The Indian economic juggernaut powered by digital public infrastructure (DPI) has established itself as a leader in the world of digital economy. The collaborative environment ‘India Stack’ has transformed our digital ecosystem within a decade. However, this digital ecosystem also carries its inherent vulnerabilities and challenges, the biggest of them being cybersecurity. Whether it is data privacy or data protection, both the public and private sectors have struggled to ward off threat actors.
With every passing day, petabytes of new data are being generated. Today, the world generates more data in a day than it once generated in a decade. Once we factor in the rapidly increasing digital services, advancements in communication technology, and affordability of high-speed internet, this number will only increase. From financial transactions to personally identifiable information (PII) to non-sensitive data, data is being generated, collected, transferred, stored, and processed in unprecedented quantities. Service providers have complete access to critical personal and financial information of end-users. Consequently, any vulnerability in their IT systems can make this data an easy target for threat actors.
The Digital India story has disrupted both markets and market regulations. Developing and deploying necessary checks, balances, and controls over data have unfortunately lagged. The regulatory arbitrage around data privacy and protection was a key reason for the introduction of the Digital Personal Data Protection Act, 2023. While the DPDP Act intends to limit the amount and type of data collected and ensure its limited use, the concerns around data security remain. For instance, the lack of central data encryption standards makes sensitive data extremely vulnerable to threat actors.
Even at an organisational level, the lack of cybersecurity measures can cause significant damage to the business. From financial records and proprietary information to personally identifiable information (PII), a huge amount of data can be pilfered. Ransomware, phishing attacks, and advanced persistent threats (APTs) pose continuing challenges for IT teams. While the regulatory framework around cybersecurity can act as a guardrail to direct organisational behaviour, the ecosystem can only work ‘reactively’ as cybercriminals keep adapting and innovating. As a result, it is up to corporations to be proactive: implementing cutting-edge security technologies, undertaking regular audits, and conducting employee training programmes to build resilience and awareness.
Businesses must begin by building capacity in their internal IT teams and infrastructure. A strong, resilient, and secure IT infrastructure ensures data protection and breach prevention. For instance, the internationally adopted NIST 800-53 framework ensures comprehensive coverage across key domains. Corporations can adopt a five-step approach towards developing their cybersecurity framework. These steps can aid the organisation in aligning its security architecture with international standards.
Identify
1. Asset Management: Inventory and manage hardware and software assets to ensure only authorised devices and software are given access.
2. Risk Assessment: Conduct regular risk assessments to identify potential threats and vulnerabilities in the organisation’s infrastructure.
3. Business Environment: Understand the organisation's role in the supply chain, critical functions, and critical infrastructure to prioritise cybersecurity efforts.
Protect
1. Access Control: Implement policies and controls to restrict access to sensitive information and systems to authorised users only.
2. Data Security: Encrypt sensitive data both at rest and in transit to protect it from unauthorised access and breaches.
3. Maintenance: Perform regular maintenance and updates on systems and applications to ensure they are secure and up-to-date with the latest patches.
Detect
1. Anomalies and Events: Establish baseline behaviours for network operations and data flows to detect anomalies and potential security incidents.
2. Continuous Monitoring: Implement continuous monitoring of systems, networks, and applications to detect unauthorised access and vulnerabilities.
3. Security Alerts: Utilise automated tools to generate alerts for potential security incidents, ensuring timely detection and response.
Respond
1. Response Planning: Develop and implement an incident response plan outlining procedures for handling various types of cybersecurity incidents.
2. Mitigation: Execute measures to contain and mitigate the impact of cybersecurity incidents to prevent further damage.
3. Communication: Establish protocols for communicating with internal and external stakeholders during and after an incident, including regulatory bodies and affected parties.
Recover
1. Recovery Planning: Develop and implement a recovery plan to restore operations and services after a cybersecurity incident.
2. Improvements: Analyse incidents to identify root causes and implement improvements to prevent recurrence and enhance the overall cybersecurity posture.
3. Backup and Restoration: Maintain regular backups of critical data and systems, and test restoration processes to ensure data can be recovered efficiently after an incident.
They must also build security measures, such as data masking and encryption, into product and service offerings. Extra controls like firewalls and network security also need to be installed. As industry benchmarks, third-party certifications like ISO 27001 and SOC 2 must be obtained, and outdated, end-of-life technologies must be phased out. Penetration testing and additional certifications must become regular exercises. Infrastructure vulnerabilities will have to be patched promptly, supported by vulnerability testing, remediation processes, risk registers, access management and review, and segregation of responsibilities between infrastructure, development and testing teams.
Another risk factor affecting a firm's cybersecurity is its remote working environment. Employees are expected to work with reduced oversight and use their personal communication and computing resources. The reliance on home Wi-Fi networks and personal devices that lack necessary security controls leaves them exposed to cyber-attacks. Enforcing mandatory Virtual Private Network (VPN) usage can protect sensitive data when employees use unsecured or vulnerable Wi-Fi networks. Similarly, implementing Two-Factor Authentication (2FA) adds a layer of control over privileged access to information. Cybersecurity teams can conduct periodic security awareness training and regular security audits, and deploy Data Loss Prevention (DLP) tools to control the data that an employee can transfer. Creating an incident response plan tailored to remote work scenarios is also necessary.
Cybersecurity compliance frameworks also lay down obligations for businesses, adding to their compliance burden. In India, for instance, the Companies (Management and Administration) Rules, 2014 require companies to ensure that electronic records and systems are secure from unauthorised access and tampering. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) require companies to institute managerial, technical, operational and physical security control measures. The rules also refer to the ISO/IEC 27001 international standard. The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 require companies to implement reasonable security practices and procedures to secure their computer resources and information, and to report cybersecurity incidents to CERT-In (the Indian Computer Emergency Response Team).
While cybersecurity, in itself, is an area that requires significant resources to ensure compliance, a business organisation also needs to deal with numerous other regulations. The business regulatory ecosystem is made up of over 1,500 acts and rules and more than 69,000 compliances. As such, each enterprise needs to identify the regulatory requirements applicable to its business. The complexity of the compliance framework is such that businesses often lag behind their compliance timelines. Take, for instance, a single-entity MSME with a single-state operation involved in manufacturing automotive components. Even such an operation requires the employer to keep up with 624 unique compliances. These requirements can reach close to 1,000 for a pharmaceutical enterprise. Persisting with manual compliance methods while technology has taken over every other business operation has become the root cause of delays, lapses, and defaults.
While businesses are investing in the best possible technological solutions for cybersecurity issues, they are overlooking the impact of technology on their compliance functions. Technology-based solutions, such as Regulatory Technology (RegTech) platforms, give business owners better visibility and control over compliance functions. Features including customised checklists, real-time regulatory updates, automated alerts and reminders, and periodic analytics can allow enterprises to manage their compliance workflows better. The push for digitalisation has been widely accepted thanks to DPI and the JAM (Jan Dhan, Aadhaar, Mobile) Trinity. Consequently, regulatory compliance has become the next destination for this digital revolution. The march towards the goal of a $10 trillion economy requires robust digital solutions that can enable ease of doing business. Allowing for the free flow of information between private enterprises and the regulatory authorities will enable businesses to innovate and the regulators to keep up with dynamic market conditions.
Author: Rishi Agrawal, CEO & Co-Founder, TeamLease RegTech