenge is also the jurisdiction separation as even if our government mandates some policy, as we use most of our time on the internet surfing portals hosted outside of India, it becomes a very big challenge for the law to be enforced in such cases. I believe, the government can further push the need and importance of cybersecurity in the private sector by incentivising spends on cyber security.
Like the government today gives incentives to green buildings etc, it can also start incentivising increased spends on cyber and security. This will further push the cyber spend of companies in India. To give a comparison - One of the largest banks in America - JP Morgan Chase spends USD 350 million annually on cybersecurity, versus the total spend of all the banks combined in India will not even be half of what JP Morgan alone spends annually. This needs to go us exponentially in the near future.
On the consumer side, we are seeing some innovative cyber security initiatives such as AIG launching a private insurance for individuals recently for their personal cyber identity theft. Similarly, as the adoption will go up the hacks will increase. With increased number of incidents, the awareness and the need to learn about cyber security will only increase as we move into the future.
Being in the business of knowing the challenges of the cyber space, I still feel that the advantages of becoming a digital society far outweigh the challenges. But I only hope we can pro actively invest both time and money to reduce the cost of breaches while we transition from a physical to a digital society.