India's Unique Culture Affects Cybersecurity Issues


By Amrit Dhillon

Dec. 11 — Although many of the cybersecurity issues facing India resemble those found in other countries, analysts say there are some aspects unique to India of which foreign companies operating there, particularly those with employees in country, need to be aware.

India's culture, laws and attitude of ordinary Indians towards the confidentiality of information may surprise companies seeking to bolster privacy and data security measures in line with other countries, analysts told Bloomberg BNA.

Making generalized statements about a country that hold true for more than 1.2 billion unique individuals and untold thousands of companies isn't truly possible, but local security professionals say that generally in India, there is:

• a casual attitude towards private information;

• little awareness of intellectual property rights;

• no dividing line between the personal and the public;

• a lack of regulatory oversight;

• the misperception that security risk is external, not internal;

• a lack of compliance; and

• low investment in security technology.


Casual Attitude Towards Private Information 

Privacy isn't paramount in anyone's mind in India, from the ordinary citizen to government ministers. For foreign companies this represents a challenge in that they have to realize the behavior of employees will be different from what they are accustomed to.

“They can't change the way Indians instinctively behave and live but they do need to work on changing the behavior of employees in the workplace so that they stop disclosing private information,” Sivarama Krishnan, a partner at PricewaterhouseCoopers LLP Risk Advisory Services, said.

Information that in the West is seen as private isn't seen the same way in India, where information about one's health, income, investment, and family details are openly and easily shared. Strangers on a train often share private information about salaries and investments.

Cabinet ministers, doctors and chief executive officers easily share their mobile numbers. In shopping malls and restaurants hackers buy information from vendors who collect phone numbers, addresses and e-mail addresses. It is easy for them to get access to data in housing directories for a price.

Little IP Rights Awareness 

India is the fourth most targeted country globally for phishing attacks, according to a report by information technology services company EMC Corp. In 2013, Indian companies lost around $53 million due to phishing scams with the country facing over 3,750 reported phishing attacks in July-September alone, according to EMC.

Intellectual property rights aren't well understood, with piracy widely regarded as acceptable: people copy products, services, ideas, codes, information from websites and even the plots of Hollywood films, virtually frame by frame, without expecting any repercussions. This casual attitude makes Indians inadvertently susceptible to phishing attacks on companies.

A recent PwC report on cybersecurity found that almost 38 percent of corporate respondents claimed to have suffered a loss of “hard” intellectual property, which included strategic business plans, deal-related information and sensitive financial information.

Abbas Goddhrawal, Ernst & Young Advisory Services senior manager, said that the executives of companies that don't process or maintain customer credit card data or personally identifiable information tend to think they are safe. “They do not fully understand the severity of cybersecurity threats to their intellectual property and proprietary information such as product designs, source code, pending patents, formulations, manufacturing process instructions and procedures, research and development results and analysis, exploration data,” Goddhrawal said.

“The proprietary information they risk is customer lists, pricing, cost and sales information, pre-released financial results, merger and acquisition information, third-party contracts and bid plans.” Therefore, the risk of being compromised is high among companies that have a lot of intellectual property at stake, such as life sciences, retail, and defense companies, he said.

Personal v. Public Blurred 

Personal versus public space isn't clearly separated in India, analysts said. They merge and mingle. Consequently, people frequently put out personal information about themselves—on social media and job searching sites—that can be misused.

“The inability to differentiate between what is work-related information and what is personal means that even senior people unintentionally reveal information about themselves—their movements, the hotels where they are staying, the projects they are working on when they give their profiles—that can be used by competitors,” Prasanto K. Roy, the head of media at Trivone Digital Services Pvt. Ltd., said. This kind of personal information should not be in the public domain, he said. 

A tremendous amount of competitive business intelligence can, therefore, be found in the public domain because many Indians don't separate business information from personal information, he said.

Krishnan said that “the lesson for foreign companies is that they need to recalibrate how they use technology here, recalibrate how much effort needs to go into making Indian employees aware of the need for secrecy and caution and need to spend more on technology that may be intrusive but is needed to protect their data, i.e. technology which allows them to monitor their staff and what they are doing on social media or on job portals, etc., so that you can detect misbehaviour and correct it.”

Mumbai-based independent cybersecurity lawyer Prashant Mali said raising public awareness about privacy and confidentiality is an urgent need. “The government needs to allocate a budget for mass cybercrime awareness in the country and this should be in vernacular languages too to reach rural India,” Mali said.

Lack of Regulatory Oversight 

One of the biggest gaps in cybersecurity and data protection in India is a lack of regulatory oversight, analysts said. In places all over the world with stronger cybersecurity regimes, it is regulators who have promoted awareness and pushed for compliance and disclosure, they said. But in India there is little enforcement.

Despite an amendment to the Information Technology Act requiring security breach reporting (209 PRA, 11/2/09)(8 PVLR 1574, 11/2/09), the provision hasn't been enforced because there is no enforcement mechanism in place, analysts said. Companies don't bother complying, out of fear that their reputation and valuation will be damaged. 

Security Risk Misperceptions 

A widespread perception exists among company management that the risk is only external, not internal, and that a company's employees could not possibly harm the company. Experts say this belief is rooted in a culture that places a greater premium on trust and personal relationships than on contracts and rules. Nor is there much awareness of the possible risks from employees once they have left the company, either because of what they might do as individuals or what they might do if they are poached by competitors.

Lack of Compliance 

Many companies in India are very enthusiastic about gaining international certification for information technology best practices and security and privacy standards—such as ISO 9000—but many fail to then actually comply with these standards.

“India represents the second largest level of certification after the U.K., but these companies do not comply with the standards,” Krishnan said.

“Our society is not compliance-inclined. We tend to take short cuts. We circumvent processes. So companies have the standards certification but they do not comply. They don't even get the technology to enable them to comply,” he said.

Low Investment in Security 

The PwC report found that the average information security budget in India has increased by approximately 25 percent over the last five years. Its author, Krishnan, said that the growth rate isn't as impressive when one considers that the base it was growing from was very low.

“Overall there is a low use of technology for security and the result is that companies don't even know what is happening inside their offices because they haven't got the technology to detect lapses,” he said.

To contact the reporter on this story: Amrit Dhillon in New Delhi at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com