Indian IT Act is there to Help Enterprises

Sajai Singh, Cyber Law expert, on Indian CISOs' readiness to protect enterprises and evolving IT laws in India

From a cyber security perspective, enterprises in India stand good in terms of awareness of data security. Are they equipped enough?

I would say they are more equipped than many other jurisdictions. I am quite impressed with the level of security that they have – primarily because a lot of their guidance comes from multinationals that have offices here. The multinationals that have offices here follow the same security procedures that they follow globally.

I am quite impressed. I think many other countries may not be as updated as India. Also, we have the outsourcing world, and we come from an outsourcing legacy where the companies – service providers – had to be completely compliant vis-à-vis security practices and procedures even before we got any laws. Otherwise foreign customers won’t contract with us because the customers have very strict requirements (say) in the EU or the US or Australia or wherever else they are coming from.

Indian enterprises are well equipped

Indian companies are well equipped, because of their grounding in the outsourcing space – that have always had a very good internal securities and procedures and systems. Multinationals who have offices in India have to globally maintain a standard. So, India, I wouldn’t say, would be lower in compliance than it would be in America or the western world.

Banking is definitely pretty aware of it – because they have to, because of the criticality of data. But, what about sectors like manufacturing, automobile or e-commerce? They have so much of analytics coming in, cloud computing... Data is now residing not just on premise, it’s on cloud. So how are the vendors providing robust security?

As a global statement, I think the healthcare industry has to do a lot in order to catch up with the global standard. They are the most prone or the easiest to hack or breach unlike any other industry. Primarily because they haven’t paid as much attention as the banking industry or the insurance industry has paid. That’s a global phenomenon, and they need to look into that. But no one is really interested in the data that they have, so there are very few breaches that will happen of a hospital data. No one is really interested.

I mean, unless someone picks out some facts and gets some benefit out of it, no one is going to hack that. But there is an immediate monetary benefit that comes out when it relates to a bank or a retailer or a credit card company. That’s why they are the most prone to data breaches. Therefore, they are the most vulnerable. We feel they need extra security. Be it manufacturing or any other space, when the threat is low – I am not saying people are lax – but people are ok with the security standards or systems that may be good, but don’t have to be absolutely perfect.

IT Act in India

Coming to the IT Act: There is little ambiguity around social media – what they can post, what they cannot. There is much ambiguity around how much a CSO can prevent his/her company employees from doing what they are not supposed to do.

It isn’t complete in nature, and it never will be – because technology is moving so fast. I think when it was written cloud might have existed in concept. Cloud is today a reality. Social media – the way it has evolved, BYOD: all these concepts are more current than when the IT Act came about in 2000. It will keep evolving. It’s not to say that it’s enough or not. There will always be a catch up time between the law and technology. Technology moves so fast that law does take time to catch up. But when it does catch up, it moves so much further ahead.

But I think the rule to apply is that what you would do in the virtual space – if something was to go wrong. What would you do if the same thing was to go wrong in a brick and mortar space? What are the laws that apply and by analogy you apply the same laws in the virtual space. Till you don’t have a law, that’s the way to go about it.

And you know that if there is a harm that is being caused to someone and the same harm if I caused to someone in a virtual world (like abuse him or whatever), I would have to pay this penalty or go to jail or I would have to make good these laws by doing something else – apologising or losing my job or whatever else it may be.

The same logic would apply in a virtual space as well. So, till we don’t have laws (for the virtual world) – we do have principles to guide us. I wouldn’t say we don’t have laws. Yes, we don’t have laws specifically written on a particular topic, we may not have a law on Cloud or how law has to deal with Cloud issues or Cloud privacy etc. But we have laws that deal with every aspect that can go wrong or right using the Cloud.

There are very few countries in the world, which have really addressed their law or that have really addressed Cloud or anything that is for the technology that has moved further ahead. So, India in that sense, is not that far behind many other countries. Yes, we don’t have a specific data protection or a data security law. But we have all the provisions under the IT Act.

So, I don’t feel we are lacking anything, or we are lacking something which other countries have. Every country is struggling in the same manner that we are doing.
