With personal information, passport, and credit card data being compromised, the cyberattacks have come as a rude awakening for businesses in the country.
Indian enterprises are not in a unique position compared to enterprises across the world, but the country needs to focus on regulatory frameworks, and statutory bodies need to build privacy laws that protect identity and data, experts tell DH.
Raja Ukil, SVP, Enterprise Business of cybersecurity solutions firm ColorTokens says, “We lack a reporting mechanism of breaches and cyberattacks which must be mandated as a part of the Company Law. This will drive accountability which organisations have towards their customers, employees, and shareholders.”
Recently, RBI penalised a couple of Indian banks for not complying with specific provisions of directions on a cybersecurity framework for banks, Ukil mentions, saying these frameworks must be widely communicated and used across industries.
According to Pankit Desai, Co-founder and CEO, cybersecurity startup Sequretek, India continues to have a fairly lax approach towards an overall understanding of the cybersecurity landscape. Specifically, in the non-regulated industries, there is no pressure for these companies to adhere to any guidelines.
“There is no financial penalty for companies that suffer a breach. In fact, their businesses will continue to run. Incidentally, none of the companies come out and mention their data breach; the fact is that they don’t know or don’t care. Other than an apology, there needs to be accountability and heavy penalty; however, such policies are difficult to implement in India.”
Companies all around the world continue to have cyberattacks and India is no different from that perspective. However, he adds, globally we have seen governments and even companies getting proactive in data privacy and security.
“Even the biggest of global tech firms have been penalised. But in India, as there is no accountability attached to companies in the event of a cyberattack, they continue to operate in their la la land without understanding the impact of repeated cyberattacks on their brand reputation, business operations, and trust with the customers,” he explains.
While companies that fail to protect the personal data of users can be held accountable under Section 43A of the IT Rules 2011, there has not been any instance in India so far where a company was held accountable.
Investment in cybersecurity
The investment in cybersecurity depends on the size of the enterprise and the percentage of cybersecurity spends allocated within their IT budgets. Industries like BFSI, ITeS and pharma tend to invest more in cybersecurity.
Global research and advisory firm Gartner has predicted a 9.5% increase in cybersecurity spends in India in 2021. Experts suggest companies last year re-prioritised their IT budgets to enable remote working and to account for the impact of the economic downturn. In the financial segment, because there is a regulatory framework in place, a reasonable amount of investment takes place for security. Typically, it is 4-6% of the IT budget. In a non-regulatory industry, that number is a pittance. This year, it is estimated to go up to the tune of 10% on average.
Anurag Sinha, Co-Founder & Managing Director, Wissen Technology, says that for Indian entities, it is now high time they focussed on cybersecurity if they are not already doing it. “If we look around the western world, most multinationals have already started spending a significant amount of budget on security and many appoint dedicated Chief Security Officers (CSOs) with sizable teams focusing on cybersecurity.”
As per the Data Security Council of India (DSCI), a NASSCOM affiliate non-profit organisation, the cybersecurity market in India is expected to grow from $1.97 billion in 2019 to $3.05 billion by 2022, at a compound annual growth rate (CAGR) of 15.6%.