Challenges in Cyber Security

Challenges in Cyber Security

Cybersecurity in its early avatar was more about protecting people and organizations from traditional threats such as malware, social engineering attacks, website defacing, hacktivism, etc. In the early days the hackers were also not evolved but with changing technology and emergence of cybercriminal network in the last few years cybercrime has witnessed increased sophistication and intensity in cyber-attacks. The new cyber-attacks are oriented towards financial crime, industrial espionage and have even targeted governments and critical infrastructure from time to time.

The cybersecurity landscape has changed over time and we are living in a complex environment where cybercriminals are more evolved than the cybersecurity professionals. In order to remain relevant in the era of Industry 4.0, traditional business and the government departments are increasing their digital footprints, adapting technology and engagement. In such a scenario, the cybersecurity landscape is also undergoing a paradigm change. Cybersecurity should lie at the heart of any digital transformation initiative and should never be an afterthought but built-in by design.

Industry 4.0 can be the catalyst of changes in different fields like governance, management and administration of smart cities and other applications which are driving the vision of Digital India. But at the same time, it also presents a very lucrative opportunity to the cyber criminals who find many more easy and insecure entry points into networks and devices. Cyber-attacks on critical infrastructure and strategic industrial sectors have become more frequent and sophisticated

In the international water navy encounters enemy warships, large merchant vessels, small merchant ships, fishing boats and guised surveillance ship from all directions. For navy, there are no defined border, everything around the navy warship belongs to enemy. Though there are Sea-Lanes-of-Communication (SLOC), but two ports are on connectionless service and no ship is bound to follow SLOC. The cyberspace is no exception, any asset that is not part of your safe and owned cyberspace is a possible threat to your cyber ecosystem. It is therefore necessary to identify the cyber assets positively in any cyber-conflict. It is important to understand that as a nation, we are facing complex geopolitical issues and state-sponsored attacks targeting our businesses and government on an enormous scale. Cybercrime has become more intense, sophisticated and potentially debilitating for any business and government department.

Industry 4.0 has pushed cybersecurity to the next level of sophistication. Moreover, cyberspace has no physical boundaries, thus ubiquitous nature of cyberspace, pervasive cyber network and internet connectivity makes the data of organizations, key government documents, critical banking and financial transactions, digital assets of armed force, etc. vulnerable to cyber-attacks from anywhere. There are several kinds of cybersecurity challenges like hacking, identity theft, phishing and spear phishing, scamming, computer viruses, ransomware, botnets, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, mMan-in-the-middle (MitM) attack, drive-by attack, password attack, SQL injection, cross-site scripting (XSS), eavesdropping attack, etc. faced by government, business and individual every day.

It is widely believed that the large organizations are the easy victim of cyberattacks, but it is observed that small companies are more prone to cyber-attacks as they are often ignorant about the possible threats. In the case of the small organizations even if they are aware of the data breach, most of the times they are technically or financially not equipped to fight the battle of cyber security. It is also observed that most of the small companies are serious about data security, but they don’t have the budget for proper cyber security infrastructure.

“Ransomware, data breaches, phishing and security exploits are the top threats to cyber security. The future lies in cloud services in order to ensure better security and performance. Smaller businesses, including state and local municipalities, mom and pop shops, and others, will be targeted due to their lack of security solutions and limited budget. SMBs should look for solutions that are paired towards their small budgets and limited staffing resources to ensure compliance, network security, and peace of mind.”  Dirk Morris, Founder & Chief Product Officer, Untangle

The cybercriminals attack public, private or hybrid cloud technologies to get hold of trade secrets, customer data or other confidential information which can put the company, government agencies, or individual in deep trouble. In the absence of a structured cyber security framework it has become easy for any cybercriminal to walk into our system and walk out with the information. This vulnerability is a function of technology, policies, and education. The cybersecurity vulnerability, in India, is sumtotal of many elements including,

One, In India most of the critical government IT infrastructure is owned by private sector players. There is no national security architecture that unifies the efforts of all these agencies to be able to assess the nature of any threat and tackle them effectively. Furthermore, in the absence of National regulatory policy for cybersecurity there is a lack of awareness at both company level as well as individual level.

Two, companies often face big cyber security issues due to lack of capable people managing the cyber security solutions. This vulnerability increases when organizations engage with vendors that don’t follow cyber security protocols and don’t value the importance of data. In the absence of the cyber security protocols it is very difficult to protect netizens from the cyber-attacks. Moreover, in the absence of any legal framework, cyber espionage has become a norm in the connected world.

Three, data produced by the ever-growing number of online transactions be it customer information, results of product surveys, or generic market information create treasured intellectual property that is an attractive proposition for any cybercriminal. Data is critical for business and any breach brings in tremendous loss to business. There is a need of strong data protection policies and effective implementation of the same.

Four, businesses should have a complete inventory of all the IT assets present in their network. It is observed that one who fails to have an IT asset audit at regular interval get into deep trouble. In absence of the IT audit the organizations will fail to identify the gap in their system, and potential threats.

Five, it is also observed that the people inside a business are the biggest security loopholes. In 2016 Cyber Security Intelligence Index, IBM found that 60% attacks in an organization are carried out by the insiders. As the threats come from trusted users and systems, they are very difficult to detect. It is important to have well-developed cybersecurity training centers that are designed to answer the requirements of government, business, and individuals.

 The future of cybersecurity will be led by a workforce that intentionally studied cybersecurity, rather than fell into it as a default. We are just now beginning to see this generation of truly cybersecurity-trained students enter the workforce, and as they continue to do so, we will begin to solve some of the systemic problems that have been caused by the lack of a skilled workforce. – Mike Stamas, Co-founder of GreyCastle Security

Cybersecurity race is on to secure systems, devices, network from cyber criminals. The government, business, and individuals can do their part by strategically working with cybersecurity experts and investing in solutions and infrastructures that protect their key digital asset, data, etc. This task is not easy, as the cybersecurity challenges are evolving every moment and that is keeping the cyber security experts constantly on their toes. The amount of financial and reputational damage a data breach can cause is huge and can affect small as well as large companies. It is a known fact that the challenge of cybersecurity is bound to increase over the near future and it is important for us to be prepared for any eventuality. In our mind the question that remains unanswered and needs an answer – Is India Cyber Security Ready?

Cybersecurity needs an immediate attention not only because as a nation we need to have a strong cyber security roadmap but also as it offers us a huge business opportunity. According to a NASSCOM, Data Security Council of India & PwC Report, India’s cybersecurity market for products and services will grow up to $35 billion in 10 years from the present $4.5 billion. Cybersecurity offers an opportunity to established IT players to increase its market presence and creates an environment for start-ups to make maximum out of it and establish themselves in the market.

The immediate opportunity for the cybersecurity experts and players includes – data protection framework for Aadhar and similar other initiatives, data protection framework for all e-commerce players, digital banks, ML/AI-enabled solutions, IoT-enabled solutions to achieve automation and efficiency, cloud-based security model, blockchain based security model, etc. The cybersecurity experts and players who will focus on these areas of development will not only build a global business for themselves but will also help the Indian cyber security ecosystem to grow and mature. This journey must be managed by professionals and supported by the government.

Small organizations are finally realizing that they need to be as prepared as large organizations when it comes to cybersecurity, making it no longer an IT problem but a larger business challenge within every organization. Additionally, we will see small businesses’ approach to cybersecurity impacting larger organizations through the supply chain vector. Hackers will take advantage of smaller organizations, which often fuel larger business’ supply chains, because they typically have security vulnerabilities that can be more readily exploited than larger ‘targeted’ companies – Brian NeSmith, CEO and co-founder, Arctic Wolf Networks

The need of cyber security is eminent for both small and big organizations. It is important to understand that most of these small organizations are a part of the large organizations value chain. Any vulnerability at the small organization level may end up reflecting in the large organization’s security. Hence, the progressive organizations are not only answering their cybersecurity needs, but also reworking on their cybersecurity framework and architecture to support the business more effectively and efficiently. The organization that have shown commitment toward cybersecurity are progressively using artificial intelligence, robotic process automation, machine learning, and analytics to increase the security of their key assets and data. These organizations are aware of the fact that the cybercriminals are becoming more intelligent, networked and agile in their operations. They understand that their price of failure is high.

Also Published at

Bring robust cybersecurity policy

Bring robust cybersecurity policy

It’s also time to establish cyber defence organisations that lead the country into a secure and resilient digital future

People are increasingly shopping, banking and entertaining online, which requires them to share their personal information – phone numbers, addresses, credit card details, and so forth. This makes both people and businesses vulnerable to cyberattacks. In times to come, managing privacy and securing data will be the new normal while paying electricity bills, taxes, etc.

Given this, it’s time for the government to build a holistic cybersecurity policy and establish cyber defence organisations to ensure and lead the country to a safe, secure, and resilient digital future. Here’s what the government should focus upon to place India in the highest echelons of cyber leaderships, globally:

Focus Areas
• The first step towards building a holistic cybersecurity strategy is to amend the IT Act, 2000, commonly known as the Cyber Law, as some of its provisions have become redundant and cannot address the issues arising from the evolving threats.

• The government, to protect critical information like personal data, business information and financial information must look to enact data protection laws on the lines of European Union’s General Data Protection Regulation.

• Cyber threats have put governments, citizens and businesses at risk. Our cybersecurity must be robust to intercept and block any such cyberattack attempts. The government must make the Cyber Defence Agency, which is entrusted with the responsibility of securing the cyberspace, functional.

• Computer Emergency Response Team (CERT) handles cybersecurity incidents and provides guidelines based on research to improve cybersecurity systems. CERT also conducts public awareness campaigns. The Central government must replicate CERT at the State-level to ensure speedier incident response.

• The country needs an elite cyber commando force that can neutralise any cyber enemy. Therefore, the government must look to establish a National Defence Academy that provides rigorous training to cyber cadets.

• Cyber cells in the police forces are limited in terms of capabilities. The government must lay emphasis on empowering these cyber cells by deploying specialised cyber police cadres in all State police departments.

• The government must consider investing in building a business ecosystem that can leverage artificial intelligence and robotics to improve operations and enhance productivity.

• It must ensure that the cyber defence infrastructure is built only on qualified and trusted telecom and security equipment. The government must establish testing labs in India that will certify the equipment after rigorous tests.

cybersecurity policy

Major Initiatives
Understanding the need of emerging cybersecurity, the government of India has worked on the National Policy on Electronics (NPE), 2019. This is just one of the first steps that government, organisations and regulatory bodies have taken in recent times to strengthen the ecosystem. To optimise the cybersecurity business opportunities and build a strong cyber-safe nation, we have witnessed multiple initiatives by the government, including data protection regulations like the General Data Protection Regulation, California Consumer Privacy Act, etc, which was the demand of the business for long.

The government has reserved 10% of the IT budget for cybersecurity, and various State governments — Andhra Pradesh, Telangana and Haryana — have also announced a policy of reserving budget for cybersecurity. It has announced the development of Cyber Security Framework for Smart Cities under the guidance of National Cyber Security Coordinator in association with the industry. There’s also a sharp focus on cybersecurity by regulators. Some of the key initiatives by regulatory bodies include cyber security framework in banks by the RBI, guidelines for information and cybersecurity for insurers by IRDAI, cybersecurity & cyber resilience framework for registrars to issue/share transfer agent by Sebi.

Cybersecurity for business, government and individual is a must but one that concerns all is the cybersecurity of defence. It is a known fact that legacy systems simply do not have the capabilities to keep up with the evolving security threats and relying solely on human oversight will not serve the purpose. The need of the hour is capable automated systems that can monitor, detect, manage and prevent cyber-attacks in real-time. Understanding the growing concern, the MHA has developed National Information Security Policy & Guidelines (NISPG), which sets up requirements for the protection of information generated in government departments and bodies.

Lucrative market
A report by Nasscom, Data Security Council of India & PwC also suggests that the Indian cybersecurity market is forecast to grow at a CAGR of over 19% during 2018-23. Growth in the market is expected to be driven by multiple forces, including rising number of government initiatives towards digitising; increasing awareness of business and individuals towards cybersecurity; rapid adaptation of security initiatives in healthcare, BFSI, education and other vital sectors; rapid adoption of social, mobile, analytics, cloud and IoT technologies by business, government, and individuals.

The projection of the exponential growth is based on basic facts that the Indian market comes with certain competitive advantages, which makes it a preferred destination for global Security Operations Centres (SoCs); mature security practice of Indian IT services companies; security services operations by MNCs; preferred destination for security R&D; existing GIC (Global In-house Centre) security operation centres; competitive IT product ecosystem, existing network of 100-plus security companies, availability of skillsets – over 1,50,000 experienced security professionals; and trust factor that IT industry brings to the global IT players.

As of now, India’s cybersecurity landscape is passing through a transformational phase and it is too early to say that the joint efforts of the government, regulators and industry are showing results, but the Indian cybersecurity industry is doing good and projected to do better.

Also Published at


Brace for a battle of alliances

Nitish Kumar is eyeing a fourth term amidst waning popularity, growing anti-incumbency and rise of Tejashwi-led coalition

The tenure of the Bihar Assembly ends on November 29 and in an ordinary situation, a new Assembly should be elected before that date. Going by the character of the State, had it not been corona times, Bihar would have been witnessing huge election rallies, mass political movements, political realignment, cross-party movements, political allegations, counterclaims, etc.

Not that the political drama has not started already, but it is not at the scale Bihar generally witnesses. The game of jumping parties too has started. This season, the game started when five Rashtriya Janata Dal (RJD) MLCs joined the Janata Dal (United) or JD(U). In response to it, the RJD snatched JD(U) leader and former Industry Minister Shyam Rajak. In the next level, the JD(U) responded by onboarding four RJD MLAs. As of now, this game is in its initial level and will mature as elections get nearer.

Game of Jumping
This political equation will not only be played by jumping parties, we will also witness cases of jumping alliance. On the one hand, the Lok Janshakti Party (LJP) chief in the NDA is angry with Chief Minister Nitish Kumar and on the other, Jitan Ram Manjhi, upset with the RJD-led Grand Alliance, has switched over to the JD(U)-led ruling alliance.

If I am not wrong, the chief political strategist of the Bharatiya Janata Party (BJP) in the initial days will play a very silent game in Bihar and ignite the voters without playing any active game of onboarding candidates from other parties or forging a fresh alliance. He will change his strategy only when the Election Commission announces the election dates. I believe he will play all his moves when the game reaches the matured level.

The political equations will change with each level and the last final levels are likely to throw up a complex political equation.

Dynamics of Date
The sentiment of political parties tells that the opposition in Bihar wants the Assembly election deferred but Nitish Kumar wants it on time. If the election is deferred, Bihar would be voting under President’s rule, and that will be advantage opposition. The main opposition parties are not in favour of holding an election till the threat of coronavirus is neutralised.

The principal opposition parties — RJD, Indian National Congress (INC), and the CPI — have written to the Election Commission seeking a deferment. The opposition wants President’s rule in the State for some time before elections. Interestingly, even the LJP has called for deferring the Bihar polls. It is important to understand that the LJP has never accepted JD(U) as its natural partner and the JD(U) also treats the LJP as one of the extended partners of the NDA.
The most critical player of all, the BJP, has not shared its view on the question. The BJP maintains that it will go by what the Election Commission decides.

Political Equation
It is a known fact that Nitish Kumar has more control over the government while the BJP has more loyalist voters. This political combination — of a clean image of Sushasan Babu and the loyalist voter base of the BJP — is the most potent political equation in the political landscape of Bihar. The major partner of the alliance is the JD(U) and the BJP is playing the role of a strong secondary party. Yet, it’s the JD(U) that is the weak part of the strong equation and not the BJP.
The political situation in Bihar is more like Maharashtra rather than Punjab. This is yet another State where the BJP is stronger than the alliance partners but has still opted to play second fiddle. Bihar is also one of the States where the combined might of the opposition can make a difference to the electoral outcome.

It is important to ponder what role the BJP will play in Bihar. Will it follow the Punjab model, or will it experiment with the Maharashtra model. Irrespective of the political stand the BJP takes, it is going to play a key role. The future political play of the BJP in Bihar is a function of the local leader it can project in the State.

The BJP cannot take an independent stand as it does not have a leader, who is acceptable to all. It is known to all that till Nitish Kumar is at the helm of affairs, it will be difficult for the BJP to announce an alternative. A few months of President’s rule may give the BJP a window, and Nitish Kumar knows it.

Fading Charisma
Nitish Kumar is known for his clean image and non-corrupt governance. This has helped him gain the image of ‘Sushasan Babu’. He, in his first two terms as Chief Minister, restored governance and law and order in the State. He extensively worked on infrastructure, women empowerment and education for girls, and other must-to-have things for a progressive State. But he could not deliver the same in the third term. His is now widely seen as an ineffective government.

There is a popular belief that the magic of Sushasan Babu is waning. Nitish Kumar eyes a fourth term as Bihar’s Chief Minister with receding popularity, rising anti-incumbency, changing caste equations, depleting voters’ confidence, rising corruption, new criminal networks, rise of parallel economy, unemployment, reverse migration, and rise of Tejashwi Yadav-led coalition.

On top of these challenges, there is hardly any new reform that has been pushed or proposed by him to improve the current status of education, healthcare, infrastructure, investment, industrialisation, employment, etc. This creates a perfect scenario for Tejashwi Yadav to pitch this election against him.

The political equations are changing rapidly. The voters of Bihar have started to believe that Nitish Kumar managed the governance of State well but failed to bring in development. The charisma of Sushasan Babu is fading and it is being aggressively challenged by Tejashwi Yadav. In this scenario, if the NDA fails to stitch an intelligent alliance, the result may surprise all of us.

Also Published at

Cyber Security Ecosystem

Cyber Security Ecosystem

In the last two decades, technology has undergone a paradigm shift. The new age technology has played the role of an enabler in improving the way business is performed. We all know that technology in all shape and size has its own set of advantages and challenges. On the one hand it enables businesses like health care, transportation, communication, education, entertainment, banking, etc that improves our living standards, and life expectancies of the end user; but on the other hand, it comes along with inherent challenges of cybersecurity. A compromised cybersecurity can cause major damage to business. It can affect the bottom line as well as your business’ standing and consumer trust.

According to one estimate, cybercrime damages are projected to exceed a staggering $6 trillion by 2021. It’s obvious that business – banks, tech companies, hospitals, government agencies are investing in cybersecurity infrastructure; but are they investing in the right product, resources, and strategy? Is their cyber security framework designed to protect their business practices and the millions of customers that trust them with their data? Do they understand that the impact of a security breach can be broadly divided into three categories: one, cyber-attacks often result in substantial financial loss arising mostly from the theft of corporate or financial information, loss of business or contract; two, cyber-attacks can damage your business’ reputation and erode the trust customers have for you; and three, data protection and privacy laws require you to manage the security of all personal data you hold. Furthermore, many of the cyber security issues are a function of three key elements – one, rapid growth in Internet user – government, businesses, individuals and societies; two, new age applications and tools in use; three, how these new users are using these new set of tools and applications.

Cybersecurity breaches can devastate even the most resilient of businesses. It is extremely important to manage the risks accordingly. This task is not easy as cyber criminals have mastered the art of driving cyber-crimes such as frauds and thefts by manipulating technology-controlled devices to their advantage. These cyber criminals are not only using the best of the technologies, and cyber infrastructures but have also developed a well-oiled cybercrime network. This dark network of cyber criminals works together and offer services on contract. This new form of collaborative, and cloud-based cybercrime ecosystem is not easy to counter. It needs a holistic approach to solve the unseen, unexplored and yet to encounter the cyber security problem. It is important to understand that any piecemeal efforts to address cybersecurity issues including the Internet’s inherent flaws, identity and data veracity, vulnerabilities from the Internet of Things (IoT), and increasing digital fragmentation have failed in past and may fail again.

It is the need of the hour to create a cyber security ecosystem that includes the culture of cyber security, and most importantly awareness around cyber security. The cyber security breach is not always by design but most of the time it is caused by the basic human error. IBM suggests that 27% of data breaches are caused by human error. It only means that more than a quarter of cyber security breaches could have been easily prevented with better education. Though cyber security education is important and critical element to prevent cyber thefts, but a robust cyber security framework is the need of the hour as anyone can be a victim of the weak link in their cyber security framework.

We all know that one of the most powerful and influential political leaders of our times Hillary Clinton was a victim of email phishing attack during her 2015 presidential election. This cyber breach helped hackers’ access to about 60,000 emails from John Podesta, chairman of Hillary Clinton’s campaign, private Gmail account. The information leak from the John Podesta email created an environment of confusion and distrust. This email phishing attack can be attributed as one of the major reasons why Hillary Clinton lost the US Election to Donald Trump. This was not a failure of technology or system but a classic case of human error.

This growth in cyber-attack is largely attributed to poor awareness level of the end users, increased reliance on technology, compromised skillset of the cyber security workforce, underdeveloped cyber security architecture, compromised software hardware and telecom infrastructure. The sumtotal of all these adds to company’s vulnerability. Verizon conducted a year-long investigation into the leading causes of data breaches, publishing its findings in its 2018 Data Breach Investigations Report. As per the report following are the key source of cyber-attacks and their contribution: Physical actions (11%), Privilege misuse (12%), Social engineering (17%), Human error (17%), Malware (30%), and Criminal hacking (48%). The cause of data breach may not change over time but their contribution percentage may change.

The overall cyber security ecosystem and cybercrime ecosystem is evolving and both side of participants are working hard to win their respective games. Hackers will continue to be more sophisticated, using new methods and tools to gain access to private information. To defend against such cyberattacks, companies will need to use more effective security solutions with innovative approaches. For instance, companies will assess their cybersecurity as seen from the hacker’s point of view. The goal will be to not only increase cyber resilience internally within their specific company, but also across the company’s supply chain.

Also published at