In an exclusive interaction with Stanislav "Stas" Protassov, co-founder and technology president, Acronis, BW Businessworld breached the topic of cybersecurity talent gap in India, and obtained his opinions on cybersecurity strategy for fintechs and more. Read on for excerpts from the interview.
Excerpts:
We know that cybersecurity incidents are increasing at an alarming frequency. But why are companies struggling to keep up with the bad actors?
In physical conflicts, attacking is more costly than playing defence – in cyber conflicts the situation is reversed. Defenders have to make no mistakes and the attackers need to find just one. On top of that, in many situations a failed attack carries no consequence for the attacker. A phishing email gets blocked or deleted, but companies rarely investigate - nor do they have the resources to do it - the origin of the attack.
Another reason is the growing complexity of IT and the society’s dependence on it. Organisations build layers and layers on top of the existing systems and struggle with updating them because critical business processes depend on them and any change would be costly. In government organisations, the desire for stability when providing government services is even higher and the desire to leave running systems unchanged is even stronger. This leads to legacy systems, outdated and vulnerable, and an easy target for attackers.
How are the policymakers trying to catch up with these attacks?
Existing threat intelligence efforts don't seem to deter attackers, as they are mostly focused on state-sponsored attack groups. This could be a fair approach because those APT groups may be far more dangerous, but it also leaves small and medium businesses without protection from their law enforcement. In some countries, like the US and Singapore, the government puts more effort in prosecuting cyber criminals, but India is behind in these efforts.
Fintechs handle sensitive data. What are the best practices in security for them? What should their cybersecurity strategy be?
There is no magic secret specific to fintech. It all revolves around having secure software and secure operations.
Secure software means updating it in time, controlling the software supply chain, using secure coding practices for internally developed software, having secure architecture in the foundation and using secure protocols. Adopting these principles will help prevent supply chain attacks and minimise exploitable vulnerabilities.
Secure operations means all those practices we know too well – mandatory 2FA, phishing protection, employee vetting, following four-eyes principle for sensitive operations and so on. Adopting these practices would help avoid repeating the case of Solarwinds and other similar cases.
There’s a noticeable talent gap in cybersecurity globally and in India. How can this gap be addressed?
Education plays an important role. Currently India has no universities in the world’s top-100 university ranking – it’s highest ranked university is Indian Institute of Technology Bombay, ranking 177. It doesn’t necessarily mean that India can’t produce talented and educated security engineers, but there is a correlation between the education’s quality and availability and people entering the engineering workforce. In comparison, China has six universities in top-100, and even Singapore, despite its size, has two on the list.
Another issue is the “brain drain”. With global competition for talent, many businesses – and countries – struggle to attract and retain top talent. Short and mid-term, this competition could be won by making work in India more attractive, but the long-term strategy should be around improving the education system and supplying more entry-level security engineers.
We are on the verge of a metaverse revolution. What would security look like in the metaverse?
While it’s still in the early stages, with Metaverse – higher the adoption rate, wider-ranging the threats. Primarily, as soon as digital property in the 3D universe will become of value, we’ll see the cases of accounts hacking and tampering, phishing and assets theft.
Device security will be a big issue too. Platform and device hacking will get a lot worse – and those can have potentially terminal consequences in the physical world: hacking your Metaverse device (like, the Oculus headset) can cause seizures, if you're epileptic, it can hurt your vision or hearing at least temporarily, or can expose your physical location.
As for data regulation, the Metaverse platform is currently driven by US companies – there’s no federal-level data privacy protection legislature within the US. According to US laws, data collected by Facebook belongs to Facebook, and Facebook will surely make profit off that data.