Think as Indians: Share, Work with Government to Mitigate Cyber Risks
The financial sector is vulnerable to cyber breaches because it works on an outsourcing model. Vendors and other partners should share responsibility for security when it comes to digital cash, suggests Gulshan Rai.
The Internet has been in existence for over two decades, but it is only now that we have started talking about its relevance and importance to transactions. It is part of the national infrastructure and economy, and our financial systems ride on its strengths. We are witnessing a paradigm shift: security was never as important as it is today.
All kinds of technologies exist: the web, social media, mobile, cloud, the Internet of Things (IoT) and what not. No sector of the economy is left untouched, especially the financial sector. The fundamental question is: do we integrate security at the time of planning the infrastructure? IoT is new for India, but it happened in the US a couple of years ago. Recently, one small instance of hacking shut off one-third of the West Coast. In another instance of hacking, reportedly 3.2 million cards were compromised in India. The question is: can we do without the Internet? The simple answer is no! The fact remains that the Internet was never designed to be a secure medium; it is a completely open system.
There are a few characteristics we need to understand about the Internet and other means of communication. In mobile communication, the government licenses the service provider; the infrastructure is set up and the best infrastructure is used by the public: set up by private, used by public. The Internet is the opposite: it is set up in public, used by the private. The two need to be married together, and this is where the challenge lies.
Some of the equipment and technologies are owned by the organisation and some are hired or outsourced, and business is transacted on a per-transaction basis. For instance, if a bank has to draw a statement of transactions, the outsourced vendor is asked to generate one. All critical system passwords are open, infrastructure control is with multiple vendors, and this is all part of the same architecture. Did we plan for this? Perhaps not! This is why I say that, at the time of planning, proper infrastructure planning with a secure architecture needs to be put in place to firewall an organisation against myriad vulnerabilities.
We need to follow certain guidelines:
Passwords must be kept secure and safe and not shared with anyone, which is the sole responsibility of the user;
The infrastructure owner or the outsourced vendor has to make sure that the entire infrastructure is secure;
The financial institution that is providing service to its customers has to share the same responsibility and keep strict and tight control on the infrastructure without any compromise; and,
The government is an equal stakeholder, as it has to facilitate through policymaking and creating legal frameworks.
So, there is shared responsibility with all stakeholders.
Capacity building and basic training of the staff handling ATMs, including the security agency, are also important. When the recent compromise of cards happened, somebody must have sneaked in and planted a skimmer in the ATM, which went unnoticed. Since these are outsourced functions, the service provider has to take responsibility for educating the people involved in such operations so that such breaches can be prevented.
The world is a global village, and all companies must think of themselves as Indian; they must be ready to share, to work with the government to mitigate those incidents, and to work together to find the root cause of those incidents. That is where international cooperation has to come in. Digital cash knows no boundaries, it is a seamless world, and international best practices have to be leveraged. While companies have individual obligations to the country they belong to, they still have to follow the law of the land and share information on collected evidence that will help mitigate the ensuing risk and prevent more such instances.
Technology knows no boundaries either and is used by all, leading to a complex situation. The distinction between a terrorist, spy agency, state hacker, novice or professional is increasingly getting blurred. It is difficult to identify the attacker or hacker, and it is a challenging situation. It is an act of partnership between industry and government to help secure digital transactions so that the customer is reassured before many others start using the digital highways.
(The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of INCLUSION. Comments are welcome at firstname.lastname@example.org)