Now is the crucial time for both government and enterprises to understand how to deal with data privacy and not be vulnerable to future threats and attacks, says Sakshi Grover, Research Manager, IDC India
Describe the Data Privacy regulations in India. How will this standard provide a framework to establish, implement, maintain, and update data privacy management practices?
Data privacy regulations in India were modulated by India’s Information Technology Act, 2000 (also known as the IT Act) and consequently by the Personal Data Protection Bill (PDP Bill). In Q2 2022, it was cited that the government of India is now in the process of replacing the IT Act and the regulations under the PDP Bill, considering that they are outdated and do not play their part in the best interests of Indian enterprises and citizens’ data. This was exemplified in July 2022 when Razorpay had to comply and provide customer data in a police investigation against Alt News. Data privacy regulations in India have undergone tremendous alterations, especially with 2021’s data protection bill; however, these dynamic times call for dynamic measures, and India certainly is on its journey to revising the laws as much as possible, considering it is now one of the largest data-centric economies.
The 2021 data protection bill introduced data mirroring and data localisation, which raised more questions than answers for enterprises that had to work on revising their data and control flow within their legacy software architectures to comply with the regulations. Keeping everything in mind, India is working on generating the new National Data Governance Framework and Policy, and as per industry corporates and experts, it must cater to the elements listed below for comprehensive protection coverage:
1. Detailing regulations on localisation of critical as well as sensitive data. A mention of scenarios under which personal credentials and data can be accessed by government authorities, keeping the user’s right to data privacy intact. The regulations must identify which type of data can be shared with the authorities, especially in terms of Aadhaar, UAN, UID, financial transactions etc.
2. Must entail how the storage, collection and accessibility of databases and network access of data can be pursued by the Government of India.
3. Must put emphasis on the need for data to be localized and stored in India and not transferred to other countries. This also includes international enterprises conducting business in India, especially within the IT/ITeS sectors, where data transfers are an act of business-as-usual. It also must consider the cybersecurity risks which are empowered by data localization. International data flows on one hand are important to map the risks and keep the industry flow working, but at the same time pose a risk to the data leaving the borders.
4. Amendments on how to manage cybersecurity services, especially in the case of international third-party services. Enterprises dealing with cybersecurity services, especially threat intelligence, need to map updates on malicious activities and attacks happening in the world and sync them with their databases to provide effective solutions. This is where data sharing becomes vulnerable.
5. The regulations must address anonymisation rules, and ensure that they do not permit any de-anonymisation. Individual rights must be balanced with opt-in and opt-out regulatory measures, and the control of data must reside with an individual.
In a recent IDC study, Future Enterprise Resiliency and Spending Survey, Wave 12, January 2022, we asked our respondents, “Which political, social, and economic risks do you expect will have the greatest impact on your organization’s technology investment plans in the next two years?” and we noticed that 44% of respondents in India tagged ‘addressing new data sharing and compliance regimes’ as a risk, followed by 38% for ‘digital transformation execution gaps’ and 36% for ‘cybersecurity threats and regulations’.
India is now on the rise to become a digital-first economy with heavy investments in new emerging technologies like 5G and cloud-based services. It is now crucial for both government and enterprises to understand how to deal with data privacy and not be vulnerable to future threats and attacks.
Please explain in detail about data as an asset along with cyber concerns.
Data is the new currency. Managing risk in the information age is the new ask. On an everyday basis, enterprises are required to not only engage with their clientele but automate processes as well for seamless delivery of services. Most of the time, the crucial ask is to generate actionable insights as quickly as possible from the humongous source of data gathered and pre-existing. At the same time, we see cyber criminals pursuing multi-vector approaches to target enterprises. Cyber-attacks on all businesses are becoming more frequent, targeted, and complex, leading to an enormous rise in ransomware, which eventually not only leads to financial and customer loss, but also tarnishes a brand’s image. In IDC’s Future Enterprise Resiliency and Spending Survey, Wave 6, July 2021, we found that ransomware incidents were significantly higher in India (83%) when compared with incidents in Asia/Pacific (21%). This is the time when dealing with cybersecurity in a connected ecosystem becomes crucial.
To exemplify with one scenario, the IT/ITeS sector forms a major part of our economy. And it is in these sectors where data sharing happens every second in all enterprises, across time zones and borders. To be cyber-secured, enterprises partner with third-party cybersecurity experts who in return require that cyber threats, attacks, and malicious acts be mapped to their database globally, so that they can provide better insights. However, this is just one example where data sharing across borders makes us vulnerable. On one side, for the growth of a well-developed economy, investments in these sectors are beneficial, but on the other hand, we need stricter regulations to curb cyber incidents.
Explain the evolution of cyber security trends, solutions, and vertical adoption of security tools in India.
The security market in India, including hardware, software, and services, is projected to be at $2.51 billion for 2022, with the highest market share coming from services, followed by software and hardware respectively, according to the International Data Corporation (IDC) Worldwide Security Spending Guide, July 2022. The overall Indian security market is expected to reach $4.16 billion by 2026, growing at a CAGR of 13.8% for 2021-26.
At the onset, the cyber security trends are accelerated by digital transformations, the evolution of hybrid working styles and the death of the legacy perimeter. This is where huge investments and stringent cyber security measures and solutions are required. We also see adoption of the Internet of Things (IoT) and artificial intelligence on the rise. There is a proliferation of security tool sets and platformization, which makes us more vulnerable to an increasing amount of ransomware. Security controls such as multi-factor authentication and identity and access management are improving, including security vis-à-vis increased adoption of wearables, smartphones, and other devices. The sophistication of cyber miscreants is growing rapidly with multi-vector attack approaches, and at the same time we are dealing with a scarcity of qualified information security professionals to deal with the cyber scenarios. This is enhanced by the ever-changing and continued growth of compliance regulations.
Enterprises in India are investing heavily in cyber resilience solutions and services, including disaster recovery and backup solutions, endpoint security including endpoint detection and response solutions, anti-ransomware solutions, threat intelligence solutions and services, internet defense solutions geared towards mitigating DDoS attacks, managing web-application firewalls and bot management solutions, security orchestration, automation and response (SOAR) solutions, and security information and event management solutions, to name a few.
Data and network security are two key driving factors when dealing with massive digital assets, inventories, and transactional traffic flows. But investing in cyber resilience and threat intelligence solutions, along with incidental and log management products, will not only help organizations gain objective insights into their security architecture and data breaches when they occur, but also prepare them to effectively mitigate the situation with minimal downtime.
In IDC’s 2022 Digital Transformation CIS Survey, we asked industry verticals, “Which of the following security products and services has your organization already implemented and your organization plans to add over the next 12-24 months?”, and in BFSI alone we saw more than 77% of enterprises that had already invested in cyber resilience solutions, identity security and data security, vis-à-vis manufacturing, wherein the focus lies more towards data and network security solutions. Threat intelligence was a key area where BFSI, manufacturing, healthcare and professional services wanted to invest, followed by internet defense.
What are cyber resilience roles (positions), and how are they gaining importance in Indian enterprises? Please explain.
CERT-In’s cybersecurity directives in India have sparked a lot of conversations amongst enterprises, body corporates and government stakeholders. The rules issued by CERT-In not only mandate the reporting of cyber incidents in India, but also provoke businesses to revamp and rethink their entire IT and network security landscape, including the right roles to invest in to manage their cyber-businesses holistically.
In a recent IDC survey, Asia/Pacific trust and security survey 2022, conducted across B2B enterprises, we asked, “Which of the following roles or functions exist within your organizations?” and more than 50% of Indian enterprises said they have Head of Risk, Chief Compliance Officer, Head of Data Privacy, Chief Information and Security Officer, Head of IT Security, and Sustainability Hire already incorporated in their organization. Less than 50% of enterprises said that they have Chief Risk Officer, Cyber Risk Management, Head of Compliance, Compliance Committee, Chief Data/Privacy Officer, Data Privacy Committee and Head of Sustainability incorporated. It is time we start investing in roles that can take us forward in our cyber resilience journeys.
In IDC’s 2022 Digital Transformation CIS Survey, we asked industry verticals, “Which of the following factors significantly limit your organization’s ability to improve its IT security capabilities?” and across all industry verticals, the consensus response was that the security team spends so much time maintaining and managing security tools rather than performing security investigations, and that there is insufficient integration between security and IT infrastructure teams. During the pandemic, enterprises invested in a lot of pointed security solutions, and managing dashboards from multiple vendor solutions becomes tedious and does not provide a consolidated view. This is the time we require a specialized, skilled cyber security team that can help enterprises resolve the chaos and generate insights from the information collected.
How to retain ownership of the data and ensure that their database is not stolen?
Compliance regulations exceeded by the nation are aimed towards protecting a user’s data as much as possible; however, beyond that as well, there are additional measures one can pursue to proactively retain ownership of their data and ensure it is not susceptible to breaches.
At the onset, it is important to wisely invest in the right storage and management solutions. This includes but is not limited to data storage solutions that have built-in protection with data back-up and disaster recovery mechanisms in place. Enterprises are advised to look for a storage solution that provides replication, snapshots, encryption, data deduplication, data erasure and disaster recovery as the foundational elements. Beyond this, we see enterprises investing a lot in data discovery solutions so that sensitive and critical data can be analysed as per regulations. This is also empowered by data loss prevention or DLP solutions, which consist of measures to protect data from getting lost, and include tools that can help recover the data if it does. Over the top, investing in endpoint protection solutions to secure endpoints, multi-factor authentication or identity and access management solutions for authentication and authorization, and firewalls or WAFs can in the true essence be helpful in retaining the data ownership and enabling prevention.
Sakshi Grover
Research Manager, IDC India
By Aanchal Ghatak
aanchalg@cybermedia.co.in