Cyberattacks have become a daily phenomenon around the globe, especially in India. In the first half of 2024 alone, India witnessed 593 cyber incidents, comprising 388 data breaches, 107 data leaks, and 39 ransomware attacks.
With an average of 3,201 cyberattacks per week in Q2 2024, a 46% increase from last year, India is now the second-most targeted country in the Asia-Pacific region, after Taiwan.
As threat actors continue to bypass organisations’ cybersecurity defence mechanisms with seeming ease, the message is clear: India must urgently strengthen its cybersecurity framework to stay ahead of the evolving cyber threats.
The current cybersecurity framework in India
After years of debate and consultation, India took a major step in August 2023 with the enactment of the Digital Personal Data Protection (DPDP) Act.
This legislation marks a crucial advancement in safeguarding Indian citizens’ personal data, defining it as *any* information that can identify an individual. The DPDP Act emphasises the need for explicit consent before collecting or processing such data, while granting individuals the rights to access, correct, and erase their personal data at any given point in time.
Along with the DPDP Act, industry-specific regulators such as the Reserve Bank of India (RBI), the Unique Identification Authority of India (UIDAI), the Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI) have their unique cybersecurity regulations for the regulated entities that fall under their ambit.
While these guidelines provide a robust cybersecurity framework for regulated entities, what about unregulated small and medium enterprises (SMEs) that constitute most of the Indian industry?
Unique data protection challenges faced by Indian SMEs
India boasts a vibrant ecosystem of over 63 million micro, small, and medium enterprises (MSMEs), which play a crucial role in contributing approximately 30% to India’s GDP.
Given their significant economic impact, the increasing prevalence of cyberattacks on SMEs poses a serious risk. Many SMEs underestimate the importance of investing in robust cybersecurity, believing they can manage without it. This complacency often leaves them vulnerable to attacks that compromise sensitive data and erode consumer trust.
Budget constraints further complicate the situation, limiting the ability of Indian SMEs to invest in modern technologies, and an over-reliance on legacy systems significantly increases the risk of data breaches.
With no universal cybersecurity framework that addresses the specific data protection needs of SMEs, there is an urgent need for government intervention to introduce a comprehensive policy to protect these small businesses.
Lessons from Singapore’s Data Protection Essentials (DPE) programme
India could benefit from adopting Singapore’s Data Protection Essentials (DPE), which has effectively safeguarded the digital landscape of small businesses. The introduction of similar guidelines by the Indian government would empower Indian SMEs to demonstrate a commitment to responsible data handling, which is increasingly crucial as consumers become more vigilant and wary about their personal information.
Understanding Singapore’s Data Protection Essentials (DPE) Programme
Spearheaded by the Infocomm Media Development Authority (IMDA) and Singapore’s Personal Data Protection Commission (PDPC), the DPE programme was launched specifically to ensure that SMEs in Singapore can effectively safeguard their sensitive data and recover from data breaches.
The DPE framework comprises several key components. It offers foundational security solutions, such as encryption and backup options, particularly useful for newly incorporated SMEs or those beginning to collect sensitive data.
The framework also includes a holistic one-stop professional service, with a curated panel of service providers who assist SMEs in implementing basic data protection and security practices, especially for those handling personal data more intensively.
Accountability is another critical aspect of the DPE, as SMEs are encouraged to designate a data protection officer and establish policies and procedures to ensure responsible data handling. The framework emphasises critical data security practices, including access control, encryption, backup, and physical security, all aimed at protecting sensitive information.
A call for government action: DPE guidelines for Indian SMEs
It's crucial for the Indian government and regulatory bodies to introduce comprehensive Data Protection Essentials (DPE) guidelines tailored to the unique needs and challenges faced by Indian SMEs.
These guidelines should focus on two critical aspects of data protection: threat mitigation and remedial measures for data recovery in case of a breach.
1. Threat Mitigation
The DPE guidelines should provide clear, practical steps for SMEs to prevent data breaches and mitigate their impact. Here's what these guidelines should include:
1. Data protection: Encourage SMEs to encrypt sensitive data, both at rest and in transit, to protect it from unauthorised access or interception. Additionally, encourage the use of key management platforms to efficiently secure and manage the encryption keys throughout their lifecycle.
2. Access controls: Educate SMEs to implement robust access controls to ensure that only authorised personnel can access sensitive information. This could include measures like multi-factor authentication and role-based access.
3. Incident response planning: Guide SMEs to develop detailed action plans to quickly identify, manage, and reduce the effects of security incidents.
4. Data Backups: Handhold SMEs to implement a robust data backup strategy to ensure that critical data can be quickly restored in the event of a breach or system failure.
2. Remedial Measures in case of a Breach
In the unfortunate event of a data breach, the DPE guidelines should provide a clear roadmap for SMEs to quickly recover from the incident.
The guidelines should include the following steps that every SME should adhere to:
1. Incident response activation: Immediately activate the incident response plan and assign a dedicated team to manage the data recovery operations.
2. Containment and eradication: Take immediate steps to contain the breach, identify the root cause, and eradicate any malware or unauthorised access.
3. Forensic investigation: Conduct a thorough forensic investigation to determine the extent of the breach, identify any compromised data, and gather evidence for potential legal action.
4. Regulatory compliance: Ensure compliance with the prevalent data protection regulations, such as promptly notifying the affected individuals and regulatory authorities.
By following these guidelines, SMEs can minimise the impact of a data breach, restore operations quickly, and protect their reputation and customer trust.
Summing Up
Adopting the DPE framework can significantly benefit SMEs in India. By implementing DPE guidelines, they can enhance their data security, making them less vulnerable to cyber threats.
Furthermore, integrating DPE guidelines will help SMEs build consumer trust by demonstrating a commitment to responsible data handling and comply with industry-specific data protection regulations.
Ultimately, by enforcing DPE guidelines as an integral part of its national policy, India can strengthen its overall cybersecurity posture and foster greater confidence among its discerning citizens.
Ruchin Kumar is VP – South Asia, Futurex