When you think of cyber attacks, what is the first image that springs to mind? Chances are, it’s a rogue engineer from a Western country writing complex code that can take down an entire government. But this representation of a hacker has been rendered completely irrelevant by the rise of digitisation.
Consider the small town of Jamtara, which lies 250 km North East of Kolkata, in the tribal region of Santhal Pargana. You’d never know from looking at it, but this sleepy town in Jharkhand has the dubious honour of being India’s cyber crime capital, to which more than half the attacks in the country can be traced back.
Jamtara is proof that while widespread connectivity can usher in a world of progress, it also increases the vulnerability of enterprises and individuals. Vulnerability that is only going to grow as the Internet of Things (IoT) enters the mainstream. In fact, according to a report by McKinsey, “In the past, a large corporate network might have had between 50,000 and 500,000 endpoints; with the IoT, the system expands to millions or tens of millions of endpoints.”
The same report posits that the IoT may comprise of as many as 30 billion devices by 2020, many of which are older models with inadequate or no security, with some not even being supported by their makers anymore.
Combine this knowledge with that of the damage caused by ransomware like WannaCry and NotPetya, and it’s no surprise that cyber security is now a crucial part of a business’ strategy. And though over 300,000 computers across the world were affected by WannaCry, India was one of the countries that felt its impact the most. It’s no surprise, then, that Symantec recently unveiled their largest global Security Operations Centre (SOC) in Chennai. Equipped with Threat Intelligence, along with their Managed Security and Incident Response Services, these SOCs analyse over 150 billion security logs each day to provide enterprise-wide protection to organisations around the world.
Some of India’s leading executives were present at the grand opening, where they shared their thoughts on the future of cyber security, emerging technologies and everything in between.
Swayan Chaudhuri, Managing Director & Chief Executive Officer, Imagine Panaji Smart City Development Ltd., on mitigating cyber threats in ever-connected smart cities:
Awareness is the key. Along with that, we also need to build good capacity. And while we can work with a lot of good companies, I think cities need to involve their own citizens in the process. We tend to forget that not everything has to be about technology; there’s a big human factor to it. We should not forget this human factor.
Rajesh Uppal, Chief Information Officer, Maruti Udyog Ltd., on making sure that employees prioritise cyber security and information privacy:
The only way to do this is to communicate, communicate and communicate. The cyber security rules need to be taught to every employee as part of the induction process, with refreshers at regular intervals. In case of an incident, top leadership should also talk to the team and explain what happened, how it could have been prevented or why it was unavoidable.
Sanjay Kotha, Joint President & Group Chief Information Officer, Adani Group, on the importance of imbibing security in a company’s culture:
To me, the most important thing is spreading the awareness that security is not only an IT job. Most security breaches today are attributed to the exploitation of user naivety. Ergo, if leaders in the system are able to drive a security-focused culture, our vulnerabilities will be covered to a large extent.
Vishal Salvi, Chief Information Security Officer & Senior Vice President, Infosys, on how emerging technologies are changing cyber security:
AI and machine learning are now being used to look at usage patterns, and flag up any anomalous activities, so they can be investigated. Anti-spam is a great example of this kind of supervised learning. On the flip side, if the software starts thinking, then it can be ‘poisoned’ to think in a negative way, to cause a disruption or to challenge the integrity of information
Sameer Ratolikar, Executive Vice President & Chief Information Security Officer, HDFC Bank, on the evolution of an information security executive’s role:
The role of a CISO until recently was more of a technologist and guardian of information, than a strategist. But with the new technological trends in an evolving legal, regulatory and threat landscape, where business resiliency has become a key and infosec risk has become a business risk, I think the role has become that of an Information and Resiliency Expert where information security, risk management, privacy and business continuity are important facets. At the same time, the role also requires sound leadership, business understanding and effective communication skills.
Ramachandra Hegde, Vice President, Global Information Security and IT Compliance, Genpact, on the tenets of cyber security:
The broad philosophy we follow at Genpact is building it on four pillars – people, process, technology and partnerships. This way, everybody understands what security is about, and serves as a human firewall. While technology is very important, it’s equally integral to make sure that it is deployed properly, utilised optimally, and that you have the right processes to run it. Doing security right is also knowing that you can’t get infinite resources, but if you have the right relationship with partners, you can tap into them to scale up and get additional specialised skills from them, as needed.
Puneet Kaur Kohli, Chief Technology Officer, Manappuram Finance Ltd., on the ideal way to approach cyber security:
There needs to be an awareness that the data or the companies that you represent are assets that belong to you. You cannot share them with outsiders. So, that kind of awareness and context setting have to be in place. If that is absent, nothing can build up your information security. Moreover, securing an organisation should not be a top-down approach, but one that is bottom-up, which means that everyone from the branch officers up to the director of the company should be held accountable for it.
Anubhav Rajput, Vice President & Head Information Technology, Max Bupa Health Insurance Co. Ltd., on using AI & machine learning to secure the perimeter:
They are the biggest boons that identity management could have asked for. Today, AI & machine learning can be leveraged to create comprehensive profiles of each employee, which can be used to identify threats if a server starts sending suspicious amounts of data to an unknown URL. Furthermore, the machine will learn from this data and be able to identify malpractices in the future.
Samir Kapuria, Executive Vice President & General Manager, Cyber Security Services, Symantec, on the methods and motives behind cyber attacks:
The objectives are evolving. The creativity, monetisation, and power that can be wielded by the attackers has changed. In the economic landscape, we understand B2B is business to business and B2C – business to customer, and together there is a fusion to the business model flow with B2B2C – business to business to customer. As such, I think we’re seeing attackers develop their own business model flow with the rise of what I am calling A2B2C or ABC – attackers to businesses to consumers. This has emerged because it’s a lot harder for an attacker to get one victim at a time, but if he/she is able to attack an organisation and use them as a conduit, they get access to all their customers. This is a fascinating space to be in because cyber security is the only battle where you’re armed with a shield.
Gaurav Agarwal, Managing Director, India & SAARC, Symantec, on cyber maturity in the C-suite:
More and more executives are acknowledging the need for protecting their organisations’ data, email and web assets. The landscape has drastically improved over the last seven to eight years, and an increasing number of organisations want to step up their cyber security. It is now up to us to articulate to businesses the right measures for the industries that they operate in.