In today’s information economy, ‘data is the new oil’, or so goes the oft-repeated saying. But what if this ‘new-age oil’ is leaking profusely and its safety threatened by nefarious actors who can launch cyber attacks at will? The year that has gone by, bore testimony to the cybersecurity risks that can threaten India’s ambitions of transitioning to a data-driven digital economy.
In 2020, several Indian startups and companies, such as Google-backed hyperlocal delivery platform Dunzo, online grocery delivery store BigBasket, restaurant chain owner Haldirams, edtech platform Edureka, online travel marketplace RailYatri and even the personal website of Prime Minister Narendra Modi suffered cyber attacks, with the data on these websites being subsequently leaked on the dark web where it was available for purchase.
Earlier this month, Inc42 reported that the personal data of 7 Mn Indian cardholders had been leaked on a public Google Drive link. The leaked database contained sensitive information, including cardholders’ names, phone numbers, email addresses, names of employer firms, annual incomes, types of accounts and whether they had switched on mobile alerts or not. The leaked database also included the PAN numbers for 5 Lakh cardholders.
Experts are of the opinion that the spate of cyber attacks this year can be largely attributed to the shift to work-from-home (WFH), where the system of each individual has been exposed to the internet since all working processes have been enabled remotely.
According to Kumar Ritesh, founder and CEO of CYFIRMA, threat discovery and predictive cyber intelligence company, cyber-attacks have risen this year since home networks don’t have the same level of security protection that is accorded to corporate networks.
“Employees working from home are also not sufficiently trained to manage cyber risk, and are highly susceptible to phishing campaigns and other social engineering tactics,” said Ritesh.
Whether the numerous data breaches for India companies this year can be attributed entirely to WFH and ‘untrained’ employees cannot be ascertained. However, the sheer number of cyber attacks begs the question, has India Inc been lax in ensuring a robust cybersecurity posture?
Does India Inc Take Cybersecurity Seriously?
As pointed out by Ritesh, there is a relatively low degree of cybersecurity maturity among Indian companies. An estimated 46% of Indian commercial businesses are operating on legacy systems, which are aged technologies no longer supported by their vendors, and they present cybersecurity vulnerabilities which hackers can exploit to gain entry to corporate networks.
Further, according to data from the ministry of micro, small and medium enterprises, 99.4% of Indian companies are categorised as MSMEs and are not aware of cyber risks and their potential to upend business.
But what of companies with large capital reserves, such as publicly listed Info Edge, which owns and operates matrimony portal jeevansaathi.com and job portals iimjobs.com and hirist.com.
Last month, users’ data from iimjobs.com was leaked on the dark web. Inc42 first got wind of the data breach through cybersecurity researcher Rajshekhar Rajaharia and sought Info Edge’s response to the incident. The company only gave a templated response saying, “We are looking into it”.
While it is understandable that the pressures of being a publicly-traded company must weigh heavy on Info Edge, it also suggests that these companies don’t have the means to detect a breach, and malware can end up residing in their IT environment for a prolonged period. In addition, digital risk and exposure such as exfiltrated data being sold in dark web marketplaces as well as impersonated brands and identities would have gone undetected.
Last week, Rajaharia alerted iimjobs, jeevansathi, updazz and hirist of another data breach, where their APIs (application programming interface) were leaking the personal data of users in real-time. In response, Tarun Matta, founder of iimjobs and hirist wrote on Twitter, “We are looking into it.”
‘Born-in-the-cloud’ Digital Startups Attractive Targets For Cyber Criminals
According to Pankit Desai, cofounder and CEO of Sequretek, a Mumbai based cybersecurity firm, companies operating in sectors regulated by the government have been forced to invest in cybersecurity. However, for those in unregulated sectors, cybersecurity is an afterthought. Further, with a host of born-in-the-cloud tech startups handling their users’ personal and financial information as well as behavioural data, India has emerged as an attractive target for cyber criminals.
“Hackers who can successfully breach the perimeters of these companies could be paid the ransom (ransomware) to gain back control of the systems apart from also gaining access to a prized data pool that can fetch handsome returns on the dark web,” Desai told Inc42.
Besides ransomware, phishing and social engineering, as well as distributed denial of service or DDoS attacks, have witnessed a rise in India this year.
A worrying trend witnessed by Desai this year is that Indian businesses in hitherto safeguarded sectors such as healthcare, pharma, financial institutions and manufacturing have also faced cyber attacks.
CYFIRMA’s Ritesh added that pharmaceutical and healthcare companies have been desirable targets for cyber criminals, as part of corporate espionage for stealing the Covid-19 vaccine research data. Such attempts are understood to have been made by both state and non-state actors.
More worrying is the fact that some of these businesses choose not to acknowledge the data breach after being apprised of the same by independent cybersecurity researchers. All these companies thrive on data and any security breach has a far-reaching consequence.
‘This Is One Country That Doesn’t Listen To Us’, Chinese Hackers On India
Meanwhile, a recent report by CYFIRMA, points out that India’s geopolitical tensions with its neighbours, Pakistan and China, may be to blame for the rise in cyber attacks.
“Based on our research, we have noticed that state-sponsored hackers are particularly keen on India government agencies and Indian companies. Our research showed that the suspected threat actors were mainly sponsored by China, Pakistan and North Korea. The hackers’ objectives were centred around smearing India’s reputation, causing productivity loss, creating operational damage and seeking financial gains,” said Ritesh.
CYFIRMA has recorded conversations in Chinese hacking communities, where participants have talked about “teaching India a lesson”.
Others in the group wrote, “This is one country that doesn’t listen to us”. The participants in one such Chinese hacking group, conversed in Mandarin, about targeting Indian press and media companies, telecommunication firms, government websites including defence-related agencies and Indian pharma companies.
According to IBM Security’s Cost of a Data Breach Report 2020, Indian companies, on average, saw the total cost of a data breach come up to $2 Mn. Further, the report reveals that on average, it takes 313 days to identify and contain a data breach in India, while security automation is deployed in just 53% of all organisations in the country. Given the current scenario, the costliest industry for a data breach is healthcare.
In October this year, India’s National Cyber Security Coordinator Lt Gen (Dr) Rajesh Pant said cybercrimes in India caused a loss of INR 1.25 Lakh Cr in 2019, when the Indian Computer Emergency Response Team (CERT-In), the country’s nodal agency for cybersecurity, reported 3.94 Lakh cyber attacks. In 2020, that number surged to almost 7 Lakh till August alone.
According to Pant, cyber threats will continue to increase as the country focuses on developing smart cities and rolling out 5G network services.
As for the steps that India Inc can take to ensure a more robust cybersecurity posture, experts told Inc42 that the government must lead from the front since it is better equipped in dealing with cyber attacks.
Steps To Be Taken By India To Ward Off Cyber Threats In 2021
CYFIRMA’s Ritesh said that the Indian government must come up with a cohesive national cybersecurity policy. Further, it should be mandatory for companies to report cyber attacks which targeted their systems so that there’s a body of research data which can provide insights on threats to India and inform the government on strategies it can undertake to improve the nation’s cyber hygiene.
Desai reiterated the suggestion, adding that at a time when India is looking to bring in a personal data protection law, it should be mandatory for companies to report such incidents, in the interest of all stakeholders, including their customers.
The lack of cybersecurity talent remains an ongoing concern in the world, one that is particularly acute in India, given the huge costs that cyber attacks are projected to impose on its companies.
“India faces an urgent need for cybersecurity talents and resources who can help fend off cyber attacks. The tertiary institutions should include cybersecurity training, awareness, and education as part of their curriculum, and this could alleviate the ongoing talent crunch problem,” Ritesh told Inc42.
According to Desai, for Indian startups that work in unregulated sectors, venture capital and private equity firms investing in them should include checking the cyber-health of the startups as part of their due diligence.