The panel revolved around a discussion on the recent CERT-IN notification regarding containing and reporting security breach incidents. An important topic addressed in this panel revolved around the timeframe for reporting breaches. CERT-IN has observed that for most organizations, there is a serious lack of awareness with regards to auditing, logging and monitoring security events. Organizations wrestle between different authorities before reporting any incident thus delaying the investigation process. Citizens lack awareness while renting out their properties and fail to take the necessary precautions when leasing out their network connectivity.

The collaboration at the banking level especially during the pandemic was a great example for other industries to follow. The support received from NPCI (National Payments Corporation of India) with regards to disseminating the threat intelligence information among banks can be extended to other industries as well. The CERT-IN notification can serve as a useful step in this direction. However, it is important that organizations become aware of the threat lifecycle and ensure to report the incidents in a timely manner. Any lack of synchronization or delay in capturing the logs even by a few seconds may prove to be a major hindrance in the investigation process.

Questions revolved around the reporting time of incidents which CERT-IN has mandated to be within six hours. Data privacy incidents may be reported within seventy-two hours but organizations need to give immediate attention to data security breaches and reduce the incident reporting time. It also becomes crucial for organizations to include different scenarios in their BCP-DR (business continuity and disaster recovery) policy, for instance, how an organization would ensure business continuity despite the fact (a) that they are no more connected to the Internet world, (b) the undersea cables are cut and (c) they receive no updates on threat intelligence from any nodal agency or other industries.

The intent is to get every industry to collaborate and share information ensuring that no one is coerced to get things done. The panelist from the services industry appealed CERT-IN to improve their vendor-selection process for their consulting projects. On the other hand, the panelist from the banking sector brought to light the challenges faced when reporting incidents where multiple vendors and regulatory bodies are involved.

It was concluded that India needs to forego the complexities and report security incidents in a timely manner irrespective of the entity (client-vendor-user) identifying it first. This will help CERT-IN to respond to and mitigate cyber threats in an effective way.

Watch the Panel Talk