
MSMEs still not prepared as CERT-in cybersecurity compliance extension deadline expires

The Ministry of Electronics and Information Technology had extended the deadline for MSMEs to comply with the Indian Computer Emergency Response Team's (CERT-In) directions till September 25, while for others the directions have been in force since June 27.

September 26, 2022 / 10:45 IST

The extended deadline for micro, small and medium enterprises (MSMEs) to comply with the Indian Computer Emergency Response Team's (CERT-In) cybersecurity guidelines expired on September 25. Industry players have since told Moneycontrol that these companies are ill-equipped to adhere to the guidelines in letter or spirit.

“Many small and medium-sized organisations have thrown their hands up, saying, ‘We don't understand the compliance requirements and what to report in case of which incidents,’” said Zainab Bawa, Chief Operating Officer of Hasgeek.

The April 28 directions issued by CERT-In require entities to maintain logs of all information and communication technology (ICT) systems for a period of 180 days.

Among other directions, they also have to register and maintain personal information of subscribers for five years or longer and provide this data to CERT-In if demanded, in the event of a cybersecurity breach.

Corporate entities also have to report cybersecurity incidents within six hours of noticing them.

Hasgeek, a Bengaluru-based company, has been in contact with small and medium-sized enterprises to ascertain how the directives might affect them since the directions were announced by CERT-In on April 28.

The Ministry of Electronics and Information Technology, under which CERT-In operates, was informed at consultation meetings that SMEs will face an additional burden in complying with the directions.

In a meeting with SME representatives on June 14, Rootconf, a community brand developed by Hasgeek, concluded that 300 days starting June 28 was an acceptable deadline to follow CERT-In's directions.

Based on these discussions, the ministry decided to extend the deadline until September 25 although the CERT-In directives have been in effect for other entities since June 27.

Why SMEs are lagging

Bawa cites three reasons why SMEs are currently lacking in preparedness. “Firstly, they may not have the capacity to identify where the biggest gaps are (in terms of cybersecurity),” she said.

SMEs need to know how to secure their network, Bawa said. “For instance, anyone walking into your premises and connecting to your WiFi is a security breach,” she added.

Second, Bawa stated that SMEs must conduct an asset inventory, which she claims "no organisations have." Asset inventory management refers to the tools and processes needed to keep an up-to-date record of all hardware and software within the enterprise.

She stated that finding talent is another issue that SMEs continue to face. Hiring staff that would comprehend security from both a consulting and a product perspective, in addition to affordability, is the other challenge in this regard.

Bawa observed that there was a general feeling of apathy among many SMEs. “There is a sense that, ‘if something happens, we shall see what’s the worst, and if we have to pay a fine, we will do that and move on’.”

Lack of clarity

Security researcher Avinash Jain, who works with startups, claims that many people are still unsure of what CERT-In means when it states that all cyber incidents must be reported within six hours.

“What do they mean by all cyber incidents? Every incident can mean a distributed denial of service (DDoS) attack, and it can be a huge data leak,” Jain said.

“In today’s world, at any point in time one’s infrastructure can get attacked, for instance, by automated scanners,” Jain said, indicating the huge volume of cyber incidents an SME would have to report to CERT-In.

CERT-In guidelines have recently been in the spotlight for reasons other than the compliance requirements for SMEs.

On September 22, ProtonVPN joined the growing list of virtual private network service providers who have moved their servers out of India in protest over the country’s cybersecurity guidelines.

ProtonVPN and select other organisations have unitedly opposed CERT-In guidelines' logging requirements, which mandate that service providers such as Proton log consumer information such as IP addresses and names for five years.

Aihik Sur covers tech policy, drones, space tech among other beats at Moneycontrol
first published: Sep 26, 2022 10:45 am
