<p><em>The time for cyber security is now and any delay in securing this Digital India will result in tremendous financial losses to the cyber community as a whole, writes <strong>Nikhil Kaduskar</strong></em><br><br>At a time when just over 20 per cent of India's population is using the Internet, online sales have already surpassed $11 billion. Analysis by Morgan Stanley, a private equity firm, indicates that the Internet market in India could grow to $137 billion by 2020. Although the business environment is favourable for this growth, cyber security and consumer protection could throw a spanner in the works for the Internet market in India.<br><br>E-commerce business has been characterized by short go-to-market times and a strategic focus on customer acquisition. Prioritization of product launch inevitably leads to relegation of information security and consumer privacy. Typically, the e-commerce industry follows the iterative or agile approach to software development, with the initial iterations aiming to deliver crude but working solutions to the consumer. With this, security is pushed to late-stage iterations or deprioritized indefinitely. Lack of secure coding practices for the website or app provides many back doors for hackers to gain access to sensitive data. To make matters worse, e-commerce companies collect an enormous amount of data, including device contacts, GPS location, email IDs, passwords, and financial information. Recent alleged hacks of Ola Cabs and Housing.com showcase the ease with which attackers could exploit these vulnerabilities and gain access to the treasure troves.<br><br>The big players in the e-commerce market do take certain measures to protect consumer data. Many of them follow the recommendations from the Data Security Council of India (DSCI), a Self-Regulatory Organization (SRO) established by NASSCOM to promote data protection. 
They also aim to achieve the Payment Card Industry - Data Security Standard (PCI-DSS) certification to protect card data. These standards being voluntary and unenforceable, only a limited number of market players adhere to them.</p><table style="width: 200px;" align="right" border="1" cellpadding="1" cellspacing="1"><tbody><tr><td><img alt="" src="http://bw-image.s3.amazonaws.com/Nikhil_Kaduskar-mdm.jpg" style="width: 200px; height: 200px;"></td></tr><tr><td><span style="color:#696969;"><em><strong>Nikhil Kaduskar</strong></em></span></td></tr></tbody></table><p>From a regulatory point of view, e-commerce companies are required to adhere to the Information Technology (Amendment) Act of 2008 (ITAA 2008), especially clause 43A "Compensation for failure to protect data". The clause lays down penalties for negligence or failure to implement security controls that results in loss of sensitive personal data. This regulation is a great start for forcing companies to consider data security, but falls short of prescribing minimum required controls and laying down the specific responsibilities of the business. Being too open-ended, the ITAA is vulnerable to interpretation and potential misuse by unethical businesses. The government's oversight responsibilities are not clearly defined, because of which many irregularities within security implementations are never uncovered.<br><br>India currently ranks in the top 5 countries with the most malware infections. At the same time, India is also in the bottom 3 in terms of preparedness for cyber security. The government's cyber security budget for FY 2014-15 was just $7 million. Compared with the $13 billion cyber security budget of the US for FY 2015, the magnitude of the issue is clearly evident. 
With a lack of commitment to cyber security, enforcing regulations and auditing e-commerce companies is a mammoth task that the government may not be capable of performing.<br><br>A methodical approach is required to tackle cyber security issues within India. First, a strong regulatory framework must be established as a foundation to provide protection to consumers as well as businesses. Regulations provide guidance for deploying security controls and define the level of effort which businesses should take to secure the data. Regulations should also stipulate high monetary fines for lack of security controls, thereby increasing the average cost of a data breach from Rs. 3,396 per compromised record, which is one of the lowest in the world. For highly regulated countries, the cost is around Rs. 13,900 ($217). A capable cyber task force, along with a grievance mechanism and compensatory rules, may instil confidence in consumers.<br><br>Secondly, businesses should become self-aware and define their risk posture. Ownership of security should be internalized and dedicated teams established to enable secure development of applications. In the long run, businesses may reap the benefits of having a mature cyber security program which helps in reducing security incidents and increasing customer loyalty and trust.<br><br>Finally, consumers need to be made aware of security issues and their role in the changing marketplace. The banking industry in India runs awareness campaigns for its customers with special focus on phishing, sharing of data, and customers' responsibilities in terms of online banking. A similar campaign must be initiated to make consumers aware of the risks of transacting online and also inform them of their digital rights.<br><br>In the ambitious Digital India initiative, slated for completion by 2019, our Honourable Prime Minister Narendra Modi dreams of a Digital India where cyber security becomes an integral part of national security. 
The time for cyber security is now and any delay in securing this Digital India will result in tremendous financial losses to the cyber community as a whole.<br><br><em>The author is a cyber security consultant with five years in the domain and writes India-focused security articles for Infosecbyte</em></p>