The onset of the COVID-19 pandemic two years ago changed everything — from how we work to the way we interact and transact. Thanks to the rapid adoption of digital technologies, work has become hybrid and hyper-connected. While most people in metro cities had been sharing information and consuming content online even before 2020, the pandemic allowed the digital revolution to penetrate deeper into lower-tier cities and towns.
As we continue to swiftly drift towards a ‘virtual-everything’ world, online security and privacy have emerged as the need of the hour. A failure to safeguard one’s privacy could not only result in exploitation and fraud, but may also invite criminal offences against internet users.
Yashovardhan Azad, former Special Secretary, Intelligence Bureau, tells YourStory,
“As per the report of CERT-In, 11,58,208 cybersecurity attacks were reported in India in 2020 during the lockdown — a rise of nearly three times from 2019. These security breaches point at the regulatory gaps in our data protection framework which provides bait to cybercriminals to devise such attacks.”
Individual and mass data – the new target
On the new front of cybercrime, attackers don’t target humans to obtain data; they just target the data itself. If machines, especially those in charge of automated processes (think repeatable tasks like bank transfers, scraping web data, and moving customer data files), offer the best path to get to sensitive data, that’s the one the attackers will choose.
While the hybrid work environment has made it easy for anyone to work from anywhere and has helped many employees save time in commute, securing the data has been a major concern.
Sumit Srivastava, Solutions Engineering Manager of information security company CyberArk, explains that the root of this problem lies in the sudden change of environment that many companies had to navigate.
“Security policies were written on the assumption that there will be office premises; people would work in a restricted access area or room. They would have workstations that were company-provided and up to date with easily enforceable security policies. COVID-19 spurred many privacy issues; many workers were given a budget and told to avail themselves of a laptop,” says Sumit.
He adds that such improvised interventions don’t ensure the same level of security as that offered by the employer or provided in the office workstation. Likewise, the concept of secure work areas at home is not a realistic one for most of us who live with families, flatmates, or strangers in the coffee shop peering over our shoulders.
Revaluate privacy
The hybrid work model has changed the privacy game as well. It means that companies have to re-evaluate how data privacy is enforced amid the new normal in 2022.
Yashovardhan adds that companies must invest in privacy-enabling technologies to keep their networks secure and protect the privacy of their employees. The use of VPNs should be encouraged, as sharing confidential data on a public network can be a data-privacy nightmare.
“Companies must also understand the significance of encryption to prevent data breaches and the use of encrypted devices and software must be preferred at all times. Individual awareness about the potential harms of data thefts and the importance of securing one’s personal data is equally important. Organisations must work towards fostering privacy hygiene amongst their employees by sensitising them about important data security practices like using licensed antivirus software, keeping their operating systems updated, using strong passwords, enabling two-step verification, and creating backups using encrypted software only,” he explained.
He adds that a robust data protection framework is crucial for strengthening India’s cybersecurity, which is directly linked to the information privacy of citizens and our digital economy.
The problem, however, arises when people don’t even realise the importance of data privacy. Debayan Gupta, Faculty of Computer Science, Ashoka University, believes most people are unaware of the value of their data.
Adding to this, Yashovardhan says, “With the pandemic leading to a global shift from physical to digital spaces, data privacy has become indispensable for cybersecurity and user privacy. Digitisation is accelerating at an unprecedented rate. From the emergence of new technologies like blockchain to the rise of telemedicine, edtech, ecommerce and online communication infrastructures, data lies at the foundation of the entire digital ecosystem.”
“A lot of your data, like a scan of a college ID card or medical insurance number, can sell for surprisingly large amounts,” says Debayan.
Human or a bot?
Adding to this, Sumit Srivastava, Solutions Engineering Manager, CyberArk, says it’s not just humans who are susceptible to clicking on the wrong link or are perhaps a little too cavalier about what they share about themselves online; software bots make mistakes as well.
Software bots are little pieces of code that are designed to do repetitive tasks. They are used in huge numbers by organisations around the world in sectors such as banking, government, and all other major verticals. The idea behind having bots is that they don’t just free up human resources for business-critical, cognitive, and creative work, but also help to improve efficiency, accuracy, agility, and scalability.
They are a major component of a digital business.
“The privacy problem arises when you start to think about what these bots need to perform their function. A lot of the time it’s about access: if they gather together sensitive and personal medical data to help doctors make informed clinical predictions, they need to have access to such data. If they need to process customer data stored on a public cloud server or a web portal, they need to be able to get to it,” explains Sumit.
He adds that when humans get compromised, it happens at an individual level, but when bots get compromised, it happens on a large scale.
“If bots are configured and coded badly, they can access more data than they need to. The output might be leaking that data to places where it shouldn’t be. Likewise, we hear about insider attacks and humans being compromised to get to sensitive data virtually every day. Machines have the same security issues; if they can access sensitive data and they aren’t being secured properly, that’s an open door for attackers – one that can put individuals’ privacy at risk,” he adds.
What can be done?
There is no single answer or solution that can guarantee online security and privacy, but here’s what helps:
- Cyber awareness and “what to do”: Just like healthcare basics (getting cut with a wooden splinter vs a rusty nail: what to do), “cyber care” basics also need to be taught and practised. In some cases, just changing a password may not be sufficient; having some phone numbers memorised for emergencies is also important.
- This applies at organisational levels as well. An organisation should have a plan for what to do if something happens: say, a data leak where the private details of customers are leaked. Bad things will happen from time to time – but an organisation that has a clear plan of action will do much better than one that is merely reactive. Most organisations, even big ones, don’t have this – do they need to hire outside counsel? Can they release logs to the police?
- Cyber hygiene: Continuing the comparison with healthcare, there are many things one should practise in daily life to have good “hygiene” on the internet: not using critical passwords (e.g., bank) elsewhere, having 2FA, etc.
- High-level government legislation can ensure standards and fair practices, along with mechanisms to track and punish new kinds of crimes.
“India must legislate a strong and progressive data protection law at the earliest in consonance with the global standards to secure our digital economy, and ensure optimum protection of the personal data of Indians,” says Yashovardhan.