Even though the Indian Computer Emergency Response Team’s (CERT-In’s) norms aren’t clear yet, enterprises must up their cybersecurity game. Enterprises must continuously train their employees on the right security practices as well as adopt cybersecurity tools. This is a must if enterprises want a bright and secure future.
CERT-In’s guidelines are coming: What enterprises need to do
Cybersecurity is one of the most pressing issues of this decade, which is why every country now has a Computer Emergency Response Team (CERT) in place to deal with breaches and cyberattacks.
The Indian Computer Emergency Response Team’s (CERT-In’s) norms have raised quite the ruckus among enterprises and users alike. The norms were first announced back in April this year; in June, the deadline for complying with them was pushed to September 25.
While the security community appreciates the Indian government finally taking an interest in cybersecurity legislation, there are some crucial challenges with the CERT-In’s norms too.
For example, the rules require companies to report security incidents within six hours of becoming aware of them. They also have a broad definition of security incidents, which can at times make businesses liable for not reporting incidents as simple as a poorly conducted phishing attack. There’s also the rule that makes it mandatory for virtual private network (VPN) service providers to store user information, monitor their usage, and maintain servers within India.
These rules have been resisted extensively by tech giants such as Facebook. Industry bodies, both Indian and foreign, have also opposed them. For example, in May, a letter signed by some 11 industry bodies from the European Union, the United Kingdom and the United States raised concerns over the six-hour timeline, what it called an “overbroad” definition of reportable incidents, and more.
The signatories include large and powerful industry bodies like the Bank Policy Institute, the US Chamber of Commerce, the US-India Strategic Partnership Forum, the US-India Business Council, and more. The letter also calls the CERT-In’s rules “onerous” in nature.
Businesses Must Up Their Cyber Game
Even though the future of the CERT-In’s rules might not be clear for months, enterprises can and should take steps. It’s unlikely that a change in the rules will see all of the compliance norms dropped. In fact, with India’s National Cybersecurity Policy being in the works for over a year now, it’s good form for all companies, irrespective of their size, to adopt security-compliant products.
It’s highly recommended that enterprises today adopt security platforms that provide wide coverage of threats, including ransomware, backdoors, distributed denial of service (DDoS), SQL injection, cross-site scripting attacks, and more. They should also seek tools that offer indicators of compromise (IOC) and indicators of attack (IOA), which enable early detection of compromises.
Going deeper into the issue, there are other kinds of security capability that should be in place. For instance, tools that support Trusted Automated Exchange of Indicator Information (TAXII) allow seamless sharing of cyber threat information across an enterprise’s products, services and even organizational boundaries.
Employee Cyber Education a Must
No matter what tools enterprises adopt, a key ingredient of true compliance with any country’s CERT guidelines is employee education. Enterprises must continuously train their employees on the right security practices, ways of recognizing phishing emails and messages, etc. Even the best cybersecurity tools can’t protect against a hack if users (in this case the employees) aren’t responsible enough.
A recent Indeed survey has found that enterprises continue to prioritize cybersecurity talent when it comes to recruiting. The COVID-19 pandemic fast-tracked the requirement for robust cybersecurity practices as companies became remote, more devices were online, digital payments were rising and security issues were at an all-time high. Indeed shows that job postings for “cybersecurity” grew 81% between August 2019 and August 2022.
Consumers Want Cyber Secure Companies
According to recent ISACA research, there is a growing sense of hopelessness among consumers who think nothing can be done to protect them from cybercrime. The international study of more than 3,000 consumers across the UK, Australia, US and India found that 41% of consumers in India have had their personal information stolen by cyber criminals. Also, 40% of consumers in India stopped doing business with a company known to have compromised on cybersecurity, something companies must heed as they progress.
Security firms like Vehere and CrowdStrike offer a host of policy-compliant security products, which can not only provide early notifications for cyber incidents, but also keep a log of such incidents.
Recently, Cloudflare, a cybersecurity company, launched Post-Quantum Cryptography support for all websites and APIs served through its network, overnight enabling support for post-quantum cryptography on nearly 20% of the Internet.
It also announced the first zero trust SIM for mobile devices to better secure enterprises’ corporate networks and protect employees. In addition, Cloudflare and Yubico have collaborated to create an exclusive solution to help end phishing assaults and make them more accessible to millions of customers.