From Covid Data Theft to ‘Teaching India a Lesson’: Cyberattacks Targeting India Inc in 2020

The past year has been a testament to how cyberattacks can threaten India’s ambitions to transition to a virtual economy.

Many Indian startups, such as Dunzo, BigBasket, Haldirams, Edureka, RailYatri, and iimjobs, have faced cyberattacks this year.

India is being attacked by cybercriminals sponsored by China, Pakistan and North Korea, who seek to “teach India a lesson.”

In today’s data economy, “data is the new oil,” as the saying goes. But what if this “new-age oil” spilled abundantly and your security was threatened by nefarious actors capable of launching cyberattacks at will? The past year has been a testament to the dangers to India’s ambitions to transition to a data-driven virtual economy.

In 2020, several Indian businesses and startups, such as Google-backed hyperlocal delivery platform Dunzo, online grocery delivery store BigBasket, restaurant chain owner Haldirams, edtech platform Edureka, online marketplace RailYatri, and even Prime Minister Narendra Modi’s personal website, suffered data breaches, and data from some of those websites was leaked to the dark web, where it could be acquired.

Earlier this month, Inc42 reported that the personal data of 7 million Indian cardholders had been leaked on a public Google Drive link. The leaked database contained sensitive information, including cardholder names, phone numbers, email addresses, names of employing companies, annual earnings, account types, and whether they had enabled mobile alerts. The leaked database also included the PAN numbers of five Lakh cardholders.

Experts say this year’s wave of cyberattacks can be largely attributed to the shift to working from home (WFH), where every individual system was exposed to the internet as all work processes were enabled remotely.

According to Kumar Ritesh, founder and CEO of CYFIRMA, a risk detection and predictive cyber intelligence company, cyberattacks have increased this year because home networks don’t have the same level of security protection as corporate networks.

“Employees who work from home are also adequately trained to manage cyber threats and are highly vulnerable to phishing campaigns and other social engineering tactics,” Ritesh said.

The question is whether the numerous data breaches at Indian corporations this year can be attributed entirely to WFH and “untrained” employees. However, the sheer number of cyberattacks begs the question: Has India Inc been negligent in ensuring a strong cybersecurity posture?

As Ritesh points out, the level of cybersecurity maturity is low among Indian companies. An estimated 46% of Indian businesses run on legacy systems, which are outdated technologies that are no longer supported by their vendors and have cybersecurity vulnerabilities that hackers can exploit to gain access to corporate networks.

Moreover, according to data from the Ministry of Micro, Small and Medium Enterprises, 99.4% of Indian companies are classified as MSMEs and are unaware of cyber dangers and their potential to disrupt business.

But what about corporations with capital reserves, such as publicly traded Info Edge, which owns and operates the marriage portal jeevansaathi.com and the job portals iimjobs.com and hirist.com?

Last month, iimjobs.com user data was leaked on the dark web. Inc42 first learned of the data breach from cybersecurity researcher Rajshekhar Rajaharia and asked Info Edge for its reaction to the incident. The company just gave a slick response that said, “We’re hunting on it.”

While it’s understandable that the pressures of being a publicly traded company weigh heavily on Info Edge, it also suggests that those corporations don’t have the means to detect a breach and that malware may end up residing in their IT environment for an extended period. In addition, digital risks and exposure, such as exfiltrated data being sold on dark web marketplaces, as well as stolen brands and identities, would not have been avoided.

Last week, Rajaharia alerted iimjobs, updazz, and hirist to another data breach, where their APIs (application programming interfaces) were leaking users’ personal data in real time. In response, Tarun Matta, founder of iimjobs and hirist, wrote on Twitter: “We’re on this.”

According to Pankit Desai, co-founder and CEO of Sequretek, a Mumbai-based cybersecurity company, corporations operating in government-regulated industries have been forced to invest in cybersecurity. However, for those operating in unregulated industries, cybersecurity is an afterthought. Moreover, with a large number of tech startups born in the cloud processing their users’ financial and personal data as well as behavioral data, India is an attractive target for cybercriminals.

“Hackers who manage to break into the perimeters of those corporations can simply get a ransom (ransomware) to recover the systems, as well as gain access to a valuable body of knowledge that can lead to significant returns to the dark web,” Desai told Inc42.

In addition to ransomware, phishing and social engineering, as well as distributed denial-of-service (DDoS) attacks, have seen an increase in India this year.

A worrying trend observed by Desai this year is that Indian corporations in traditional sectors such as healthcare, pharmaceuticals, financial institutions, and manufacturing have also faced cyberattacks.

CYFIRMA’s Ritesh added that pharmaceutical and healthcare corporations are targets for cybercriminals, as part of commercial espionage aimed at stealing data from Covid-19 vaccine research. These attempts appear to have been made by state and non-state actors.

More troubling is the fact that some of those corporations fail to acknowledge the security breach after being notified by independent cybersecurity researchers. All of these companies thrive on data, and any security breach has far-reaching consequences.

At the same time, a recent report by CYFIRMA notes that geopolitical tensions between India and its neighbors, Pakistan and China, may well be behind the rise in cyberattacks.

“Based on our studies, we have found that state-sponsored hackers prefer government agencies and Indian companies. Our studies showed that the alleged risk-takers were sponsored primarily by China, Pakistan, and North Korea. The hackers’ goals were to smear India’s reputation, cause lost productivity, create operational damage, and seek monetary gain,” Ritesh said.

In conversations that CYFIRMA recorded in Chinese hacker communities, participants talked about “teaching India a lesson.”

Other members of the organization wrote, “This is a country that doesn’t pay attention to us.” Participants in one such team of Chinese hackers discussed in Mandarin the attacks on news and media companies, telecommunications companies, Indian government websites, including defense-related agencies, and Indian pharmaceutical companies.

According to IBM Security’s 2020 Cost of a Data Breach report, Indian companies saw an average total cost of a data breach of $2 million. In addition, the report shows that it takes an average of 313 days to identify and contain a data breach in India, while security automation is implemented in only 53% of all organizations in the country. In today’s environment, the industry where data leakage occurs is healthcare.

In October this year, India’s National Cybersecurity Coordinator, Lieutenant General (Dr.) Rajesh Pant, said that cybercrime in India caused a loss of INR 1.25 Lakh Cr in 2019, when the Indian Computer Emergency Response Team (CERT-In), the country’s central cybersecurity agency, reported 3.94 Lakh cyberattacks. In 2020, this number increased to about 7 Lakh until August alone.

According to Pant, cyber threats will continue to pile up as the country focuses on creating smart cities and deploying 5G network services.

As for the steps India Inc can take to adopt a stronger cybersecurity posture, experts told Inc42 that the government wants to take the initiative as it is better equipped to deal with cyberattacks.

CYFIRMA’s Ritesh said the Indian government wants to expand a coherent national cybersecurity policy. In addition, it should be mandatory for companies to report cyberattacks targeting their systems, in order to build a set of studies that can provide insight into the threats facing India and inform the government about the methods it can adopt for the country’s cyber hygiene.

Desai reiterated this suggestion, adding that as India seeks to pass a personal data protection law, it will be mandatory for companies to report such incidents, for the benefit of all stakeholders, including their users.

The lack of cybersecurity remains a constant concern around the world, and it is especially acute in India, given the huge toll cyberattacks are expected to impose on businesses.

“India faces a pressing need for cybersecurity skills and resources that can help it defend against cyberattacks. Higher education institutions include cybersecurity training, awareness, and education in their curriculum, which could alleviate the existing problem of skills shortages,” Ritesh told Inc42.

According to Desai, in the case of Indian startups operating in unregulated sectors, the venture capital and private equity firms that invest in them check the company’s cyber health as part of their due diligence.
