In at this time’s info financial system, ‘information is the brand new oil’, or so goes the oft-repeated saying. However what if this ‘new-age oil’ is leaking profusely and its security threatened by nefarious actors who can launch cyber assaults at will? The yr that has passed by, bore testimony to the cybersecurity dangers for India’s ambitions of transitioning to a data-driven digital financial system.
In 2020, a number of Indian startups and firms, equivalent to Google-backed hyperlocal supply platform Dunzo, on-line grocery supply retailer BigBasket, restaurant chain proprietor Haldirams, edtech platform Edureka, on-line journey market RailYatri and even the non-public web site of Prime Minister Narendra Modi suffered cyber assaults, with the info on these web sites being subsequently leaked on the darkish internet the place it was obtainable for buy.
Earlier this month, Inc42 reported that the private information of seven Mn Indian cardholders had been leaked on a public Google Drive hyperlink. The leaked database contained delicate info, together with cardholders’ names, telephone numbers, electronic mail addresses, names of employer companies, annual incomes, kinds of accounts and whether or not they had switched on cell alerts or not. The leaked database additionally included the PAN numbers for five Lakh cardholders.
Consultants are of the opinion that the spate of cyber assaults this yr will be largely attributed to the shift to work-from-home (WFH), the place the system of every particular person has been uncovered to the web since all working processes have been enabled remotely.
In keeping with Kumar Ritesh, founder and CEO of CYFIRMA, a risk discovery and predictive cyber intelligence firm, cyber-attacks have risen this yr since dwelling networks don’t have the identical degree of safety safety that’s accorded to company networks.
“Staff working from dwelling are additionally not sufficiently educated to handle cyber danger, and are extremely inclined to phishing campaigns and different social engineering techniques,” mentioned Ritesh.
Whether or not the quite a few information breaches for India firms this yr will be attributed fully to WFH and ‘untrained’ workers can’t be ascertained. Nevertheless, the sheer variety of cyber assaults begs the query, has India Inc been lax in guaranteeing a strong cybersecurity posture?
Does India Inc Take Cybersecurity Significantly?
As identified by Ritesh, there’s a comparatively low diploma of cybersecurity maturity amongst Indian firms. An estimated 46% of Indian business companies are working on legacy techniques, that are aged applied sciences now not supported by their distributors, they usually current cybersecurity vulnerabilities which hackers can exploit to achieve entry to company networks.
Additional, in line with information from the ministry of micro, small and medium enterprises, 99.4% of Indian firms are categorised as MSMEs and will not be conscious of cyber dangers and their potential to upend enterprise.
However what of firms with giant capital reserves, equivalent to publicly listed Data Edge, which owns and operates matrimony portal jeevansaathi.com and job portals iimjobs.com and hirist.com.
Final month, customers’ information from iimjobs.com was leaked on the darkish internet. Inc42 first bought wind of the info breach via cybersecurity researcher Rajshekhar Rajaharia and sought Data Edge’s response to the incident. The corporate solely gave a templated response saying, “We’re trying into it”.
Whereas it’s comprehensible that the pressures of being a publicly-traded firm should weigh heavy on Data Edge, it additionally means that these firms don’t have the means to detect a breach, and malware can find yourself residing of their IT atmosphere for a chronic interval. As well as, digital danger and publicity equivalent to exfiltrated information being offered in darkish internet marketplaces in addition to impersonated manufacturers and identities would have gone undetected.
Final week, Rajaharia alerted iimjobs, updazz and hirist of one other information breach, the place their APIs (utility programming interface) have been leaking the non-public information of customers in real-time. In response, Tarun Matta, founding father of iimjobs and hirist wrote on Twitter, “We’re trying into it.”
‘Born-in-the-cloud’ Digital Startups Engaging Targets For Cyber Criminals
In keeping with Pankit Desai, cofounder and CEO of Sequretek, a Mumbai based mostly cybersecurity agency, firms working in sectors regulated by the federal government have been compelled to put money into cybersecurity. Nevertheless, for these in unregulated sectors, cybersecurity is an afterthought. Additional, with a number of born-in-the-cloud tech startups dealing with their customers’ private and monetary info in addition to behavioural information, India has emerged as a beautiful goal for cyber criminals.
“Hackers who can efficiently breach the edges of those firms might be paid the ransom (ransomware) to achieve again management of the techniques aside from additionally having access to a prized information pool that may fetch good-looking returns on the darkish internet,” Desai informed Inc42.
Apart from ransomware, phishing and social engineering, in addition to distributed denial of service or DDoS assaults, have witnessed an increase in India this yr.
A worrying pattern witnessed by Desai this yr is that Indian companies in hitherto safeguarded sectors equivalent to healthcare, pharma, monetary establishments and manufacturing have additionally confronted cyber assaults.
CYFIRMA’s Ritesh added that pharmaceutical and healthcare firms have been fascinating targets for cyber criminals, as a part of company espionage for stealing the Covid-19 vaccine analysis information. Such makes an attempt are understood to have been made by each state and non-state actors.
Extra worrying is the truth that a few of these companies select to not acknowledge the info breach after being apprised of the identical by unbiased cybersecurity researchers. All these firms thrive on information and any safety breach has a far-reaching consequence.
‘This Is One Nation That Doesn’t Hear To Us’
In the meantime, a current report by CYFIRMA, factors out that India’s geopolitical tensions with its neighbours, Pakistan and China, could also be guilty for the rise in cyber assaults.
“Based mostly on our analysis, we’ve got seen that state-sponsored hackers are significantly eager on India authorities companies and Indian firms. Our analysis confirmed that the suspected risk actors have been primarily sponsored by China, Pakistan and North Korea. The hackers’ targets have been centred round smearing India’s popularity, inflicting productiveness loss, creating operational injury and searching for monetary beneficial properties,” mentioned Ritesh.
CYFIRMA has recorded conversations in Chinese language hacking communities, the place individuals have talked about “educating India a lesson”.
Others within the group wrote, “That is one nation that doesn’t take heed to us”. The individuals in a single such Chinese language hacking group conversed in Mandarin about focusing on Indian press and media firms, telecommunication companies, authorities web sites together with defence-related companies and Indian pharma firms.
In keeping with IBM Safety’s Value of a Information Breach Report 2020, Indian firms, on common, noticed the entire price of an information breach come as much as $2 Mn. Additional, the report reveals that on common, it takes 313 days to establish and comprise an information breach in India, whereas safety automation is deployed in simply 53% of all organisations within the nation. Given the present situation, the most expensive business for an information breach is healthcare.
In October this yr, India’s Nationwide Cyber Safety Coordinator Lt Gen (Dr) Rajesh Pant mentioned cybercrimes in India triggered a lack of INR 1.25 Lakh Cr in 2019, when the Indian Laptop Emergency Response Group (CERT-In), the nation’s nodal company for cybersecurity, reported 3.94 Lakh cyber assaults. In 2020, that quantity surged to nearly 7 Lakh until August alone.
In keeping with Pant, cyber threats will proceed to extend because the nation focuses on growing sensible cities and rolling out 5G community companies.
As for the steps that India Inc can take to make sure a extra strong cybersecurity posture, specialists informed Inc42 that the federal government should lead from the entrance since it’s higher outfitted in coping with cyber assaults.
How To Ward Off Cyber Threats In 2021
CYFIRMA’s Ritesh mentioned that the Indian authorities should give you a cohesive nationwide cybersecurity coverage. Additional, it ought to be obligatory for firms to report cyber assaults which focused their techniques in order that there’s a physique of analysis information which might present insights on threats to India and inform the federal government on methods it may undertake to enhance the nation’s cyber hygiene.
Desai reiterated the suggestion, including that at a time when India is trying to usher in a private information safety legislation, it ought to be obligatory for firms to report such incidents, within the curiosity of all stakeholders, together with their prospects.
The dearth of cybersecurity expertise stays an ongoing concern on the planet, one that’s significantly acute in India, given the massive prices that cyber assaults are projected to impose on its firms.
“India faces an pressing want for cybersecurity abilities and sources who may help fend off cyber assaults. The tertiary establishments ought to embody cybersecurity coaching, consciousness, and training as a part of their curriculum, and this might alleviate the continued expertise crunch drawback,” Ritesh informed Inc42.
In keeping with Desai, for Indian startups that work in unregulated sectors, enterprise capital and personal fairness companies investing in them ought to examine the cyber well being of the investee as a part of their due diligence.