nprotected servers were mainly behind some of the biggest data security breaches at Indian companies last year, an analysis by ET shows, imposing significant monetary as well as other costs on enterprises. More than 3,13,000 cyber security incidents were reported in the country in 2019, the Computer Emergency Response Team-India (CERT-In), the country’s nodal cyber security agency, said last week.
SBI, JustDial, Airtel, Kudankulam Nuclear Power Plant (KKNPP) and Indian Space Research Organisation (Isro) fell prey to some of the biggest cyber hacking incidents last year, while startups like Nykaa Fashion, Bounce, Vedantu and Oyo, too, saw attacks that exposed consumer data.
A company, however, risks much more than just monetary loss after a breach, experts said.
“While many believe that the most fateful consequence of a data breach is financial loss, the after-effects go beyond revenue impact,” said Mini Gupta, partner — cybersecurity, EY. “A data breach can put customer trust at risk… Such breaches may also impose legal liabilities and penalties upon the affected organisation along with the loss of intellectual property,” she added.
The cost of response mechanisms — such as detection and notification processes that need to be activated — are also high, while company share prices are likely to drop along with revenue, impacting overall brand value, Gupta pointed out.
Companies also face challenges in onboarding new customers after such cyber security incidents. Moreover, the data breaches are not limited to an organisation’s data alone, but may also extend to other organisations that it has access to, Gupta said. In the past six years, the global average cost of a data breach has grown by 12%, totaling $3.92 million per breach in 2019, according to the Cost of a Data Breach report by the Michigan-based Ponemon Institute and IBM Security.
On their part, ethical hackers have criticised domestic internet-consumer companies for what they say is a lack of bug bounty programmes following reporting of cyber breaches. “India has the maximum number of bug bounty hunters today, but it still lacks the basic policies,” said Avinash Jain, lead security engineer at Grofers, who found a bug in the IRCTC system that exposed data of around 2,000,000 rail passengers in 2018.
“The first challenge that these professionals face is, after finding a bug most companies do not have a process of where it is to be reported. Secondly, these companies don’t reward these practices unlike global firms, which is demotivating,” Jain said.