Data Privacy: Manufacturing Conundrum or Consistency

 

Cyber-attacks are not limited to a specific sector. Every industry is vulnerable to cyber-attacks, be it the crypto industry, banking, healthcare, retail, manufacturing or even the government.

India has seen a significant uptick in the number of data breaches, ranking third in the world. In 2021, five major data breaches alone resulted in the data of 113 million users being leaked. Apart from being a privacy concern, this is also an economic concern.

The manufacturing industry is a critical driver of a nation’s economy and therefore, sees a fair bit of attention from cyber attackers. As the domain pivots to Industry 4.0 and adopts 5G, IoT, and more, enterprises have seen an uptick in attacks with a majority of them coming from the software supply chain.

According to Gartner, 45 per cent of organisations worldwide will have experienced attacks on their software supply chains by 2025, a three-fold increase from 2021. The world is already seeing evidence of this trend in the manufacturing industry as cyber attackers are taking advantage of pre-existing security flaws from the supply chain network, infiltrating systems to spread malicious payloads throughout the organisation’s software, and using exfiltrated data to launch ransomware attacks.

Such layered attacks, says Huzefa Motiwala, Director – Systems Engineering for India & SAARC, Palo Alto Networks, are leading to disruption and long downtimes for manufacturing companies, costing them millions of dollars over and above ransom payouts. What’s more, growing enterprise IoT networks are further complicating this scenario. “As per Palo Alto Networks’ Annual IoT Survey, 84 per cent of organisations in India saw an increase in the amount of non-business IoT devices connected to their business networks in 2021. This adds to an already extensive launchpad for cyber attackers to put their nefarious intentions into action.”

Concerns about data security were raised in 2020, when organisations were forced to depend on remote workers due to pandemic restrictions. According to the 2021 Global Threat Intelligence Report (GTIR), data breaches have increased by 300 per cent within a year. From the manufacturing industry standpoint, downtime adversely affects hundreds and perhaps thousands of workers, making downtime costs potentially catastrophic. However, organisations are rapidly adopting the concepts of Industry 4.0. Data privacy can be strengthened by making compliance with frameworks such as ISO27001, CCPA and Cyber security IoT act mandatory.

“With the recent announcement by the Government of India on the emergence of the Data Protection Bill, India has taken a cautious approach to build a strong data privacy regime. However, there is an immediate need for creating awareness and educating digital users across sectors,” feels Anupam Kulkarni, CEO & Director, iauro Systems Pvt. Ltd.

A lot of valuable information is stored within the Industrial Internet of Things. The digital transformation of the manufacturing industry requires a network of equipment, sensors and other devices that constantly collect and analyse data from production processes. This data will help improve cost-effectiveness and efficiency in the manufacturing industry. Systems that use machine learning (ML), artificial intelligence (AI) and other emerging technologies will help businesses consistently improve their overall productivity. However, this huge volume of data becomes a target for competitors and hackers, thus creating a need for better data security.

“It is, therefore, paramount that manufacturers leverage a centralized, integrated Cyber Fusion Centre-based approach that encompasses not only their IT systems but also their Operational Technology (OT) systems that are critical to the manufacturing processes,” said Akshat Jain, CTO & Co-founder, Cyware. “This would give them complete visibility and control over all the security risks that exist in their infrastructure and enable them to implement the right processes for strengthening their data privacy,” Jain added.

M&A Deals and Data Security

Organisations must make cybersecurity a key focus during the entirety of the M&A process. When conducting their due diligence pre-merger, emphasis should be laid on understanding how secure the target company’s environment is and how it approaches security controls, behaviours, and practices. When the M&A is put in gear, the focus should shift to include vigilance as, during this stage, risks multiply due to open networks, external threats from competitors, increased attention from cyber attackers, and more. The environment needs to be secured during the integration process and constant round-the-clock monitoring is essential to keep the organisation secure. Finally, in the post-M&A stage, the focus must grow to include security, vigilance, and resilience. Even though the acquisition is now complete, and it is business as usual, IT teams must be on constant threat watch to ensure the security of company networks, data, and assets.

According to Sudip Pal, Business Head, Dev IT Group, data privacy regulations and mandatory breach disclosure laws have the potential to significantly impact post-merger valuations. With operations in transition, high-value data is often vulnerable. “Threat actors target M&A activities because they offer the potential for short-term and long-term rewards. Chief Information Security Officers (CISOs) are key to protecting the assets and brand reputation of acquirers. CISOs should play a significant advisory role in all activities of the M&A lifecycle. More than one in three said they have experienced data breaches that can be attributed to merger integration,” he added.

That said, Vijay Pravin Maharajan, Founder & CEO, bitsCrunch, thinks that it is always better to have privacy and data security as an integral part of decision-making. “Things get complicated when data privacy and security & risk management are seen as separate technical or legal constraints.”

For Vishal Shah, Co-founder and CEO, Synersoft Technologies Pvt. Ltd, the level of cybersecurity practices and internal threat mitigation practices in M&A deals would differ from organisation to organisation. “If M&A happens for horizontal integration, more or less, the nature of liabilities will remain the same. The Idea-Vodafone merger can be a good example. If M&A happens for backward or forward integration, the nature of liabilities will be different. It needs careful analysis and a strategic perspective,” he explains.

Best Practices

In this new age of the digital revolution, new risks emerge every hour of the day. Reputational and monetary risks are high if businesses don’t have an appropriate cyber security plan. When creating a security management strategy, there are numerous best practices that businesses can consider to prevent incidents and be prepared for any cyber-attacks. A comprehensive cyber security program is the key to modern-day business survival.

To improve cybersecurity and data privacy, organisations are focusing on managing, automating, and prioritising their cybersecurity journey. One step an organisation must focus on is gaining total asset visibility – because you can’t manage what can’t be found. Utilising an automated platform to discover connected devices and software will enhance the visibility of overall assets and aid in data protection.

To maximise user privacy while keeping corporate data secure, according to Liam Ryan, Vice President-Sales & Marketing APAC, Ivanti, businesses should implement a unified endpoint management (UEM) approach that fully supports all devices accessing their network. UEM architectures usually include the ability to establish device hygiene with risk-based patch management and mobile threat protection.

Subha Lakshmi, Product Marketing Manager, ManageEngine, draws up a five-point agenda for the industry. Here are the points:

• Only collect and store necessary information.

• Inform the customer beforehand about what data you collect.

• Don’t store critical data like credit card or payment information without the consent of the user.

• Disclose security breaches to affected customers immediately.

• Perform internal and external audits to streamline processes and procedures and align security

“When it comes to medium to large brands in the Indian ecosystem we see a fair bit of maturity when it comes to ERPs and CRMs being used – in tandem with a data security architecture, policies and procedures. These are often led by the big international ERP providers who have led the awareness for security policies. So the awareness and the seriousness this topic is getting at the board room level is heartening,” concluded Murali Balan, Co-Founder, Tenovia.

Data Protection Bill

For the past five years, India has been on a journey to create a comprehensive data protection law. Despite these efforts, no laws have been passed. The current version of the bill has been modified to address a host of economic, nationalistic, and privacy-related concerns or objectives. Creating a law that addresses all these issues while also effectively regulating India’s rapidly changing technology landscape may be too gargantuan a task. There may be merit in first creating a privacy or data protection law, and then addressing other concerns and objectives in subsequent legislation or policies.

That said, India has seen a significant uptick in the number of data breaches, ranking third in the world. In 2021, five major data breaches alone resulted in the data of 113 million users being leaked. Apart from being a privacy concern, this is also an economic concern. A recent report by IBM Security and Ponemon Institute estimated the average total cost of a data breach in India in 2021 was Rs. 16.5 crores ($2.17 million).

In the absence of a law, companies are free to indiscriminately collect data. Having a data protection law would protect citizens’ privacy, while also creating greater consequences for data breaches. This would aim to prompt companies to better protect the data they possess.

The Indian government has also increasingly begun to collect data to be used in connection with newly developed technologies, in efforts to improve governance and facilitate better delivery of services. Some of the major examples include Aadhaar, a unique identification number issued by the Indian government; e-Sign and e-KYC, services that allow users to digitally authorise official documents; and the digital health infrastructure—the Unified Health Interface—created under the National Digital Health Mission.

For citizens to avail the benefits of these government initiatives or even be willing to participate in them, they first must trust the systems being created. This trust will only be generated when they know that their data is protected by law and that appropriate checks and balances exist to prevent misuse of their data.

Aside from the privacy-related issues, feels Sudip Pal, Business Head, Dev IT Group, there are a few other factors that must be kept in mind. He says, “The current situation is fraught with regulatory uncertainty, as it is still unclear which form this law will take. This has its own cost. Aside from a lack of clarity around legal and compliance measures, such policy uncertainty also acts as a deterrent to entering the Indian market, which will in turn reduce competition and may affect consumer welfare, stifle research and development, and more.”

The creation of the law also will not mean that it will be implemented immediately. India will still need time to set up the proposed Data Protection Authority, the cross-sectoral regulator outlined in the recent bill. The DPA will then have two years to implement the law, as per the current timeline.

Lastly, India needs to be clear on its internal framework for the treatment of data before it can look to exert its influence in this sphere externally. This is especially important because India will assume the presidency of the G-20 in December and having a clear stance could help position it to be a leader in this space, rather than a follower. It is in India’s best interest to create a data protection law sooner rather than later.

Written by:

Rahul Kamat, Editor, B2B Division, World Wide Media

Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of ET Edge Insights, its management, or its members
