“There are two types of companies: those who are hacked, and those who will be hacked.”
With these words, Ms Neetu Chitkara, Principal, Boston Consulting Group, opened a panel discussion on ‘Cyber Security: Beyond Just Compliance’ at the two-day FICCI-IBA annual banking conference, FIBAC 2017.
The panellists were a mix of experts from business, law and technology. They included S. Ganesh Kumar, executive director, RBI; Dinesh Kumar Khara, MD (Risk, IT and Subsidiaries), SBI; Balsingh Rajput, SP Maharashtra Cyber, Govt. of Maharashtra; Ms Debopama Sen, MD, head of Treasury and Trade Solutions, Citi South Asia; Peter Gartenberg, GM, Enterprise Commercial, Microsoft India; Sriraman Jagannathan, VP Payments, Amazon India; and Ms NS Nappinai, Advocate, Constitution, Criminal, Corporate, Cyber Laws, IPR / Author, ‘Technology Laws Decoded’. The panel was moderated by Ms Chitkara.
In her opening remarks, Ms Chitkara observed that “gone are the days when you could leave cyber security to the CSO or IT team.” She explained that the problem now is so intense that it is the domain of the CEO or the board at the highest level in any organisation.
“The number of records breached in 2016 was 1.8 billion.” These are just the ones that are reported. The hackers could be sitting anywhere on the planet, learning from the Internet and hacking in India. “It is a constant war without borders.”
S. Ganesh Kumar, Reserve Bank of India, agreed that security is an important concern. “The RBI is to come up with guidelines,” he said, explaining that India has matured and does not need to be micro-managed. He described security as a “marriage between convenience and confidence.”
Customer perceptions also keep changing, with the younger lot having a different view of privacy. This makes it difficult for the regulator. But RBI has taken up the challenge and is trying to keep ahead of the curve. They have got a repository of data. He disclosed that the money loss in cyber theft is not very different from traditional money losses.
Dinesh Kumar Khara, State Bank of India, added that bankers were facing great difficulty in maintaining cyber security. “Threats are of concern to any financial company. Our employees in core banking should be informed and must perceive this threat. Otherwise they are not vigilant enough.” He suggested that bankers should remain vigilant with their vendors. All applications must be insulated from risk.
Ms NS Nappinai, Advocate, Constitution, Criminal, Corporate, Cyber Laws, IPR / Author, felt that cyber security is beyond compliance. The banking industry now comprises high-trust verticals and looks for convenience. It aims to offer both convenience and confidence. There is a fine balance between these two. “Social engineering brings malware to your table,” she said, highlighting the greed not only of the criminals, but also that of the users. “The human is the weak link.” In her opinion, prevention and protection are more important than punishment.
Peter Gartenberg, Microsoft India, was of the view that India is unique in that “the whole move to a perimeter-less environment from a security standpoint is here and now; and that’s different from some of the other western countries. That has presented Indian enterprises with a unique challenge.” Another issue he identified is the slow upgrade cycles. That facilitates exploitation of vulnerabilities in the software. He advocated the use of cloud, which is a far more secure environment because it incorporates the latest features in terms of cyber security.
Ms Debopama Sen, Citi South Asia, felt it will be hard for institutions to be ahead of cyber criminals. “They just have to get it right once, and we have to get it right every single time.” The working generation is still one of digital immigrants, not with the same mobility as digital natives. “It is work in progress,” she said, pointing out that the situation in India is not different from that in other parts of the world. The emphasis is on training and simulation, so that everybody knows how to react in case of an incident.
Balsingh Rajput, Govt. of Maharashtra, wished to dispel two myths: one, that IT and cyber security are the same. “IT development and cyber security are two different fields.” The second myth is that cyber security is a technology problem. “No. It is your business continuity problem.” If technology, processes and people work together, the system works well. If one of them misbehaves, there is a threat to business.
He explained that technology won’t bring deterrence. “Deterrence is to the human, not to technology.” Hence we must try to understand the enemy, and bring the law to bear. He felt that people should not be shy about coming to the police to report a cyber-crime.
Sriraman Jagannathan, Amazon India, observed that the concept of cyber security evokes fear. “If all of us deal with this topic as a fearful thing, majority will not engage with it deeply.” If cyber security is synonymous with fear, it will be difficult to contain in a rapidly changing world. It needs to be understood, and the desire should be to do better each time. “An organisation that is going to get better at it will move faster.” And people will get better not from fear, but from learning. It is a continuous process of creating, classifying, and understanding patterns.
All the panellists agreed that implementation of cyber hygiene is important.