CISOs Warned of Cybercrime SurgeTime to Focus on Partnerships, Securing the Ecosystem
India is expected to see an alarming rise in cybercrime this year, according to a new study by the Associated Chambers of Commerce and Industry of India and Mahindra Special Services Group. By their estimates, India in 2015 is likely to see more than 300,000 cybercrime incidents, versus 150,000 in 2014.
It is time, then, for security leaders and their organizations to carve out a secure cyber-ecosystem by - among other tasks - building an incident response team within their organisations, and by participating actively in the government's public-private partnership model.
"The economic growth of any nation and its security, whether internal or external, and competiveness depends on how well its cyberspace is secured and protected," says D S Rawat, secretary general of Assocham.
Cyberspace fundamentally is not as complex as we think it to be, adds Dinesh Pillai, chief executive officer of Mahindra Special Services Group. "What makes it complex is its nature, i.e., cyberspace is borderless, which goes beyond jurisdiction, and actions in the cyberspace can sometimes be anonymous and dangerous."
Understanding the Threats
According to the Assocham/Mahindra SSG study, cybercrime in India weighed in at an estimated 149,254 incidents in 2014, and is likely to cross 300,000 by the end of 2015 - a compounded annual growth rate (CAGR) of about 107 percent. Nearly 12,456 cases are registered in India every month, the study concludes.
Credit and debit card fraud cases top the charts. There's been a six-fold increase in such cases over the past three years. Some 2,277 complaints of online banking/credit/debit card fraud were reported in 2014. The report also cites 191 Facebook-related complaints (morphed pictures/cyber-stalking/cyber-bullying). Other major complaints were cheating through mobile (61), hacking of e-mail ID (59), and abusive/offensive/obscene calls and SMS (55).
Financial attacks tend to be launched via phishing attacks of online banking accounts, or by cloning of ATM/debit cards. The increasing use of mobile devices for online banking/financial transactions has also largely increased vulnerability.
What's worrying to Indian leaders is that many of these crimes originate externally, from countries including China, Pakistan, Bangladesh and Algeria, among others. Hence, the call to create a more secure cyber-ecosystem.
"[Organizations] must realize cybercrime is not just an IT threat, but has an adverse impact on the business itself," Pillai says.
Securing the Cyber-Ecosystem
In light of these reported threats, security experts say it is imperative for CISOs to have the best security standards and practices in place to detect and respond to these incidents. And because security is increasingly a boardroom topic globally, what's needed is a top-down approach where organizations' leaders are responsible for a creating a secure culture.
Pillai advises business heads to create a 24x7 computer emergency response team within their organizations. "These CERT teams should create a mechanism to regularly interact with the Indian Computer Emergency Response Team, New Delhi," he says.
Other security experts recommend regular penetration testing and advise CISOs to regularly conduct cybersecurity drills.
"This will help CISOs assess their level of security posture and emergency preparedness," says Chennai-based cyber law expert Sundaram Prabhu, advisor and strategic planner for the government and chairman of ConsulSys (India) Pvt. Ltd.
Further, CISOs must develop information security policies integrated with business plans and implement such policies as per international best practices, and in line with India's legal system.
Kochi-based Anup Narayan, founder and chief executive officer of Information Security Quotient, believes it's important for security leaders to understand how an attacker thinks, then respond accordingly.
"One must accept that security is implemented using technical controls, but do not forget these are effective only with efficient use - and it is people who manage it," he says.
And while no one argues against such fundamental advice, some security experts do see challenges to implementing government initiatives and the involvement of businesses in the security process.
And it starts with educating boards about the reality of today's threat landscape - and how vulnerable their organizations are.
"While business houses are asked to design their strategies to combat cybercrime, the boards are just not clued in to do anything of the kind," Prabhu says.
Security leaders argue that the public-private partnership model as prescribed under the National Cyber Security Policy of 2013 exists only in name. There has not been any real progress in organizations joining together to combat cybercrime or build skills.
Ramesh Bhashyam, secretary of Chennai Cyber Security Association, says that cybersecurity programs that must be created in coordination with the public-private partnership model exist only on paper; the government has made no effort to make it a reality.
"Private players or corporates are never involved in creating standards or framing cyber policies, testing or in evolving certification methodologies," laments Bhashyam.
But Prabhu also sees an unwillingness among top private-sector entities to invest in R&D. The reason: Government authorities have not created enough room to justify the investment made by R&D to develop the process and technological skills necessary, Prabhu says.
"The government has to give the IP status to the investing group, a huge cost the government is not prepared to shell out," he says. "It has to tap the right partnerships and understand the nuances of investments and related business outcomes and consider funding.
Another challenge is that the IT Act of 2001, amended in 2008, is not adequate or effective for technical and operational security control measures implemented in IT system and networks.
Still, despite these challenges, Assocham's Rawat says organizations should consider investing in R&D initiatives for enhancement of skills and expertise in cybersecurity.
Mahindra SSG's Pillai suggests that organizations enlist outside help. "[They] should appoint independent agencies as cybersecurity auditors to conduct security audit, vulnerability assessment and penetration testing periodically or as and when they upgrade their IT infrastructure."