Small businesses rely heavily on third parties; must safeguard amid concerns over outsourcing | Interview

Sandeep Soni

Even as India saw the second-highest number of cyber attacks, with almost 76 per cent of organisations hit by such attacks in 2018, according to a report from the Data Security Council of India (DSCI) this year, small and medium-sized businesses are also increasingly being targeted. The share of SMBs reporting data breach cases rose from 46 per cent in 2018 to 48 per cent this year, as per a Kaspersky report. Moreover, micro-enterprises also saw such instances increase from 30 per cent to 36 per cent between 2018 and 2019 so far. While small businesses are gradually becoming aware of digital risks, there is still a large chunk that needs to be cognizant of them and take appropriate steps. Munjal Kamdar, Partner, Deloitte India, who looks after enterprise and third-party risk scenarios, elaborates on the challenges small businesses face with respect to their digital security, cross-border data flow, and more in an interaction with Financial Express Online.

Small businesses tend to outsource non-core tasks. However, do you think there is a concern in doing so? 

They are focusing on growth and innovation, and to manage them, companies are outsourcing a number of tasks they consider non-core. This helps them focus on core business and grow. Businesses are also focusing on partnering with a set of organisations in order to innovate, since you require an ecosystem to adopt the innovation. However, there is an issue around data privacy about employees, citizens, bank customers, telecom customers, whose data gets outsourced.

Now if you put all of this together, the perception you will see is that outsourcing has become a major concern. Outsourcing, the way it is looked at, is only a vendor relationship, but vendors are one part of it. Your customers, through digital channels, participate very effectively. So, your dependence on organizations beyond your own core company itself has become very, very high. In fact, a lot of companies have employees on contracts. So small businesses' reliance on third parties is very high, and that's the reason they need to be safeguarded; also, they don't have the resources to secure themselves very well, which makes them very vulnerable.

With cross-border data flow and third-party risks involved, do you think SMEs understand their significance?

According to one of our surveys, 50 per cent of organizations' objective is to reduce the number of third-party incidents they have. That is the core objective. 83 per cent have experienced a third-party incident in the last three years while less than 30 per cent of organizations have invested enough in extended enterprise risk management. This shows how important this is for organizations.

With respect to cross-border data flows, as an offshoring hub, India itself is in the process of implementing more strict data-related laws. Also, the Government of India believes that payment information related to Indian customers should remain in India. However, the threat landscape has become global. If I want to rob a bank in the US, I don’t need to be in the US. Organizations — clients as well as service providers — understand this and also that the data is the new oil. Now, they’re becoming much more attuned to cyber threats, other than information, security threats, and building mechanisms to protect data. That is the impact that you’re seeing in terms of cross-border data flows and the adoption of global best practices.

How do you see this entire argument around data localization?

There’s no easy answer to that question since there are various stakeholders with different objectives. From a basic digital data perspective, the whole idea of the internet is to make data accessible anytime and why should anybody interfere with this? That is one view of the topic. From the regulator's perspective, there are two issues, one is how to minimize attacks that can happen from anywhere. You cannot ensure 100 per cent prevention. I don't want to speak on behalf of the regulator but I see such reasons driving data regulations across India and other countries. Moreover, one of the motivations to do that would be to create jobs in India as managing data requires analytics skills and also helps the government generate revenues.

SMEs are usually not aware of digital security. They see their emails, websites not working but they don't realise the hack. So, awareness is still an issue.

Yes, awareness levels need to improve. Mostly, small businesses tend to use shared infrastructure, shared email IDs instead of having their own corporate email ID in the first place, etc., because of high scale issues, and so on. However, this is changing. A number of, let’s say, businesses in financial services, which are most prone to outsourcing, offshoring, partnerships etc. because it’s always a digital service, at least the more progressive banks have taken a lead in increasing their security posture, awareness, ability to prevent themselves from getting hacked and also extended this to their ecosystem partners.

Interacting with small businesses, what are the key challenges you realised they face, or areas they lack in?

First, they have low awareness of the type of work they are performing for their various clients, their partners and the indication of risk and safeguards that need to be in place. They don't comprehend that fully. Second, their lack of ability to frame their policies to define what is acceptable to them and communicate it to their clients, partners, vendors etc. Third, their ability to understand the changing nature of risk as they adopt new technologies is also missing. And finally, the foresight and the view of what and how much they should be investing in their security posture. So those are the challenges we normally hear from small businesses.