A series of recent reports reveals that the number of cyber attacks in India has risen in the last one year. As a result, Indian companies have started paying special attention to cyber security and taking required steps to safeguard themselves. However, according to Samir Kapuria, Senior Vice President and General Manager, Cyber Security Services and Peter Sparkes, Senior Director, Cyber Security Services, APJ at Symantec, this is not enough. In a conversation with Business Today, Kapuria and Sparkes talk about emerging threats to India because of its exploding smartphone user base. Edited excerpts:
BT: Companies in India are now rising up to the reality of cyber risks and raising budgets. Why this delayed reaction?
Sparkes: You go through a process; you first buy computer systems, you get started with your more critical business functions and then you get to a point where you suddenly realise that security is important. India has got to this point now. India is growing and it has got to a point where digitisation is a critical mission, and that is why security has also become a critical mission.
BT: What vulnerabilities do Indian companies possess when it comes to cyber security?
Sparkes: Talent, especially senior talent from CISOs (Chief Information Security officers), to strong technical skills and things like forensics and incident response is where I certainly see a gap. People understand the business and security and how security impacts a business, but we see a gap when it comes to protecting designs and architecting security solutions rather than just trying to spread it across areas.
BT: What kinds of breaches are happening most in the country?
Sparkes: There are multiple things. On the consumer side, a lot of people are getting their smartphones for the first time and a lot of scams are happening. This is quite interesting because India has let go of technology gap. It is going from very little computerisation to extreme penetration. People have not grown up through all those threats and don't have an understanding about trust. Therefore, when someone from the outside asks them to do something, they do it because they have this initial trust. In this scenario the digital protection of their identity becomes quite critical.
On the business side, we are seeing a lot of threats in India. If there is vulnerability in a system and the company doesn't patch it, it gets affected. We also see Indian companies getting targeted. That targeting is because they have become global giants and have global connections. That is where we are seeing targeted top threats happening in India.
BT: What sectors are being targeted mostly?
Sparkes: All of them are being targeted. But motive changes depending on the industry -- whether it is for money or fraud or information. For example, who would have thought that the building industry would be affected by this? But, if you attack the amount of payoffs that are going to sub-contractors, they are actually a great way to get money. You put a fake purchase order, it looks all legitimate and you get money. It is a simple scam to pull off.
Kapuria: It depends on what is the target of choice. The target of choice in business is going to be intellectual property or identity information. These are the two most common things out there. The sectors which have these assets are healthcare and financial services. When it comes to intellectual property (IP), India is such a hub of IP that the global enterprises partner with them. So, all the IPs from around the world, at some point or another, come to India. This makes India a rich place for an attacker to steal identities, personally identifiable information, and IP.
However, if we think about the relationships in question here, you have business-to-business relationships, but enterprises have a lot of money and they have a growing appreciation for the type of risks. And then you have the business-to-citizen relationship and I think there is a gap here.
BT: Is the gap there because of the large number of first-time internet users in India?
Kapuria: The technology that citizens and the average person are using has come into their lives rapidly. But an understanding and appreciation for the types of risks associated with them has not; fraud, identity theft, crypto mining, all these things are words and terms that the average person doesn't understand. The largest segment of risk is here in a country, which is emerging with such a high populace of tech-savvy, tech-hungry people. With that comes the potential risk of fraud or theft.
Around 5 million people who never had smartphones are going to get them. Internet is being brought to every villager in remote areas. With that comes the potential risk of fraud or theft, and that is where we need to focus.
The next level is to protect the economy. This is where business comes in and the following level is to protect the reputation. That is the way I think of this, but it starts with protecting the people.
BT: Is the Internet of Things (IoT) going to be a problem for India?
Kapuria: You have different types of IoT. You have industrial IoT; so hydraulic systems, renewable energy which is big in India, they are all controlled by new forms of IoT. You have got healthcare IoT. And then you have got the home IoT. There is a myriad of IoT but the one thing that is often missed when people look at IoT, is that they look at it purely from technology's point of view. If any IoT form gets adopted, the sheer volume of the population will make it a surface area that is worth attacking for a bad guy.
Look at cell phones. I remember when you had to make trunk calls in India and today everyone has it. It has leapfrogged the whole landline. The next smart device or smart IoT is going to do the same thing. Once it comes, it will be at a scale that no other country can experience.