The Reserve Bank of India (RBI) slapped a whopping fine of INR 5.39 crore on one of India's well-known banks in October 2023 for not complying with the standard RBI guidelines related to KYC norms. The organization also failed to report cyber security breach incidents in time.
Post-investigation findings: After thorough scrutiny headed by compliance investigation officials, it was found that there was no adequate record of end-user activities. The bank failed to produce enough evidence that it was continuously monitoring IT tasks and transactions in a way that could identify and raise red flags for suspicious IT sessions. There were no proper mechanisms in place for audit and reporting.
Another massive cyber incident surfaced in April 2023 in India, where the police department of one of the southern states busted a gang of cybercrooks that had compromised the data of 66.9 crore individuals and put it up for sale. The data, from 8 different cities, 24 states and 104 categories, was illegally held by malevolent actors operating from some other city in India.
The stolen data also included GST details of persons and companies, and the consumer/customer data of major organizations such as road transport corporations of various states, major e-commerce portals, social media platforms and fintech companies.
Post-investigation findings: According to police officials, there was unauthorized access to databases that included personal information. From the official databases of various organizations, the bad actors compromised the personal details of millions of customers and users. The police served notices to over 11 different organizations, including banks, a social media giant, an IT services company, an online insurance platform and others.
A healthcare company in Mumbai, India suffered a fraud of INR 2.25 crore in October 2023, when an international hacker posing as a corporate communication manager sent a phishing link to the company’s owner. Instead of being cautious, the victim unfortunately clicked on the link, and Rs 2.5 crore was stolen from the company’s cryptocurrency wallet. It has been observed that despite repeated warnings against clicking on unknown links, users fall prey to data breaches.
Post-investigation findings: The owner of the organization, the victim, lodged a complaint on the cybercrime portal to report the offence. Police probing the case said that the complainant’s wallet was hacked through a phishing link and that the suspected scammer used advanced tools to execute the cybercrime.
Lessons learnt from the above cyber incidents
None of the victim organizations gave enough importance to compliance mandates, which jeopardized them and exposed them to cybercrime. Regulatory bodies demand strong IT practices around password management, user authentication and authorization, as well as mechanisms to detect anomalous activities, including audit and reporting, to stay protected from constant IT threats. Regulatory bodies also expect organizations to give their workforce adequate education on looming cyber risks and how to avoid them.
The regulators' primary and larger objective is to ensure that government and business organizations maintain data integrity, data privacy and data confidentiality.
Today data is widely distributed in hybrid ecosystems and co-exists across on-premises data centers, multiple cloud platforms and managed service environments. This evolving IT infrastructure has put data at grave risk from compromised insiders, suspicious third parties and organized cyber criminals. This is exactly what went wrong in the above incidents. Typically, inadequate IT security measures or half-baked policies play the spoilsport.
What went wrong in the above incidents?
Incident 1: The RBI (Reserve Bank of India) issued guidelines in its “Cyber Security Framework” circular in 2016, in which banks are asked to remain audit ready with the help of advanced real-time threat detection. Regular, automated reports on end-user activities help banks detect and identify any kind of anomaly in the IT infrastructure. In a nutshell, the RBI demands a strong Identity and Access Management framework. Had the organization implemented the RBI guidelines, it could have averted the IT incident.
Incident 2: Prevention of unauthorized access is one of the top requirements mandated by most regulatory bodies and IT standards. This incident shows that all the 11 organizations should have had stringent mechanisms to detect and identify unauthorized access or any anomalous activities in their IT infrastructure. Protecting citizens’ data in an increasingly digitized world is getting more challenging every day, and the new DPDP Act is a step in the right direction.
The new DPDP (Digital Personal Data Protection) Act, announced recently by the Government of India, emphasizes “strong protection” of personal data irrespective of industry and organization size. It takes an integrated approach to data protection without differentiating by how sensitive the personal data is, hence safeguarding all data at the same level. Once the act is applicable to Indian organizations, the country will witness fewer similar incidents in the coming days for sure.
Incident 3: The global compliance standard HIPAA (Health Insurance Portability and Accountability Act) requires the healthcare industry to build a centralized policy framework so that it can enforce data security measures, stringent access control mechanisms and audit trails. It also demands security threat alerts and risk analytics to prevent anything anomalous. Had the organization been abiding by the policy standards, there would not have been such a disaster.
Moreover, inadequate training on the dos and don’ts of cybersecurity also triggers such incidents. Amid increasing cases of phishing and malware attacks, users need to refrain from clicking links received from unexpected, unknown or uncertain sources. This minimizes the risks to a great extent.
How to minimize the risks of cybercrime?
Robust Identity and Access Management is a must
Data is omnipresent and ever-growing. It is the biggest asset to ensure business expansion and continuity but is also vulnerable to breaches, espionage, or other security threats. It requires a robust access control framework, well-defined IT security policy and strong governance of identities that are frequently accessing the data assets for several reasons.
An enterprise-class Identity and Access Management (IAM) solution remains a top priority for organizations to ensure security control, manage the identity lifecycle and streamline overall access control frameworks. Regulatory compliance guidelines help organizations to build an unambiguous IT security policy. In fact, organizations can have effective IT security policies that manage, control, and monitor end-user accounts, conduct regular audits, and revoke elevated rights on time if any anomalous activity is found.
Given these technology challenges, the ARCON IAM solution enables an organization to take control of the management and monitoring of all identities, so that it consistently complies with the access control requirements of regulatory standards.
- It helps IT administrators to administer and govern digital identities as the number of end-users in an IT environment gradually increases.
- It can address the problem statements by automating the end-users’ identity lifecycle management through provisioning and de-provisioning of end-users.
- It offers an intuitive workflow matrix and provides role- and rule-based access to every critical system/application.
- It authenticates every access with multi-factor authentication and monitors the activities seamlessly after allowing access.
- It helps administrators to identify users who are deviating from the baseline policies and provides detailed analytics of end-user activities.
Adhering to compliance mandates helps organizations to steadfastly build a proactive security framework.