23 Apr Cyber Risk and Compliance – Relocation Industry in India – An IKAN Advisory
In 2019, Indians lost 1.2 trillion rupees to cybercrime, and according to a survey about 70% of Indians are worried that their identity may be stolen. India recorded 131 million cybercrime victims in 2019, compared to 350 million worldwide. Four in ten consumers in India have experienced identity theft, and 63% of such cybercrime victims were impacted financially.
Cyber Risk in India
Cyber Risk is real and it is here to stay. Indian companies need to invest more to ensure protection for their customers. Traditionally Indians have not considered Cyber Risk a major threat and even if they did, it has taken a lower priority due to the absence of proper laws and an effective legal system.
Within our relocation industry, we see a considerable transfer of information and data. It is recommended that all relocation service providers invest in and ensure the bare minimum compliance when it comes to data security and protection of confidential information, especially because our legal system is not geared up. Hence, data recipients should and must:
- Adhere to a comprehensive security policy and procedures for handling confidential information that addresses secure methods for processing, transmitting and storing confidential information.
- Not disclose confidential information to third parties.
- Ensure all systems that contain confidential information are identified.
- Ensure information classification and handling procedures are implemented. These procedures must include labelling and handling techniques for electronic and paper documents that contain confidential information.
- Ensure that all employees who handle confidential information are properly trained to secure information while it is being processed, transmitted or stored.
- Conduct background checks on all employees and contractors who will be handling confidential information.
- Ensure all employees and contractors sign non-disclosure and confidentiality agreements.
- Ensure all employees and contractors receive at least annual security awareness training.
- Ensure that actions of employees and contractors who have access to confidential information are monitored and logged.
- Ensure access is removed immediately when employees and contractors who have access to confidential information are terminated.
Compliance tips – raising the bar
In 2014, an IKAN employee actually downloaded the entire database of our clients and handed it over to a new entrant relocation company. Our clients were exposed and their personal data was now in the hands of another. Information like passport numbers, visa numbers, date of birth, family member details and visa expiry information had been handed over. In today’s tough climate of data protection, such an incident could be a death knell for any company.
IKAN learnt its lesson and invested heavily in data protection and cyber security. In fact, in 2018, IKAN ploughed back its entire profits into putting up technology that would ensure protection of our clients' data.
IKAN invested in DLP (Data Loss Prevention) tools to ensure that sensitive data is not lost, misused or accessed by unauthorized users. DLP also provides reporting to meet compliance and auditing requirements, and helps identify areas of weakness and anomalies for forensics and incident reports.
IKAN also put into place a VPN (Virtual Private Network), which is an encrypted connection over the internet from an independent device to a server. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely, a perfect solution for a work-from-home environment.
Hence, I am pleased to offer some tips to my fellow members of the industry. Those who conform to them would be able to stand head and shoulders above their competitors.
- Take note of GDPR requirements and create processes in accordance with them.
- Appoint Data Protection Officers.
- Purge data periodically.
- Use shredders in the office.
- Keep the desk clean and never leave confidential and proprietary information lying around.
- Protect whistleblowers.
- Secure a Global Quality Seal.
- Create and implement a Data Integrity Policy.
- Create and implement an Anti-Fraud Policy.
- Create processes for protection of the personally identifiable information of your clients.
- Secure ISO 27001 certification.
- Invest in a secure database management system and protect the servers storing the data.
Client data protection controls are very important, and in the process your own personal data will also be protected and be least vulnerable to external attacks.