04:17 GMT +319 June 2019
Listen Live
    A hooded man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017

    Data Localisation No Panacea for Cyberattacks, Claims Data Forensic Expert

    © REUTERS / Kacper Pempel/Illustration
    Opinion
    Get short URL
    0 10

    One of India’s top data forensic experts, Sanjay Kaushik, is of the opinion that India should focus on the robust enforcement of data protection law rather than imposing data localisation because in doing so, other countries may impose reciprocal data localisation policies on Indian companies, leading to legal conflicts and trade disputes.

    New Delhi (Sputnik): News reports of a recent data breach of American Express (Amex) credit card customer information, which was discovered by Hacken.io director of cyber risk research Bob Diachenko, unleashed panic in India. The database remained accessible to anyone on the internet for five days in October via an unsecured MongoDB server before Diachenko stumbled upon it. Sputnik spoke to Sanjay Kaushik, managing director of data security and cyber forensics at Netrika consulting firm, who is of the opinion that the case highlights how organisations can leave critical corporate and user data exposed, and serves as a reminder to implement robust security measures.

    Sputnik:  What does the leakage of data of 70,0000 Amex India customers mean in terms of data security? 

    Sanjay Kaushik: This kind of security breach signifies that basic security practices were not followed by IT system administrators and security policies were not adequately enforced, which gave the attacker easy access to critical resources. In this case, it is evident that the motive of the attacker was not to cause direct financial loss, but the fact is someone was successful in getting his hands on a large volume of data at one go, which could be a good resource to execute a spam campaign or targeted attack by anyone with an ulterior motive. 

    Sputnik:  What are the potential damages that this data breach might have caused? What options do customers have when they share personal data with entities, trusting that it will be kept safe?

    Sanjay Kaushik: Such data exposure may or may not have a direct financial impact but it can affect one's brand identity and customer confidence, which is key for any organisation to maintain its competitive edge. There is an immediate need for enactment/regulation of encryption of data, otherwise such breaches will continue to happen.

    READ MORE: 'Digital India' in Dire Need of Safety Policy Reboot — Cybersecurity Experts

    Data Security is a big problem in India and the way we see it, it is only going to grow. In 2016, around 3.2 million debit cards were compromised: from State Bank of India, HDFC Bank, ICICI Bank, YES Bank, and Axis Bank. Recently, cyber-criminals hacked the systems of Pune-based Cooperative Bank Ltd. and siphoned off a whopping Rs 944.2 million. The criminals stole the money and transferred it to foreign and domestic bank accounts across 28 countries over the weekend.

    Recently, we released a report on cyber-security which revealed that 53% of Indian businesses don't know whom to contact in case they experience a data breach/cyber-attack. About 62% of organisations (withstood) an IT breach in the form of a virus attack, malware, phishing, or ransomware while only 32% said they did not suffer any breach in the past 12 months.

    Sputnik:  What are the security measures that companies should implement to protect against such data breaches?

    Sanjay Kaushik: There are several steps one can take in a situation like this. One option is to enable access control and enforce authentication and configure/enforce role-based access control. Second is to encrypt and protect data. Third is to limit network exposure and allow only trusted clients to access network interfaces and ports on which the database is available. Other measures could be to conduct a vulnerability assessment and configuration audits from time to time, monitor for any activity that deviates from authorised activity, and immediate real-time response to any abnormal or suspicious behaviour to minimise the risk of attack. Last but not the least, is to employ database forensics after an incident has taken place to determine the scope of the breach and to identify appropriate changes to systems and processes.

    READ MORE: India’s 5G Rollout Not to Have Chinese Firms Participating Amid Spying Concerns

    Sputnik:  How do you see the future in terms of data security against the backdrop of such incidents?

    Sanjay Kaushik: It is clear from such incidents that a cyber-attack does not necessarily imply a sophisticated attack strategy adopted by criminals. Cyber-attacks can be carried out by simple techniques, by exploiting a common or known vulnerability left open/unpatched due to inadequate enforcement of basic hygiene in IT Security. Cyber-attacks are inevitable and companies have no option but to prepare themselves to respond to the attacks appropriately. It is high time we should realise that when it comes to cyber-security, complacency is our biggest enemy. Today there is hyper-awareness surrounding cyber security but still, we have been hearing breaches and their effects on our organisations and thereby the country's economy.

    We should be moving from passive approaches towards cyber security to more active approaches of threat hunting, knowing our enemy, or go one step ahead towards thinking like criminals if we've got to really match up with them.

    However, while doing so, basic hygiene towards security should not be compromised as we have seen the biggest of cyber-attacks were caused due to very small or basic technology errors or unintentionally; people giving away vital information due to inadequate awareness towards security.

    READ MORE: India Launches Formal Probe of Illegal Data Mining by Cambridge Analytica

    Sputnik: What should be the role of the Government? What are your thoughts on data localisation plans by the RBI and the Indian government? How far do you think this will be helpful?

    Sanjay Kaushik: Unless India has a data protection law and demonstrates robust enforcement of that law, it's difficult to see how storing user data in India would be useful.

    Rather than creating a new law, emphasis should be on implementing a legal framework for surveillance with appropriate protections for users' data. This enforcement to mandate the storage of data locally may really become taxing for companies who aspire to go beyond Indian boundaries for business expansion.

    This will cost them additional dollars to maintain the legal and technical regimes of multiple jurisdictions, which will impose an additional burden on several start-ups.

    The views and opinions expressed by the speaker do not necessarily reflect those of Sputnik.

    Related:

    US DOD Has Become Overconfident in Its Cybersecurity Protocols – Security Expert
    ‘An Investigation Into Google Has Started Already’ – Cybersecurity Specialist
    Low Priority of Cybersecurity Gives Hackers Access to US Weapons Systems – Audit
    China Announces New Cybersecurity Regulation Letting Police Copy ISP Info
    Tags:
    data protection, criminals, cyberattack, regulations, cybersecurity, American Express, India, United States
    Community standardsDiscussion
    Comment via FacebookComment via Sputnik