Computer Security Day Insights: Hear From India's Top Experts

May I have a few minutes of your time?

Congratulations user! You are the lucky winner of an iPhone 15 Pro.

Chances are you’ve received one of these messages on your WhatsApp before. And if you didn’t fall for it, you are lucky indeed. 

While the shift toward digital India has benefited the economy, it has also opened up new avenues for cyber threats. Hundreds of people get exposed to such phishing attempts on a daily basis, resulting in severe repercussions like financial loss and data breaches. 

With a rise in cyber attacks, phishing, and ransomware incidents, Indian government and commerce face the continuous challenge of safeguarding critical infrastructure and sensitive data. As we approach Computer Security Day, it’s the perfect time to re-evaluate ​​our defenses by choosing the right security software and implementing vigorous security measures.

A 2023 Microsoft report revealed that India accounts for 13% of cyber attacks in the APAC region, making it one of the top three most attacked countries. This finding highlights the increasing vulnerability of India's digital infrastructure and the need for enhanced cybersecurity measures. Indian businesses, both in the public and private sectors, must develop effective strategies for threat mitigation and management.

Securing an IT infrastructure requires a multi-tiered approach. Organizations have to apply adequate security measures across various sub-levels critical to computer security. According to Dr. Shekhar Pawar, founder and CEO of SecureClaw, it's crucial to safeguard these three key areas: people, processes, and technology. "Implementing a strong cybersecurity posture is a continuous process. Human beings are often the weakest link causing most cyberattacks."

To help you implement the proper practices to secure your business, we've gathered expert security insights from leading professionals and specialists in India. Let's take a closer look.

Cybersecurity awareness

From financial institutions and government bodies to small businesses and personal users, the need for reliable cybersecurity practices has never been more prominent in India. 

India has witnessed several cybersecurity initiatives. The Digital India campaign, launched by the Indian government in 2015, aimed to secure government data and promote the adoption of safer digital practices among citizens. This march toward cybersecurity awareness led to several other initiatives like the aadhaar system and the National Cyber Coordination Centre (NCCC). 

However, cybersecurity isn’t limited to the aspect of user awareness. It’s a holistic approach that involves preventive measures, risk management, incident response, and continuous vigilance. 

“Organizations should use tools that study new phishing techniques used by hackers [to] train their employees quickly,” said Shikhil Sharma, founder of Astra Security, discussing how Indian organizations can measure the cybersecurity awareness of their employees and stakeholders. “Explicit video training can get frustrating for employees. Thus, the training should be part of the daily workflow.” 

Shikhil mentioned how, over the past few years, phishing attacks have been getting more and more sophisticated. “Attackers now combine social engineering techniques and synthetic video generation to increase the effectiveness of phishing campaigns,” he said. “This three-pillar approach goes a long way in ensuring layered protection against such attacks.”

He also advised that simulated phishing exercises should happen within apps employees already use, like Slack or Gmail, during the workday. “This way, you get real responses from people instead of when they explicitly try to pass a quiz on phishing.”  

A common example of such simulated phishing exercises is sending fake emails to test employee responses and train them to avoid clicking on risky links.

Data privacy and protection

Data is what fuels the online world. It’s the catalyst that makes it possible for businesses to create personalized experiences, gain customer insights, and enhance their operations. For individuals, data privacy centers on personal information and financial records. Safeguarding these valuable assets requires the highest level of protection.

Data protection isn’t just a matter of compliance; it’s a right of businesses and individual users alike. The concept of data privacy encompasses the principles and practices that govern how information is collected, stored, processed, and shared.

When data privacy is not taken seriously, the consequences can be dire. In March 2021, there was a data breach of nearly 110 million users of MobiKwik, India's leading digital banking platform. The data was reportedly sold on a hacker forum on the dark web and exposed details of KYC documents, credit card details, and contact numbers linked to the app.

On August 9th, 2023, India finally passed the Digital Personal Data Protection Act to govern how entities process personal data. It offers citizens control over their personal information by making it mandatory for organizations collecting data to obtain user consent before processing it.

The question remains: how can organizations with complex data ecosystems ensure compliance with evolving data protection laws? Santu Chakravorty, VP of Cybersecurity Solutions & Services at Strobes Security, said, “Regular security audits, especially those impaneled by the Indian computer emergency response team (CERT-In), ensure adherence to data protection regulations.” 

Dr. Shekhar Pawar also shared a proactive approach to data privacy and compliance. He highlighted how, in recent years, the zero-trust security model has contributed to data security. The model assumes that no one, whether inside or outside the organization, can be trusted by default.

“ISO 27001’s Information Security Management System (ISMS) has played an essential role in many large organizations protecting information,” he said. “A new cybersecurity framework like Business Domain Specific Least Cybersecurity Controls Implementation (BDSLCCI), primarily suitable for small and medium companies, can also protect organization data and mission-critical assets.

Patch management

Be it a standalone system or a corporate network, they’re defined by various applications, operating systems, and hardware. This diversity poses a challenge to keeping track of updates and vulnerabilities. With patch management, users identify, acquire, and install patches for bug fixes and feature updates to eliminate lags and security holes. 

Successful security programs must understand where their most sensitive data and systems are located and which vulnerabilities bring the most significant risks with them. Studies show that unpatched system vulnerabilities are the primary factor behind threats like ransomware attacks. 

By promoting a culture of regular patching and implementing best practices, businesses reduce the risk of data breaches and system compromises. However, due to its complex nature, patch management often leads to workflow disruptions. According to Santu, companies should employ automated patch management tools aligned with CERT-In guidelines for a secure environment. You can schedule the tools to run during off-peak hours, thereby minimizing disruptions to critical systems and services. 

He also suggested that phased rollouts are the way to go for industries like retail and e-commerce, where uptime is critical. “Start with a smaller group, monitor for issues, and then expand to the broader organization,” he added. “This approach not only ensures continuous service availability but also provides an opportunity to address potential issues in a controlled manner.”

Adil Advani, Digital PR and Marketing Director at AnySoftwareTools, echoes this solution. “Maintain a rollback plan to revert changes if issues arise quickly. Regularly review and refine the process based on feedback and results. A gradual approach ensures continuity and system integrity.” 

By proactively identifying and addressing vulnerabilities, patch management builds business resilience and solidifies its foundation. The key here is a well-balanced approach, one that prioritizes critical systems, incorporates regular testing, and reduces disruptions. 

Password security and multi-factor authentication (MFA)

When it comes to personal security, not everyone is aware of the basics of keeping their data safe. But consistency is critical, and as soon as that regular flow of protection is broken, it opens up an opportunity for hackers. 

Effective online security begins with strong passwords. They are the first defense when it comes to securing your digital identity and sensitive information by preventing unauthorized access. However, with increasingly sophisticated cyber threats, strong passwords alone aren’t enough.

MFA takes the concept of password security to the next level with an additional layer of verification. It involves something you know (the password) and combines it with something you have (a text message or authentication app) or something you are (biometrics like fingerprints or facial recognition). 

One of the most common examples of MFA factors that users encounter is a one-time password (OTP). The password is a temporary 4- to 8-digit code sent via email, SMS, or a mobile app. The code is generated each time an authentication request is submitted.

Businesses constantly face the threat of losing critical data when employees aren’t cautious about password protection. Ankit Prakash, founder of Sprout24, noted that implementing advanced password protection practices while maintaining user-friendliness requires a balance.

He acknowledged the diverse linguistic landscape in India and shared some great tips on improving passwords to handle the differences. “Incorporating native language phrases can enhance memorability without sacrificing security. Educate teams on avoiding predictable passwords, emphasizing creativity and personal relevance to prevent password fatigue.” 

Adil Advani also insists on seamlessly integrating biometric authentication methods to enhance security without complicating the UI. “It allows users to access their accounts swiftly and securely, minimizing the need for remembering complex passwords,” he said.

Of course, there’s a tool for everything nowadays. Companies can invest in password manager software to help employees handle multiple credentials in the extensive digital workspace. 

Network security 

As one of the most prominent pillars of cybersecurity, network security protects an organization’s digital infrastructure from all kinds of cyber threats, unauthorized access, and data breaches. 

India has witnessed a fair share of data breaches, attributed mainly to the ongoing development of its network infrastructure. In 2020, the data of almost 80,000 COVID-19 patients was compromised when hackers broke into the network and database of Delhi State Health Mission. In 2021, about 1,90,000 applicants of the Common Admission Test (CAT) conducted by the Indian Institute of Management (IIM) were exposed to a similar incident. Their personal data, test results, and academic records were put up for sale on a cybercrime forum.

This is why network security is so vital. By protecting their network infrastructure, businesses ensure smooth and secure operations of all critical systems and digital assets. It involves establishing security measures like access control, antivirus software, application security, network analytics, firewalls, and VPN encryption. 

Matthew Ramirez, founder of Rephrase Media, gave us his tips about how Indian businesses can go about the process. “Companies can use a next-generation firewall (NGFW) to protect their network infrastructure,” he explained. “It combines traditional firewall functions, such as packet filtering, with advanced techniques like intrusion detection and prevention, antivirus, and deep packet inspection.”

Ankit also shared a noteworthy incident that showcased the effectiveness of zero trust architecture (ZTA) in safeguarding Sprout24. 

"Our intrusion-detection system alerted us about an unusual activity originating from what appeared to be an internal source. This incident demonstrated the strength of our Zero Trust approach, as it successfully thwarted the attack.”

Another proven way to better network security is segmentation. This process involves dividing a network into sections and restricting access between them based on a need-to-know hierarchy. This strategy helps contain breaches and limits the lateral movement of attackers. 

Moreover, tools like intrusion detection and prevention systems (IDPS) can be used to monitor network traffic for suspicious activities, allowing companies to act and mitigate threats immediately.

Don’t let your guard down

With great technology comes greater threats. But with a proactive approach, you can defend your digital assets effectively. 

Whether practicing strong password management, keeping your software current, or staying vigilant against phishing attempts, these expert measures collectively contribute to a more secure digital environment. 

Let Computer Security Day be an annual reminder of the ongoing need to protect your digital space. Take the initiative and invest in your digital safety by connecting with your security teams to identify system vulnerabilities. Ultimately, the responsibility of digital security rests with the end users.

Hear from security experts about zero-day attacks and learn essential strategies to fortify your organization against such threats.