How India can offer data protection to SMEs

We can learn from Singapore’s robust Data Protection Essentials framework

Ruchin Kumar | September 9, 2024


(Illustration: Ashish Asthana)

Cyberattacks have become a daily phenomenon around the globe, especially in India. In the first half of 2024 alone, India witnessed 593 cyber incidents, comprising 388 data breaches, 107 data leaks, and 39 ransomware attacks.

With an average of 3,201 cyberattacks per week in Q2 2024, a 46% increase from last year, India is now the second-most targeted country in the Asia-Pacific region, after Taiwan.

As threat actors continue to bypass organisations’ cybersecurity defence mechanisms with seeming ease, the message is clear: India must urgently strengthen its cybersecurity framework to stay ahead of the evolving cyber threats.

The current cybersecurity framework in India
After years of debate and consultation, India took a major step in August 2023 with the enactment of the Digital Personal Data Protection (DPDP) Act.

This legislation marks a crucial advancement in safeguarding Indian citizens’ personal data, defining it as *any* information that can identify an individual. The DPDP Act emphasises the need for explicit consent before collecting or processing such data, while granting individuals the rights to access, correct, and erase their personal data at any given point in time.

Along with the DPDP Act, industry-specific regulators such as the Reserve Bank of India (RBI), the Unique Identification Authority of India (UIDAI), the Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI) have their own cybersecurity regulations for the regulated entities that fall under their ambit.

While these guidelines provide a robust cybersecurity framework for regulated entities, what about unregulated small and medium enterprises (SMEs) that constitute most of the Indian industry?  

Unique data protection challenges faced by Indian SMEs
India boasts a vibrant ecosystem of over 63 million micro, small, and medium enterprises (MSMEs), which play a crucial role in contributing approximately 30% to India’s GDP.

Given their significant economic impact, the increasing prevalence of cyberattacks on SMEs poses a serious risk. Many SMEs underestimate the importance of investing in robust cybersecurity, believing they can manage without it. This complacency often leaves them vulnerable to attacks that compromise sensitive data and erode consumer trust.

Budget constraints further complicate the situation, limiting the ability of Indian SMEs to invest in modern technologies, and an over-reliance on legacy systems significantly increases the risk of data breaches.

With no universal cybersecurity framework that addresses the specific data protection needs of SMEs, there is an urgent need for government intervention to introduce a comprehensive policy to protect these small businesses.

Lessons from Singapore’s Data Protection Essentials (DPE) programme
India could benefit from adopting Singapore’s Data Protection Essentials (DPE), which has effectively safeguarded the digital landscape of small businesses. The introduction of similar guidelines by the Indian government would empower Indian SMEs to demonstrate a commitment to responsible data handling, which is increasingly crucial as consumers become more vigilant and wary about their personal information.

Understanding Singapore’s Data Protection Essentials (DPE) Programme
Spearheaded by the Infocomm Media Development Authority (IMDA) and Singapore’s Personal Data Protection Commission (PDPC), the DPE programme was launched specifically to ensure that SMEs in Singapore can effectively safeguard their sensitive data and recover from data breaches.

The DPE framework comprises several key components. It offers foundational security solutions, such as encryption and backup options, particularly useful for newly incorporated SMEs or those beginning to collect sensitive data.

The framework also includes a holistic one-stop professional service, with a curated panel of service providers who assist SMEs in implementing basic data protection and security practices, especially for those handling personal data more intensively.

Accountability is another critical aspect of the DPE, as SMEs are encouraged to designate a data protection officer and establish policies and procedures to ensure responsible data handling. The framework emphasises critical data security practices, including access control, encryption, backup, and physical security, all aimed at protecting sensitive information.

A call for government action: DPE guidelines for Indian SMEs
It's crucial for the Indian government and regulatory bodies to introduce comprehensive Data Protection Essentials (DPE) guidelines tailored to the unique needs and challenges faced by Indian SMEs.

These guidelines should focus on two critical aspects of data protection: threat mitigation and remedial measures for data recovery in case of a breach.

1. Threat Mitigation

The DPE guidelines should provide clear, practical steps for SMEs to prevent data breaches and mitigate their impact. Here's what these guidelines should include:

1. Data protection: Encourage SMEs to encrypt sensitive data, both at rest and in transit, to protect it from unauthorised access or interception. Additionally, encourage the use of key management platforms to efficiently secure and manage the encryption keys throughout their lifecycle.

2. Access controls: Educate SMEs to implement robust access controls to ensure that only authorised personnel can access sensitive information. This could include measures like multi-factor authentication and role-based access.

3. Incident response planning: Guide SMEs to develop detailed action plans to quickly identify, manage, and reduce the effects of security incidents.

4. Data Backups: Handhold SMEs to implement a robust data backup strategy to ensure that critical data can be quickly restored in the event of a breach or system failure.

2. Remedial Measures in case of a Breach

In the unfortunate event of a data breach, the DPE guidelines should provide a clear roadmap for SMEs to quickly recover from the incident.

The guidelines should include the following steps that every SME should adhere to:

1. Incident response activation: Immediately activate the incident response plan and assign a dedicated team to manage the data recovery operations.

2. Containment and eradication: Take immediate steps to contain the breach, identify the root cause, and eradicate any malware or unauthorised access.

3. Forensic investigation: Conduct a thorough forensic investigation to determine the extent of the breach, identify any compromised data, and gather evidence for potential legal action.

4. Regulatory compliance: Ensure compliance with the prevalent data protection regulations, such as promptly notifying the affected individuals and regulatory authorities.

By following these guidelines, SMEs can minimise the impact of a data breach, restore operations quickly, and protect their reputation and customer trust.

Summing Up

Adopting the DPE framework can significantly benefit SMEs in India. By implementing DPE guidelines, they can enhance their data security, making them less vulnerable to cyber threats.

Furthermore, integrating DPE guidelines will help SMEs build consumer trust by demonstrating a commitment to responsible data handling and comply with industry-specific data protection regulations.

Ultimately, by enforcing DPE guidelines as an integral part of its national policy, India can strengthen its overall cybersecurity posture and foster greater confidence among its discerning citizens.

Ruchin Kumar is VP – South Asia, Futurex
