Digital transformation and the risks it sets for cyber security

In a conversation with ET Insights, Milind Mungale, Managing Director and CEO, Protean InfoSec Services Limited, shares the different concerns plaguing the MSME community, which has hastened its digital transformation process to meet the changing environmental demands.

During the pandemic and post-pandemic, a majority of entities have adopted digital transformation of their businesses. Has this happened thoughtfully?

The pandemic itself had a grave effect on the entire world, resulting in a prolonged halt to the business sector. As usual, everyone had to shut down their physical shops and sit at home. A few of them had advanced digital transformation initiatives and were able to manage, but those who were in the early stages or had not started at all had to hurriedly undertake digital transformation initiatives to survive their business. Obviously, these initiatives could not have been taken with a proper and systematic thought process and the priority was doing it ASAP.

Probably, as it helped the organizations to sail through the lockdown period, they might have got an impression that whatever was done might be the right way and thus continued working in the same manner even after the pandemic passed away. I personally feel that the majority of the emergency business requirements got handled, but I am not sure how seriously information security was considered while these initiatives were hurriedly made operational.

Probably, it is time to check if there are any weak spots that could be exploited. I will not blame anyone as it might have been difficult to put in, which requires extra money and extra effort, and tolerate some delay that would have caused carefully considered information security controls. But now that things are back to normal, revisiting what was done is important. It is the right time to take a step back and check out the requirements of information security controls and if any have been put in and their effectiveness.

What are the considerations that MSME has when it comes to adopting digital transformation of their business?

Primarily, MSMEs, with their available resources, would like to keep up with the fast-moving pace of the business industry. Most of the time, the motivation of any MSME to get into the digital transformation journey would be driven by their customers or their competitors. I have also seen a few MSMEs who have been early starters and have taken up the digital transformation initiatives only because they believed that the future would be brighter and more rewarding with such initiatives. However, being MSMEs, their case studies have not got published to encourage other MSMEs to tread this path. I personally feel that taking up digital transformation should be more oriented to making better business propositions for the customers and not out of any compulsion caused by losing some order contracts due to lack of such initiatives.

Do the MSME have the necessary resources and skills to holistically look at the Digital Transformation journey of their organization? If not, how do they approach this aspect?

Most of the MSMEs might be lacking the resources or skills to properly drive these initiatives and hence they must rely on external entities who could be consulting entrepreneurs, interested vendors, or some partners having better knowledge about the subject. They probably need appropriately skilled people of their own, but such skills are not easily available at the time and within the budget.

Therefore, most of the time, they have to rely on external skills which they can hire temporarily, get some work, necessary at that time, done, and then let go of it. This kind of piecemeal approach results in loopholes within their system as these multiple initiatives are taken at separate points in time and must be integrated and if the external agency is not the same, no one takes responsibility for such patchwork integration. When we look at the information security control considerations, these could result in wide open gaps, providing a playfield for those who have malicious intent.

Is Information / Cyber Security crucial for the MSME business? How can it affect business? And challenges

Large enterprises that are customers of MSMEs and offload certain parts of their work to these MSMEs require their supply chain entities to undertake digital transformation initiatives limited to the integration with their systems. A few of these large organizations also support them by providing them with software that is developed and tested by them. Few do provide help by giving appropriate guidelines on what to do. Few have empanelled the development houses and service providers, helping these MSMEs in their supply chain to get better and appropriate pricing for such initiatives.

Where none of these happens, the digital transformation vendors and service providers are also taking the initiative to tap such potential MSMEs through publicly available databases or with help of their tie-ups with industry associations. However, the focus on Information Security is still more on a minimum requirement basis rather than comprehensive integration within such Digital Transformation initiatives.

You are a financial organization that is fully fortified with the best team with you along with the best security infrastructure. You are deploying all the practices and frameworks that are required to secure your data. So, are you completely safe?

No one with their senses in place should ever think that they are completely secure. Being paranoid about such things will always help to be alert and proactive to safeguard the enterprise’s digital assets. However, why would a hacker want to break their head over the fortified systems of a large enterprise unless there is a motive and intention to challenge the organisation itself? If data is the only motive, then such entities would probably try to find out as to which MSME / smaller entities these large enterprises will engage in to get their mundane jobs done. Mostly, this is offloaded for the economic viability of the services offered by large enterprises and to beat the competition by using this outsourcing model to reduce the cost of services offered. Hence, it becomes easier to target such small MSME entities and obtain the data that is being processed in their system and which belongs to large enterprises.

The information security weaknesses left in such MSME systems could be easily exploited and, further, the weakness in keeping the necessary logs and trails makes it difficult to trace back to who did this act with malicious intent. We have already seen above that customer requirements are only a matter of compliance for MSME due to a lack of resources and skills. Information security implementation in spirit is necessary if it has to be aligned with the kind of information security considerations their customers or principals have put in. Only after that will the data be equally secured throughout the supply chain of such large enterprises. MSME / small entities will have to play their role carefully and thoughtfully when it comes to handling the information offloaded to them for processing by large enterprises.

The problems of cybersecurity and other information players. Do you think these problems can be addressed by the security industry players?

Two to three years back, some statistical data was brought up saying that annual spending on information security by small entities and mid-sized entities, in our country, ranges between Rs. 40,000 to Rs. 1.25 lakhs.

With such a kind of annual spending, no one can even get a properly skilled person to look after your security for a year. What about the other costs like solutions and technologies required to secure the digital assets? The information security budget needs to be revisited by every MSME and necessary consideration needs to be given, assuming that this is necessary for the long-term survival of their business.

It is to be remembered that large enterprises are the target and, most of the time, it is their name and reputation which get tarnished. They could play a bigger role in the Cyber Security posture of their supply chain entities. If large enterprises consider a certain amount of their Cyber Security spent on strengthening the MSME and other smaller entities in their supply chain, over a period they could easily claim that wherever their data moves, it is secured.

Similarly, the way reputed lawyers take pro-bono cases to help the economically deprived or doctors/health care organisations make certain provisions to medically aid the economically weaker section, if the well-to-do information security consultants, information security technology OEMs, established security practitioners, and security service providers support the MSME in building a good cyber / information security at a reasonable cost, it will change the complete landscape of the security posture, across the industry.

The long-term impact if the MSME segment does not fully wake up to the need for good security practices?

The long-term impact is that the larger entities will continue to be at risk. Over a period, larger entities would find it very difficult to cope with this problem through their outsourcing model, and considering the reputation at stake, they may take certain drastic steps. These kinds of steps taken by larger enterprises could bring the entire business of MSME at stake.

 

Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of ET Edge Insights, its management, or its members
