Cyber experts express concern about data security in India
In August, the government passed the Digital Personal Data Protection (DPDP) Act, 2023, marking India's inaugural cross-sectoral personal data protection law amid concerns of heightened surveillance.
SINGAPORE: Digital transformation and development of advanced technologies are progressing at full pace in India but cyber experts have expressed concern about the security of the sheer size of data that the country will have to manage, given its neighbouring adversaries as well as the growing sophistication of scammers.
Indian technologists and business executives will have to collaborate, cooperate and create a comprehensive ecosystem to tackle tech-driven threats, the experts said on the sidelines of Singapore Cyber Week - 2023 held from October 17-19.
In the last six months, the three most impacted industries in terms of weekly attacks per organisation were Healthcare, Education/Research and Utilities. The retail, hospitality, manufacturing and transportation sectors will also have to move fast on cybersecurity, the experts said.
On average, each organisation in India was attacked 2,157 times per week in the last six months, compared to 1,139 attacks per organization globally, according to a recent Check Point's Threat Intelligence Report.
"Cybersecurity is getting very complex, especially in today's evolving threat landscape with increasingly sophisticated cyberattacks, which in some cases is hard to understand and keep up with," says Vivek Gullapalli, Chief Information Security Officer, APAC at the Check Point Software Technologies.
"Very often cybersecurity is mainly left to the responsibility of a company IT team to manage," he said, calling for the involvement of the board and management to ensure that the organisation can survive cyberattack and continue doing business uninterrupted.
Gullapalli suggests a holistic way of looking at threats and attacks rather than delegating to an IT person. "You need to understand the business, the ecosystem and who is coming after you, and work with the board and management to implement a prevention-first cybersecurity strategy for maximum cyber resiliency." Post-COVID, hospitals in India and generally across the world were forced into accelerated digital transformation, with a focus on a zero-touch approach as opposed to paper-based previously.
However, these digital implementations were carried out without a security-first approach, leading them to suffer security gaps, and sealing their current security weaknesses, noted Gullapalli.
In August, the government passed the Digital Personal Data Protection (DPDP) Act, 2023, marking India's inaugural cross-sectoral personal data protection law amid concerns of heightened surveillance.
This has instilled more confidence among Multi-National Corporations (MNCs), though they have been concerned about security in India, says Ashish Thapar, Vice President and Head of cybersecurity, APAC, at NTT Ltd.
The Government, Defence, RBI and SEBI have kept up with robust compliance requirements. Driven by the market and the regulators, banks have also done well in protecting all systems but Thapar feels there is still scope for further improvements.
Noting that businesses are always shy about sharing information that is critical for protecting data, he said that criminals are well ahead and are always raising their bars and increasing the number of scamming networks.
India's participation in the Quadrilateral Security Dialogue (Quad) and G20 forums is good for building cybersecurity but still, it is not enough.
He said that Quad's reportedly ongoing work on a new information-sharing agreement would help its four members – Australia, Japan, India and the US - improve cyber-resilience and their response to critical infrastructure (CNI) threats.
Los Angeles-based Kunal Anand, CTO and CISO of Imperva, echoed a similar sentiment adding that institutions such as RBI are working with the biggest players in the Financial Services Industry on actual security mechanisms to tackle cybersecurity problems directly.
"This isn't about creating regulations for the sake of regulation; rather, it mirrors the government's commitment to fostering a robust and self-reliant digital ecosystem," he told PTI.
"India now has Venture Capital as an industry. Venture funds and sovereign funds are being directly invested in India. With an economic incentive to stay in India, the brain drain India had experienced is no longer happening," says Anand.
Talents are returning home post-studies, contributing to the highly advanced technological architecture being built. They are approaching security as a first principle, Anand observed.
The government is also leading in building data centres to keep data in the country. Some 45 new data centres with a combined 13 million square feet are scheduled to be developed by the end of 2025, says Anand, citing industry data.
But he also warned against complacency, pointing out that challenges around supply chain security need to be tackled head-on. India has done a good job observing what is happening in the East and West and blending the best parts into the country.
"We will see a lot of successful startup surge, with funding running into multi-billion dollars," says Dr Aditya Sood, Senior Director of Threat Research and Security Strategy, Office of the CTO at F5.
However, he highlighted the risks associated with the India growth story as it is not a small market and not an easy place to manage, given that technologists are raising the bar frequently for businesses and individuals.
Sood underlines the urgent need to have a clearer visibility of data at the highest level of cyber security.
"Even if we have solutions in place, the challenge is going to pop up because cybersecurity is going to be the big data problem. And who is going to control the data is going to control the keys to the kingdom," said Sood, who has spent over 15 years in the United States.
Cyber experts feel that even if laws, legislations, policies and mandatory compliance requirements are in place, the question is whether the implementation of cyberattack is borderless and can originate from anywhere in the world.