We may not talk about it much, but theft of data is not new to India. In fact, India was a central player and a huge beneficiary of one of the world’s earliest recorded instances of business espionage. In the mid-1800s, Robert Fortune, a British botanist, at the behest of the British East India company, disguised himself and infiltrated the heart of China to steal the secret of growing Camellia Sinensis. You may, of course, have heard about this plant by its more popular name, tea.
It was a time when opium and tea were among the most valuable commodities in the world, with India being the source of opium, while China had a near monopoly on tea. Fortune was paid £500 every year by the company for his troubles. Inflation adjusted, that works out to £47,000 in 2016 money. That may not sound like much, but at that point in time, dominion over trade of spices and ore was instrumental in the creation of empires. It is a fascinating story, and American writer sarah Rose’s For All the Tea in China is a page turner where the author recounts Fortune’s journey to China to steal the secrets of growing the tea plant.
Think about it. There is a little bit of data theft at the bottom of every glass of tea that India drinks.
A century and half later, we are living in a time when conversations on securing data have started in earnest in India, catalysed by the extensive media coverage of digital India, the ransomware attacks as well as questions around the integrity of Aadhaar database.
A connected populace is a great idea, but without a far larger emphasis on digital literacy and cybersecurity, the hundreds of millions of people will be like sitting ducks for any number of cyberattacks. The year 2017 was when cyberattacks finally became front page fodder for Indian news media. It is a little surprise that this coincided with the country becoming the second largest smartphone market. The lure of India for cybercriminals has never been as high, and with the government embarking on its massive digital transformation project, it will become even more of a low hanging fruit for malicious actors in the days to come. Businesses as well as individuals will have to double down to bring overall levels of preparedness.
Here are a few basic things that must be kept in mind to create a more secure workspace.
Build awareness
A secure workspace starts with an aware individual. Human error is generally regarded as the number one cause of breaches. Take passwords for example. In the battle between the inconvenience of remembering a complicated but safer password and the ease of recalling, far too many opt for the latter. This has been a source of headache for security professionals in many companies and has resulted in a rather shocking statistic. According to the 2017 Verizon Data Breach Investigation report, 63% “of confirmed data breaches involve using weak, default or stolen passwords”. Many employees also instal programmes into their work computers that can compromise security. One of the most incisive decisions that can be made by any business hoping to reduce the odds of being breached would be to ensure that employees are aware of exactly how to handle technology securely.
Invest in technology
The Federal Communications Commission of the United states says, “The latest security software, web browser and operating system are the best defences against viruses, malware and other online threats.” In a country like India, where the menace of pirated software is still high, particularly among small- and medium-sized companies, this assumes even more importance. Companies must make sure that they use original software and instal the latest version as and when they are updated to counter threats. This was a major reason for the spread of ransomware like WannaCry and Petya earlier this year. Along with these it is also crucial to run firewalls which keep an eye on traffic from the outside and other programmes which help maintain cybersecurity hygiene.
Define security perimeter
One of the basic tenets of cybersecurity is to have well-defined walls around different kinds of data which are put in different buckets, with access permitted only to those who must have access to that data. Not every employee needs to have access to every part of a company’s data and limiting access can go a long way in reducing risks. There is also a need to make it difficult for nefarious elements to access data even if they have breached the outer walls. This mandates thinking beyond passwords. Businesses should think about implementation of multi-factor authentication.
Back-up everything
Among the simplest of things you could do to protect yourself against malware like ransomware, which “kidnaps” your data, is to save a copy of everything. This way you are not at the mercy of nefarious elements. This could prove invaluable in the days to come as many security experts expect ransomware attacks to spike up in 2018.
Plan ahead
Time and effort that goes into defining and documenting cybersecurity policies is where all the best practices start. These policies must detail the security practices for the business and also encompass an incident response plan which details how to react in case things do go awry. Knowing how to react saves valuable time. Business continuity planning is another important facet. When natural disasters happen, there are many business continuity plans that are put in place. This needs to be a standard operating procedure for breaches as well.
The demand for security is only going to go up as technology seeps further into our lives. Internet of things (IoT) and its philosophy of connecting everything is going to increase complexities and challenges. In a few years, we will be taking for granted living in a world of connected cars and homes. This future would be underpinned by rivers of data flowing from every device we own, and often from devices we don’t.
How we take to protecting the integrity of this flow will determine if we can limit the dangers that lurk. The security of all of that data will continue to depend on a combination of human and technological factors. The human factor is dependent on adopting simple, commonsensical practices including not biting the bait offered by black hats in the form of malicious links or by making sure that their software runs updated versions. The technological factors would include establishing well-defined security protocols and ensuring periodic audits are undertaken.
Companies need to invest in advancements in technology along with adding to their teams. With the sheer volume of data at stake, detection of and reaction to breaches will be dictated by machines. Artificial intelligence is going to redefine the arsenal we have to play with. As mentioned earlier, AI is going to be used by malicious actors as well. But the widespread adoption of AI-led security will likely enhance the pace at which threats will be detected and countered.
In terms of creating businesses that cater to the demand around better solutions for cybersecurity, India has the opportunity to not just try and leapfrog existing ideas and technologies, but also to help define the way of the future. Questions may be asked about the real world skills of a vast majority of coders India churns out every year, but there is no doubt that there are plenty of coders who are absolute masters of their domain in the country. Indian entrepreneurs must move fast and capitalise on that advantage.
Excerpted with permission from Breach: Remarkable Stories of Espionage and Data Theft and the Fight to Keep Secrets Safe, Nirmal John, Penguin Random House India.