The increasing cybersecurity threat to organisations due to the migration of workloads to the cloud has encouraged organisations to take the required steps in order to secure their infrastructure.
But what are the initiatives taken by the government to tackle such situations? Delivering the keynote at W.Media’s ‘South Asia Cybersecurity- The Weakest Link’, Narendra Nath Gangavarapu, Joint Secretary, National Security Council Secretariat said: “When it comes to running a business, there are various things that one needs to keep in consideration amongst which cybersecurity might not get the required attention would lead to a huge loss considering the importance of cybersecurity.”
He further added that due to the COVID-19 pandemic, large-scale digitisation has taken place and most organisations are bringing their business under the digital platform. There are various security issues that organisations face and most of them have reached a level of maturity in terms of physical security, screening of people before onboarding them.
Cybersecurity requires a lot of work to be done and many organisations are unaware of the way in which a system works and put in place a system that might not meet the security requirement of the organisation and might not have the required security design, functionality is one thing which they concentrate on.
“A lot of companies, when you see, are focused on getting the functionalities in place and getting to the market, security is something which comes later.
We have been having lots of incidents and they have been reported in the media and in most cases, their critical infrastructure was affected and with the current ransomware attacks, you can see that even the smaller organisations are getting affected and that is when they wake up. There has been a lot of wake-up calls that have been happening from the last few years and people are also becoming aware of it,” added Gangavarapu.
He further added that in the corporate sector there is awareness and at the board level many companies have come up with guidelines that cybersecurity should be taken up at the board level.
In many companies the CISO or the person who looks after the cybersecurity reports to the person at a board level, there are presentations and agendas where cybersecurity-related areas are discussed. This is a practice that is followed by most companies and it is important as cybersecurity is critical to an organisation.
There could be a disruption in the function if the cybersecurity is compromised, there could be a problem of theft of data. It is important for organisations to take this seriously as negligence could seriously hamper the business and the brand image.
“From our perspective, we work at the National Security Council Secretariat and then we take a national view of the whole thing. There are national aspects of cybersecurity, there are also aspects of security of enterprises and organisations within the country and there are also security-related issues that pertain to individuals.
Starting with individuals you will see that there are a lot of phishing attacks that are happening and also financial frauds. We keep hearing the news of people losing money. When we talk of digital India and Jan Dhan Yojna and people having bank accounts and starting to use smartphones without realising the consequences of lack of awareness regarding cybersecurity due to which a large number of people are being affected,” said Gangavarapu.
One of the aspects is how do you tackle this? “There is a cybercrime portal on which the ministry of home affairs of India has actively been working. They have launched a cybercrime portal where people can report cybercrime-related incidents and the portal has the ability to take the issue to the appropriate jurisdiction so that the cybercrime can be handled and this is a work in progress,” Gangavarapu pointed out.
He further explained that it is a good infrastructure that has been created and based on feedback it is being enhanced in terms of capacity and capabilities. Another aspect is focused on cybersecurity awareness. There is a program of the Ministry of Electronics and Technology of India called the ISEA Information Security Education and Awareness.
This is a program that has been running for a decade now, it started on the academic community and the government level. The focus was on creating cybersecurity programs at the graduate, undergraduate and doctoral levels. You will see that a lot of cybersecurity-related programs have started in the academic community.
The other aspect of the program is cybersecurity awareness in which we have the training of school students on cybersecurity best practices for normal citizens to practice. The third pillar of the program is the training of government officials in cybersecurity practices. These are the things under the ISEA program for cyber hygiene practices.
Making cybersecurity a part of the school curriculum is also important and cybersecurity has become a basic life skill and schools provide the basic life skill. The new education policy, the NCERT, and the CBSE have incorporated IT courses and cybersecurity into the school curriculum. So children at the school level themselves will get aware of cybersecurity.
Pandemic & Cybersecurity
“The pandemic has brought fresh challenges with the current situation of work from home and people migrating to a hybrid model of working. There are some challenges here as well as to how one can secure the infrastructure. Earlier in offices there used to be firewalls that could protect the infrastructure, but with people working from home, it is a challenge to protect the infrastructure.
The private sector has taken various initiatives in this area in order to secure the infrastructure even while working from home. Last year when the Data Security Council of India got together and the CISO’s of various companies used to meet on a weekly basis and discuss the issues that they were facing and how each of them was handling them and there was a lot of exchange of information and best practices that happened during that time and that helps the organisations to cope up with their respective situations.
Indian companies quickly understood the situation and coped up. The telecom companies’ played an important role in providing the infrastructure due to an increase in traffic and with minimum disruptions we found that the networks were augmented and fine-tuned to see that people could run their businesses and personal life,” said Gangavarapu.
He further pointed that when an organisation requires visibility in terms of the practices and the implementation of cybersecurity is the CISO, they found that the job of the CISO was a head-on job and in some organisations the person did not have the required skills, it was someone who was an expert in some other area but was told to handle the job of a CISO it is not possible for them to do that job or understand the criticality of the situation.
We started to explore what is the skillset and the experience that a person should have to become a CISO. We also spoke to the NCIPC which is the National Critical Information Protection Centre to see if something can be worked out especially for the critical information sector.
“There is a Rashtrya Raksha University in Gujarat, they have started a Bharat CISO program and I hope they collaborate with the industry and come up with a good syllabus.
NESSCO has come up with a skill set required for cybersecurity and they have started some training programs. For the critical information infrastructure we have talked to NCIPC and they have boarded QCI the Quality Council of India and there is a work they have started there which is defining the definition of the security architecture and different components of that.
The different types of tasks and the kind of skill sets required to handle the architecture. The idea is to have a framework based on the specifications so that we have cybersecurity professionals in the country who can be a part of organisations,” added Gangavarapu.
He also underlined that there are other initiatives like having a national malware repository, national cyber coordination centre. These are some of the initiatives taking place at the national level to protect the country from cyber threats. There are also a few challenges pertaining to IoT security and a framework is required there as well.