The Centre’s impetus to digital payments after demonetisation, announced on November 8, has propelled several sectors to increase their focus on cyber-security, which several industry experts believe should have been in place well before time considering the growing proliferation of internet services in various sections of the economy.
This is highlighted by the fact that out of the 27 cyber risk advisories issued by the Indian Computer Emergency Response Team (CERT-In), 9 pertained to modes of digital payments such as mobile banking, electronic wallets, micro-ATMs and Unified Payments Interface.
However, during the whole calendar year 2016, there were no advisories about digital payment tools. CERT-In’s advisories are issued to inform users about the possible risks and precautions needed to be taken while using any of the tools.
“Regardless of the demonetisation policy, our lives, including our financial lives, are steadily moving to a digital environment and so we need to have trust in our institutions — government and private organisations — while recognising there are bad actors out there who can do anything to circumvent any protection that will be put up … But I think, this whole issue is a huge wake-up call for India and for the financial sector and the broader economy,” said Jared Ragland, senior director, policy (Asia-Pacific), The Software Alliance, also known as BSA.
“I think the Asia-Pacific region generally is behind Europe and North America in having basic cyber security framework and laws in place, but the entire world is struggling with some of these issues. Probably, India is a little behind some of the other countries at a global level in terms of cyber-security preparedness. It is also a little bit behind countries like Japan and Australia perhaps, in part because Japan and Australia have taken more efforts to identify what is working, with the private sector, to bolster cyber-security,” Ragland added.
According to the Asia-Pacific Cyber-Security Dashboard prepared by BSA: “While India does have an early warning system and a national computer emergency response team, there is no clear national incident management structure for responding to cyber-security incidents.”
Notwithstanding the topical preparedness put in place to counter cyber threats, experts have also indicated potential risks based on lack of awareness among individuals and organisations concerning security of their information technology infrastructure.
On the one hand, during the past year, 70 per cent of organisations were compromised in some way or the other by a successful cyber attack; on the other hand, nearly one-third of organisations do not have a written information security policy, Nitin Sachdev, vice-president technology, Chi Networks, said.
The recently published Global Information Security Survey 2016-17 by consultancy firm EY highlighted the fact that cyber risks do not get appropriate top management attention at business organisations. “Cyber resilience is a critical boardroom imperative. The likelihood of operational, financial and reputational damage is growing as criminals exploit organisations’ enhanced attack surface as a result of their online presence, automated operations, and use of social media, mobile devices and cloud devices,” said Nitin Bhatt, national head and partner — risk advisory, EY.
The EY survey also shows that 38 per cent of its respondents, who include IT executives and managers of large and globally recognised organisations as well as key government entities, have said that boards of their organisations are not “fully knowledgeable” about cyber risks. According to the survey, more than half of the respondents do not have a formal threat intelligence programme, while 44 per cent do not have capabilities to identify vulnerabilities.