Can no longer look at cybersecurity as just ‘server room’ issue: EY's Kartik Shinde
This widespread use and increasing dependence on technology no doubt has its benefits but it also brings along challenges in terms of data security.
A 'Digital India' driven by a 'cashless economy' is a noble crusade to formalise India's unorganised sector, weed out black money and drive growth from grass-root levels.
This widespread use and increasing dependence on technology have their benefits but they also bring challenges in terms of data security.
As large volumes of data and private/personal information are exchanged over networks, the risk attached to data leakage, data theft and cyber attacks increases gradually and poses a grave threat to the adoption of sophisticated technologies.
Ignoring or not adequately addressing these concerns can hurt the digitization movement in India and also deter companies worldwide from operating in the country.
In a study conducted by business intelligence firm Kroll, when the participants of the survey were asked whether they had been dissuaded from operating in a particular jurisdiction because of fraud concerns, notably 19 percent of the respondents stated they were dissuaded from operating in India, which was the second most mentioned jurisdiction after China (25 percent).
Speaking to Moneycontrol News, Kartik Shinde, Partner – Cyber Security, Financial Services, EY, outlined his thoughts on how resilient India is in tackling cyber attacks and what more needs to be done for enhanced security and response against such threats.
Q: There were major hacks in India’s PSBs last year and, in light of the Digital India initiative, is the government prepared to fight cybercrime and protect data and privacy? Also, how vulnerable are mobile wallets and banking apps to data theft and hacking?
A: Yes, there have been major incidents in India, something that makes us rethink how we can no longer look at cyber security as a ‘server room’ issue. It is a critical subject that needs the attention of the Boards of India Inc. We cannot afford to be complacent in an industry which is changing at a fast pace and where cybercriminals are thinking far ahead for motives that go beyond monetary benefits. We definitely need to redesign and rethink our cyber security architecture.
The banking industry has been more adept at adopting cybersecurity measures.
As we see mobile wallets and banking apps replacing physical wallets, the government and individual users should be cautious of the risks evolved. Attacks take many different and increasingly complex forms.
While executing standard cyber control measures in an organization’s corporate shield may work against simple Distributed Denial of Service (DDoS) attacks or viruses, it may not work as well against the sophisticated, persistent attacks that organized cyber criminals launch against their targets every day. Increasingly, DDoS attacks are hampering the application layer instead of the network one. That basically translates to the fact that more often cyber criminals are attacking the unsuspecting mobile users!
Q: Apart from the increased expenditure to curb cybercrime, on what aspects should corporate India focus to provide better data safety?
A: With governments and enterprises increasingly leveraging the internet for mission critical applications – from managing smart cities and operating power grids to conducting banking transactions and manufacturing connected vehicles, cybersecurity continues to remain a top imperative across the world.
India ranks third globally as a source of malicious activities and its enterprises are the sixth-most targeted by cybercriminals. Despite investments in high-end security products, the cyber-breach prevention, detection and incident-response capabilities of most organizations are yet to mature.
Organizations need to enhance their cyber resilience. They need to sharpen their senses on seeing when the cyber attackers approach their perimeter.
Secondly, they need to upgrade their resistance to attacks. What if the attack is carried out with a new, more sophisticated technique that one hasn’t experienced before? They need to build defenses which would be able to resist something new and more powerful.
Third is to react better. In the event of a cyber-attack, companies need to chart out what the organization’s plan is and what their role in it is. What would be their first step, and at what point should they disclose the attack?
Q: There is a lot of talk on the benefits of blockchain technology and one of them was providing the next line of defense for cyber security. What are your views on it?
A: Bitcoin hasn’t really set the world on fire and its contribution to the massive financial services market has been minuscule. However, the underlying technology, blockchain, and the fundamental idea of a tamper-proof distributed ledger created by computers is pretty powerful in itself.
Businesses are now getting interested in unwrapping the underlying technology and using the core blockchain network protocol concept without any cryptocurrency attached to it. This is giving rise to a world of private, permissioned blockchains that replace the trust-less aspect of bitcoin blockchain with a closed, trusted set of participants.
So, rather than a completely ‘distributed database’, it becomes a ‘shared database’.
Financial institutions are investing heavily in private blockchain projects as they promise great cost benefits where institutions can save billions in areas like clearing and settlement, trade finance and automated contracts.
It has the potential to change the social and economic behavior of the populace. We believe that the policymakers need to do a critical examination of these digital currencies which will be the first step in taking it towards the next stage.
Q: In a report released by EY earlier this year, it was mentioned that corporates should move from a 'fail-safe' approach to a 'safe to fail' environment. Can you elaborate on that?
A: Organizations are correct when they say their focus lies in building a robust, sturdy and resilient fail-safe operation that can withstand an uncalled-for cyber-attack.
However, in a scenario of unpredictable and unparalleled cyber-threat, it’s risky to merely rely on a fail-safe approach. There need to be other options as well. The aim should lie in designing a system that is safe-to-fail.
Future cybersecurity needs to be smarter as well as stronger, with a soft-resilience approach. This means that on sensing a threat, there are mechanisms that have been designed to absorb the attack, reduce the velocity and impact of it, and accept the possibility of partial system failure as a way to limit damage to the whole.