India debit card hack aftermath—will transparency set in?

The RBI might have mandated the disclosure of hacks but why did it take so long to reveal this breach and why are the banks still not acknowledging it?

Rudra Murthy K G Oct 21st 2016 A-A+

Data breaches are a given in the industry and the reaction to a breach – both proactive and reactive – is what really matters. Instead of getting worried about reputation or losing faith, companies need to learn all the possible areas of vulnerabilities at all levels, from policies to technical, and work around the challenges faced.

There are certain things you learn over a period of time which should set the premise for the future. Right now, as a CISO, I think what we need to learn from this particular breach is how to make such disclosures transparent to one’s customers and respective regulatory bodies and this has to come out as a policy.

The first question that needs to be answered is, how did this compromise take place for various banks? This reveals that there is a common vulnerability exploited by the attacking community. If only one bank had experienced this attack, you can blame its particular framework, but when it has happened to multiple banks, one has to look at the framework of the sector as a whole. Most of the reactions to these breaches are reactive without any real time monitoring or security processes.

In this particular breach, the affected person in this particular breach is the common man. The requirement at hand is to bring in security controls to frame the ways to validate card transactions by moving onto something more secure like biometrics.

When it comes to prevention, the current market looks sloppy. While research on cybersecurity and strategies to tackle hackers are undertaken by OEMs, they are still not as fast and advanced as the attackers.

One has to be sensible when it comes to handling a breach of this kind. It is surprising to see that a few of the banks allegedly affected are not even ready to acknowledge or disclose their flaws. This can happen only when there is an absence of a strict policy from the regulator.

The factor of losing face or reputation being affected by a hack exists at all scales – from an individual to a business, and banks are no different. If there are set laws in place where disclosure is mandatory, which bank would take it for granted and not comply?

To be secure, support has to come from all layers, especially at a mature level from the management. While the IT and the security teams may be the executioners, the management is the one responsible for any data breach.

Rudra Murthy K G is an accomplished IT and security evangelist with diversified leadership experience in strategizing, architecting and executing IT and information security services. Currently, he is the CISO of the Digital India Program and is also a part of the CSO Online Advisory Board.

As told to Saheli Sen Gupta.