How India can offer data protection to SMEs

We can learn from Singapore’s robust Data Protection Essentials framework

Ruchin Kumar | September 9, 2024


#business   #SME   #data   #cyber security   #Cyber attacks   #technology   #Singapore  
(Illustration: Ashish Asthana)
(Illustration: Ashish Asthana)

Cyberattacks have become a daily phenomenon around the globe, especially in India. In the first half of 2024 alone, India has witnessed 593 cyber incidents, comprising of 388 data breaches, 107 data leaks, and 39 ransomware attacks.

With an average of 3,201 cyberattacks per week in Q2 2024, a 46% increase from last year, India is now the second-most targeted country in the Asia-Pacific region, after Taiwan.

As threat actors continue to bypass organisations’ cybersecurity defence mechanisms with seeming ease, the message is clear: India must urgently strengthen its cybersecurity framework to stay ahead of the evolving cyber threats.

The current cybersecurity framework in India
After years of debate and consultation, India took a major step in August 2023 with the enactment of the Digital Personal Data Protection (DPDP) Act.

This legislation marks a crucial advancement in safeguarding Indian citizens’ personal data, defining it as *any* information that can identify an individual. The DPDP Act emphasises the need for explicit consent before collecting or processing such data, while granting individuals the rights to access, correct, and erase their personal data at any given point in time.

Along with the DPDP Act, industry-specific regulators such as Reserve Bank of India (RBI), Unique Identification Authority of India (UIDAI), Securities and Exchange Board of India (SEBI) and Insurance Regulatory and Development Authority of India (IRDAI), have their unique cybersecurity regulations for the regulated entities that fall under their ambit.

While these guidelines provide a robust cybersecurity framework for regulated entities, what about unregulated small and medium enterprises (SMEs) that constitute most of the Indian industry?  

Unique data protection challenges faced by Indian SMEs
India boasts a vibrant ecosystem of over 63 million micro, small, and medium enterprises (MSMEs), which play a crucial role in contributing approximately 30% to India’s GDP.

Given their significant economic impact, the increasing prevalence of cyberattacks on SMEs pose a serious risk. Many SMEs underestimate the importance of investing in robust cybersecurity, believing they can manage without it. This complacency often leaves them vulnerable to attacks that compromise sensitive data and erode consumer trust.

Budget constraints further complicate the situation, limiting the ability of Indian SMEs to invest in modern technologies, and an over-reliance on legacy systems significantly increases the risk of data breaches.

With no universal cybersecurity framework that addresses the specific data protection needs of SMEs, there is an urgent need for government intervention to introduce a comprehensive policy to protect these small businesses.

Lessons from Singapore’s Data Protection Essentials (DPE) programme
India could benefit from adopting Singapore’s Data Protection Essentials (DPE), which has effectively safeguarded the digital landscape of small businesses. The introduction of similar guidelines by the Indian government would empower Indian SMEs to  demonstrate a commitment to responsible data handling, which is increasingly crucial as consumers become more vigilant and wary about their personal information.

Understanding Singapore’s Data Protection Essentials (DPE) Programme
Spearheaded by the Infocomm Media Development Authority (IMDA) and Singapore’s Personal Data Protection Commission (PDPC), the DPE programme was launched specifically to ensure that SMEs in Singapore can effectively safeguard their sensitive data and recover from data breaches.

The DPE framework comprises several key components. It offers foundational security solutions, such as encryption and backup options, particularly useful for newly incorporated SMEs or those beginning to collect sensitive data.

The framework also includes a holistic one-stop professional service, with a curated panel of service providers who assist SMEs in implementing basic data protection and security practices, especially for those handling personal data more intensively.

Accountability is another critical aspect of the DPE, as SMEs are encouraged to designate a data protection officer and establish policies and procedures to ensure responsible data handling. The framework emphasises on critical data security practices, including access control, encryption, backup, and physical security, all aimed at protecting sensitive information.

A call for government action: DPE guidelines for Indian SMEs
It's crucial for the Indian government and regulatory bodies to introduce comprehensive Data Protection Essentials (DPE) guidelines tailored tothe unique needs and challenges faced by Indian SMEs.

These guidelines should focus on two critical aspects of data protection: threat mitigation and remedial measures for data recovery in case of a breach.

1. Threat Mitigation

The DPE guidelines should provide clear, practical steps for SMEs to prevent data breaches and mitigate their impact. Here's what these guidelines should include:

1. Data protection: Encourage SMEs to encrypt sensitive data, both at rest and in transit, to protect it from unauthorised access or interception. Additionally, encourage the use of key management platforms to efficiently secure and manage the encryption keys throughout their lifecycle.

2. Access controls: Educate SMEs to implement robust access controls to ensure that only authorised personnel can access sensitive information. This could include measures like multi-factor authentication and role-based access.

3. Incident response planning: Guide SMEs to develop detailed action plans to quickly identify, manage, and reduce the effects of security incidents.

4. Data Backups: Handhold SMEs to implement a robust data backup strategy to ensure that critical data can be quickly restored in the event of a breach or system failure.

2. Remedial Measures in case of a Breach

In the unfortunate event of a data breach, the DPE guidelines should provide a clear roadmap for SMEs to quickly recover from the incident.

The guidelines should include the following steps that every SME should adhere to:

1. Incident response activation: Immediately activate the incident response plan and assign a dedicated team to manage the data recovery operations.

2. Containment and eradication: Take immediate steps to contain the breach, identify the root cause, and eradicate any malware or unauthorised access.

3. Forensic investigation: Conduct a thorough forensic investigation to determine the extent of the breach, identify any compromised data, and gather evidence for potential legal action.

4. Regulatory compliance: Ensure compliance with the prevalent data protection regulations, such as promptly notifying the affected individuals and regulatory authorities.

By following these guidelines, SMEs can minimise the impact of a data breach, restore operations quickly, and protect their reputation and customer trust.

Summing Up

Adopting the DPE framework can significantly benefit SMEs in India. By implementing DPE guidelines, they can enhance their data security, making them less vulnerable to cyber threats.

Furthermore, integrating DPE guidelines will help SMEs build consumer trust by demonstrating a commitment to responsible data handling and comply with industry-specific data protection regulations.

Ultimately, by enforcing DPE guidelines as an integral part of its national policy, India can strengthen itsoverall cybersecurity postureand foster greater confidence among its discerning citizens.

Ruchin Kumar is VP – South Asia, Futurex

Comments

 

Other News

Cabinet approves Mobile Phone Manufacturing Scheme

The union cabinet chaired by PM Narendra Modi has approved the Mobile Phone Manufacturing Scheme (MPMS) with a budgetary outlay of Rs 62,500 crore. It aims to further scale up the production, deepen domestic value addition, strengthen supply chain resilience, enhance global competitiveness. It

Building infrastructure is only half the job

Recent stories of stolen railway wires, disappearing communication towers and missing public infrastructure are often treated as bizarre law-and-order failures of India. Yet they raise a more fundamental question. Why does the State often discover the disappearance of a public asset only after it has alrea

New Delhi’s Indo-Pacific strategy enters a new phase

India appears to be investing fresh dynamism in its Indo-Pacific strategy. At the time when the US, under president Donald Trump, has adopted a conciliatory approach towards China and has changed the name of America’s Indo-Pacific Command to just Pacific Command, India has quietly moved towards con

CAG flags major fiscal lapses in Maharashtra

Maharashtra`s fiscal management has come under sharp scrutiny after the Comptroller and Auditor General (CAG) of India, in its State Finances Audit Report for 2024-25, flagged significant budgetary inefficiencies, accounting irregularities, understatement of key fiscal indicators and widespread governanc

The health sector research we are not doing

Some neglect is loud. This kind is quiet. It sits in research never commissioned, data never collected, questions never asked. In South Asia, that quiet has let the region’s worst health problems stay understudied, underfunded, and out of sight of those who could act.  

Study flags accessibility and last-mile challenges on Mumbai Metro Aqua Line

Mumbai Metro Line 3 (Aqua Line), the city`s first fully underground metro corridor and one of its largest public transport investments, represents a major engineering achievement and has been widely welcomed by commuters. However, the overall commuter experience continues to be constrained by accessibili

Upcoming Conferences





Archives

Current Issue

Opinion

Facebook Twitter Google Plus Linkedin Subscribe Newsletter

Twitter