Indian startups and small businesses are staring at a huge cybersecurity problem and as is the case with such an issue, often it’s too late before gaps can be plugged or fixed.
Just this month, user data from two Indian startups — Zoomcar and Unacademy — was found leaked onto the dark web. Of course, this was not the first instance of data leaks among Indian startups — there have been cases of security holes in startups such as Skolaro, Justdial and others — but it comes at a time when India’s cyber-infrastructure is at its most vulnerable.
In a recent speech, Prime Minister Narendra Modi boasted about India’s prowess in the world of IT and the role played by Indian engineers in past crises such as the Y2K problem. As Indian businesses get more digital and move operations online, the risk of cyberattacks leaking sensitive data has also increased. According to the World Economic Forum’s, cyberattacks and data fraud are found to be the most likely technological risks of Covid-19-forced changes in business operations, as well as the wide and sudden adoption of remote working.
With millions of employees working remotely due to lockdown and social distancing rules, workers are accessing company data without the safety of a fortified corporate network. This has made them easy targets for hackers and scammers.
Surendra Singh, Senior Director and Country Manager at Forcepoint noted that according to the company’s three-month trend analysis of the web and email traffic, there has been a 358% jump in the number of malicious emails, in the week of March 23. The company claims to have blocked over 500 Mn spam emails every day, since mid-March. In April, Gmail was every day detecting 18 Mn malware and phishing emails, and over 240 Mn spam messages related to COVID-19.
Similarly, a report by the UK National Cyber Security Centre (NCSC) and the US Department of Homeland Security noted, “Demand for information on the new virus, accompanied by fear, confusion and even the boredom of confinement, has multiplied opportunities for cybercriminals to deliver malware, ransomware and phishing scams.”
Palo Alto-based cybersecurity startup Lucideus’ cofounder Rahul Tyagi noted the lack of information security training and awareness among employees as another major loophole that hackers are exploiting during the lockdown, and which will continue to be a problem with work from home becoming more common.
“Typically, cybersecurity training is treated as a measure of compliance and is only done once during orientations or during a security assessment. With the way that technology is evolving, and cybersecurity training has to become more contextual to an organization’s security objectives, regular, gamified and most importantly mobile,” said Lucideus’ Tyagi.
The Changing Attitude Towards Cyberattacks
Cybersecurity experts have time and again noted that Indian companies consider cybersecurity as an afterthought, making them easy targets for hackers. According to Rajshekhar Rajaharia, an independent cybersecurity researcher, hackers are seeing this as an opportune time to launch new attacks, as the chances of a police complaint are also low right now and many law enforcement resources are also engaged in the Covid-19 response teams.
“Even before the coronavirus, Indian companies have had a sluggish response time to cyberattacks. They hardly ever file a police complaint nor does the government take any action,” Rajaharia said.
However, cybersecurity firms that Inc42 spoke to believe that this attitude is changing and those in charge of business decisions are becoming much more concerned about cybersecurity risks than before.
An online quantitative survey of 100 chief executives and 100 chief information security offices conducted by WSJ Intelligence and Forcepoint found that 76% of the surveyed leaders are losing sleep over the prospect of becoming the next headline-grabbing security breach.
Mumbai-based Sequretek’s CEO Pankit Desai believes that as Indian companies start seeing remote work as a semi-permanent thing, it will fuel them towards investing in cybersecurity solutions that can work in distributed teams. He expects this realisation to set in by the next quarter, and believes it will increase business investments in cybersecurity.
Goldman Sachs-backed cybersecurity firm Cyfirma claims to have already seen a surge in demand for cybersecurity solutions from companies in healthcare and other segments over the last three months.
Growing Demand For Cybersecurity Talent
This increase in cybersecurity demand has also fueled the demand for cybersecurity professionals at companies. According to staffing company TeamLease Services, the coronavirus lockdown has increased cybersecurity demand to 15% of the total IT requirements, as compared to the earlier 10%.
Further, LinkedIn has listed 49,464 cybersecurity jobs globally in the past 30 days including sectors like IT, BFSI, financial services, defence and more. Edtech platform Great Learning also noted that cybersecurity is one of the few technology professions witnessing a significant uptick in interest as all companies go online.
Great Learning Academy claims to have received over 15K enrolments for its cybersecurity courses in the last one month. These enrollments included both recent graduates and working professionals.
“Apart from IT and BFSI, we have seen a huge increase in the demand for cybersecurity professionals in the healthcare and education sector — both of which have seen a lot of the user activity since the lockdown,” said Harish Subramanian, director of Great Learning.
Need For Data Protection Policy
India was one of the first countries to implement cybersecurity policy by bringing in the National Cyber Security Policy 2013 (NCSP 2013). However, things in the IT world and cyber threats have changed dramatically over the past few years and cyber policy needs to evolve with the changing trends. State-backed attacks are also on the rise in India.
At the Sixth Cyber Security India Summit 2020, held in March 2020, Dr Rajesh Pant, national cybersecurity coordinator from Prime Minister’s Office, said that India’s new cybersecurity policy is expected to be launched in the next two to three months. However, the government has made a similar promise in August 2019, claiming that the cybersecurity policy would be launched in January 2020 but it did not happen. The new policy is expected to address various issues related to the cyber ecosystem including standardisation, testing, auditing and capacity development among others.
Ajeet Bajpai, director-general of the National Critical Information Infrastructure Protection Centre, had said in August last year that the budgetary requirements and necessities of this operation are high, and even a small country like Israel has allocated an annual budget of $20 Mn for cybersecurity. “Considering the size and scale of our nation, we need approximately Rs 25,000 crore budget for the same. The biggest question is where this money will come from? Also, there is a need to emphasise on the need to make cybersecurity mandatory as a subject at the university level for high-decibel awareness,” Bajpai had said.
The cybersecurity startups and service providers are not waiting for the policy to start targetting small businesses and traditional enterprises. The policy push would, however, be helpful. Cyfirma founder Kumar Ritesh said, “Enacting the cybersecurity policies will give commercial enterprises a frame of reference and guide them towards building a more resilient business. The government should build a nationwide cyber strategy, policy, and procedure.”