As the article ‘Cybersecurity Should Be the Financial Sector’s New Year’s Resolution’ pointed out, the financial sector is under threat of cybercrime every day. Banks worldwide have lost over ₹41.6 trillion ($600 billion) due to cybercrime, with some ₹347 billion ($5 billion) lost due to ransomware alone. These numbers are staggering, and are clear evidence of the necessity to invest in IT infrastructure and cybersecurity in the internet age. This is especially the case here in India, where 76% of Indian businesses were hit by cyberattacks in 2018. Perhaps unsurprisingly, the financial sector was one of the hardest hit, along with the oil and energy industries.
Just as disconcerting is that 97% of IT managers here admit that cybersecurity is “one of the greatest issues in India” yet, many are ill-equipped — either because of expertise or infrastructure — to do anything about it. According to Sophos India Managing Director of Sales Sunil Sharma, IT personnel spend, on average, approximately four months just to investigate security incidents. “It has been found that the visibility is not there,” Sharma said. “We don’t know what kind of attack. We don’t know how many modes it has actually travelled. We don’t know how the attack is damaging, which are the endpoints, where it has actually made damage.” In other words, there is a cybersecurity gap in India, and it needs to be bridged sooner, as any delay might result in more financial losses through lost data, operational disruptions, damaged infrastructure (servers, endpoints, etc.), and damage control.
There are ways though that companies are bridging the cybersecurity gap:
With the Indian government determined to make the country a digital economy (witness the introduction of Digital Locker and the increase in digital payments in the country), India is sure to become an even bigger target for cybercriminals. This imminent threat means businesses must be proactive when it comes to cybersecurity. To this end, many seem to have taken notice. An Open Gov report notes that India ranks second in cybersecurity insurance, behind the UK, with 82% of Indian firms claiming to have it in place. However, only 48% of the businesses reported having comprehensive cybersecurity insurance (well-known providers in India include Bajaj Allianz, Lucideus, Marsh). Curiously, only 40% of firms in the financial sector have comprehensive coverage.
What these figures mean is that only 48% are adequately protected from cybercriminals, especially given India’s thriving IT industry. The rest, however, are still at risk, with those having no comprehensive coverage exposed to advance-level cyber-attacks such as those that employ automation and machine learning. The remaining 18% with no cybersecurity insurance are the most vulnerable. Businesses are therefore advised to at least explore getting cybersecurity insurance, especially with across-the-board expectations that cyberattacks will increase moving forward.
Investing in IT
Right now, 9 in 10 CISOs believe that breaches are near-certainties. The reason for this is digital transformation, which as Frolov explains, “widens the surface of attack,” thus giving cybercriminals “more opportunities to find weaknesses, to creep into systems, and to leak or exploit data.” This fact underscores the need for businesses to invest heavily in their own IT security teams, in conjunction with cybersecurity insurance. Doing so gives firms a multi-pronged mechanism against cyberattacks.
One thing to consider in this regard — again, as Frolov points out — is to shift from the prevention paradigm to the detection and response model. In the latter, the emphasis is to “detect an attack quickly enough, and respond comprehensively and quickly enough to minimise its impact.” This shift in focus is necessary because cybercriminals will eventually find ways to circumvent whatever preventive measures are in place. Case in point is last August’s Cosmos Bank hacking incident, where systems were hacked into by “a more advanced . . . and highly coordinated operation that bypassed three main layers of defence contained in International Criminal Police Organization (INTERPOL) banking/ ATM attack mitigation guidance.” In other words, the attackers were able to bypass several security systems, including the bank’s to illegally transfer funds from Cosmos to 30 different banks globally. With improved detection and response mechanisms, such an attack would have been discovered earlier, and addressed accordingly.
Procure more experts in cybersecurity
As pointed out earlier, India’s IT industry is still developing, but is not exactly clueless when it comes to safeguarding against cybercrime. Cybersecurity adviser Gulshan Rai told The Hindu Business Line that there is a need for experts in the industry, which is expected to reach a market value of ₹2.43 trillion ($35 billion) by 2025. Over a million jobs are due to be created, and cybersecurity experts will definitely be in high demand. This follows a global trend with the top economies also struggling to find enough specialists. The cybersecurity skills gap in the UK was found to be the second worst in the world, despite the country also being the third highest for advertised cybersecurity jobs. The number of jobs vacancies increased by a third between 2014 and 2016. In the U.S, Maryville University’s career evaluation for cybersecurity graduates reports that information security jobs rank third among the vacancies hiring managers are trying desperately to fill. This is despite the industry being one of the most lucrative, with experts earning up to $6,500 more than other IT positions. This is a good indication of how the industry has expanded faster than companies or governments can keep up, and has led to a global skills shortage. If India is to become a global leader in the tech industry it will also have to find a way to fill this gap.
The good news is that India is marching unabated in to the digital age, and cybersecurity is one of the two biggest challenges that the country has to face (the other being data localisation). But companies in the subcontinent are meeting that challenge head-on, and they are making headway.