When a cyber crime is reported in India, the first reflex of the police is to impound the computer in question. The motherboard is treated as hard evidence and is dumped at police stations just like motor vehicles or murder weapons seized after crimes. Nothing wrong with the drill per se except that a CPU has very limited value in cases of cyber security breach. Rather than pieces of hardware, the real clues come from data footprints on the World Wide Web, for which neither our police nor prosecutors seem prepared. India has a robust legal system and independent judiciary but it is a long way from establishing the rule of law on the Internet.
Very few FIRs are registered and hardly any figures of financial losses are disclosed to the media. But a significant drop in the industry’s growth rate is surely due to security reasons. India’s unsafe security environment could be costing its BPO and ITES industry more than $500 million annually by conservative estimates. According to Forrester Research, the Indian industry is losing up to 30 per cent of its growth rate due to reasons like data leakage and unsafe ethos.
The safety of private customer data is central to offshore outsourcing industry. The graphic below shows the most vulnerable points in the cyber network used by banks, finance companies and a variety of other service providers. Customer credibility and faith are built over time but leaving nothing to chance, the bigger foreign clients want to see high levels of compliance with global security certifications such as BS 7799, SAS 70 or ISO 17799. They also want a strong legal framework because with increasing threats and vulnerabilities, the benchmarks for control requirements are constantly moving up.
The issue of data security is equally crucial for India’s growing e-commerce. Last year, 33 per cent of airline tickets were bought online. Banks also reported unprecedented rise in on-line trade of mutual funds, insurance and depository services.
According to Euromonitor, the number of Indians using debit cards grew from 0.25 million in 1999 to 28 million in 2004. Today the total number of cards in circulation is over 50 million with Rs 1,000 billion in transaction value. Obviously Indian customers are getting addicted to online spending with very little idea of issues of personal data security. The story below left explains how increased awareness about technology use and timely interventions can minimise the risk of security breach.
A study by Carnegie Mellon University in 2004 found that when it comes to perceptions of individual identities, the Indians are largely stuck in the physical world. For example, the concept of privacy to most Indians pertains to physical territories such as personal or living spaces. To Americans, in contrast, privacy means above all protection of their information and identity.
The study maintains that the choices people make in daily life are influenced by the ‘mental models’ they use to interact with the real world. Since the ‘mental models’ are different for societies living in different stages of technology use, transplanting foreign laws can never yield instant results. A new and comprehensive legislation will help only when the investigating and enforcement agencies are trained and technologically empowered to deal with cyber security issues. The private sector will also have to adopt an identity management approach to business with much higher levels of verification and access control.
This means that India will have to evolve, through trial and error, its own legal and security culture for the virtual world.