Cybersecurity solutions have gained greater significance with a growing number of digital transactions and the dependency of businesses and individuals on technology. SMEs, which run on limited capital and resources, often lack appropriate and affordable solutions to tackle cyber breaches.
Thankfully, the cybersecurity businesses today are not only successfully helping these SMEs and large corporates in safeguarding confidential data but also implementing solutions to defend against threats to their networks and computer systems. Milind Mungale, Managing Director and CEO, Protean InfoSec Services Limited, aims to focus on the important aspects of the cybersecurity industry in India.
- How is the cybersecurity landscape changing and evolving in India?
Considering the present state of India, we are progressing on multiple fronts. While Digital India and Make in India are at the helm of business affairs, our nation’s huge population is contributing to digital initiatives by choosing to transact in the digital medium. We have a large millennial population inclined towards e-commerce as compared to traditional ways. All in all, it appears that India is progressing not only in online technology systems but also in terms of the adoption and usage of such initiatives. This speaks a lot about the cybersecurity opportunities and concerns of our country. On one end, entrepreneurs are mushrooming with startup ideas and attracting substantial funding from everywhere. On the other end, the number of people adopting online ways is adding to the huge repository of PII in various databases. India is a fertile land for cybersecurity on both sides i.e. the enterprises hosting it as well as the threat actors attacking it. Threat actors have the motivation to put in their efforts and resources and at times risk themselves as they can achieve their malicious intentions. Hence, we witness their advancement and evolvement with every successful attack attempt. On the other hand, enterprises that are custodians/ owners of data are also seen keeping up their pace with the changing attack vectors based on the study of reported incidents.
- What are the emerging cybersecurity threats in today’s interconnected world?
Cybersecurity threats are multifold in the interconnected world. Cloud migration takes such threats to the next level because sometimes it is not a well-thought move. However, when it comes to individual targets, phishing attacks continue to emerge with much more sophistication and advancement. Nowadays, simple tricks used earlier in phishing are replaced with highly customized, genuine-looking targeted attacks. Sometimes, even the professionals working in security/law enforcement, etc. get duped by such attacks. Population scale percolation of UPI and innocence of users lead to unfortunate events of siphoning out their hard-earned money. On the other hand, for business houses, small or large, the primary threat of ransomware continues to emerge further along with data theft. Not to forget, concerns around insider threats are also on the rise, according to some reports. The path or penetration into organizations has opened up multiple fronts because of interconnected operations. All entities in a supply chain connect with each other. Anyone of them having a weakness of control or more liberal access without proper monitoring becomes a gateway. Most of the time must be lost in finding such an opening, after that probably it becomes party time for threat actors. For them, the icing on the cake would be if they can identify anyone from inside to collaborate with them. Hence, insider threat is prominently emerging in this fast-paced life of an overburdened workforce with little consideration for work-life balance and frustration building in the minds of people.
- What are the key factors organizations should consider for ensuring data protection and cybersecurity?
We have been talking about cyber/information security awareness for a long time now. Organizations have self-mandated and regulatory bodies have given directions regarding spreading awareness of cybersecurity among the stakeholders. Nowadays, the sensitivity has increased so much that the entire board carves out a couple of hours periodically from their busy schedule to sit through such awareness sessions. HR has added this as part of a compulsory training program. However, what is still missing in the cyber/information security culture demonstrating the perpetual maturity of stakeholders is understanding the nuances of cybersecurity. Awareness programs are ample but the initiatives to develop such a culture are yet to be seen in all the organizations uniformly. It has not reached the level of maturity that we see in Accounting, Auditing, and HR practices, regardless of the size of any organization. Even a mismatch of Rs. 10 in the accounts is not forgiven. However, at times incidents of information missing or successful security breach is pardoned. A majority of the organizations have done their best in adopting technologies in implementing practices and procedures (some as compliance matters and others in spirit) and introduced initiatives to educate their stakeholders. They now need to move towards building the mindset of stakeholders (including customers) and help everyone to be alert and sensitive towards their information assets. Data protection would be possible only if people change their way of handling the data. No technology can compensate for the innocent errors of human nature that cause larger issues.
- What are the different elements of cybersecurity?
Cybersecurity is a vast topic with hundreds of elements. By itself, it would be a failed attempt to list or even summarize them here. However, we will consider the most important elements. The first and foremost element is People. If we have appropriate alertness on this element, many mishaps of cybersecurity breaches can be easily avoided. The second most important element is the Infrastructure. In the physical world, it is not enough to have a strong door that is open all the time or even those where hinges are weakly fixed. The infra strength does not come out of technology alone, the crux of the matter is in how it is configured. If there are lapses or loopholes, they are bound to be exploited. The third most important element is Access – The Right to Information. Trust may be the basis of a harmonious social foundation. When it comes to information and data, it can be ensured only by mistrust. Organizations must have no trust in anyone while giving access to information. That is why they call it as Zero-Trust Architecture nowadays. The final and fourth element is Monitoring. Consider the digital assets as a small country of yours and have a monitoring mechanism the way any country would deploy to protect their borders.
- What are the various challenges faced during the implementation of cybersecurity solutions?
Cybersecurity adoption challenges come first, implementation challenges follow, and finally, maintaining the cybersecurity adopted and implemented is a perpetual challenge that every organization has to overcome. In India, cybersecurity challenges vary with the size of the organization and the tone at the top. A small organization has budget and skill challenges whereas midsize organizations face speed and posture sustenance challenges. Larger organizations are better in terms of budget allocation. They are also able to attract the requisite skills but they face challenges in retaining such skills. Due to the budget and skills, they have no challenge in adopting the necessary technology of cybersecurity. But the challenge is in keeping it effective and fully functional in the fast-paced changes happening within the service/product offerings of their organization. Most of the time, post-facto regularization of security posture opens a small exploitable window which can be harmful if an insider decides to shake hands with external threat actors. Hence, the challenge of insider threats for such an organization would be very prominent. On top of it, all the organizations face the challenges uniformly concerning mending and adapting to fast-changing enhancements – obsolescence of deployed security technologies amidst changing regulatory requirements.
- How are SMEs evolving and adapting to cybersecurity solutions?
SMEs, except for a few, are at a nascent stage of adopting cybersecurity solutions. It is not that they have reluctance or resistance. They have enough understanding of the necessity of cybersecurity. However, the challenges they face include budget, at times. If the budget is available, considering the size of the organization, the ability to allocate it would always be limited. Getting appropriate solutions and services of quality for cybersecurity within a budget is what leads them to be laggards. Secondly, as mentioned, the tone at the top sometimes is compliance-oriented. Therefore, as long as the compliance is met, they consider their cybersecurity adoption sufficient. Recently, there is a shift observed in SME thinking. They are getting the gist of the issues and learning about real-life consequences faced by others. They are becoming serious about cybersecurity and showing positive signs toward its adoption. The SME segment is making a promising march toward its cybersecurity posture.
- What are the opportunities and challenges in the InfoSec sector?
Almost every segment, sector, and size of the organization, regardless of the type and capacity of its digital footprint, needs cyber/information security. At the same time, they lack proper direction and advice in this domain. If we look at the SME numbers in our country, it goes in lakhs. Hence, there is tremendous potential. Even if a single-digit percentage materializes in terms of a serious outlook toward cybersecurity posture, substantial employment and business opportunities will open up for the InfoSec sector. However, the challenge is in being able to make them realize the fact. They have been operating for a very long time and are satisfied with limited growth as compared to their existence in business. The next generation, if they join the family SME, are looking towards such things seriously due to their exposure, education, and modern way of business thinking. They are more ambitious and ready to leap ahead as the sky is the limit for their potential. The second challenge for the InfoSec sector is being able to provide them with appropriate quality of service within a budget. Unless there is a delivery model which brings in a reduction in cost with an increasing number of entities availing such services, curtailing the cost of service would be a big challenge for the InfoSec Sector.