NEW DELHI: Lack of strong data protection and privacy legislation makes India highly vulnerable to data breaches related to personal information, according to digital network solution firm Verizon.
"Specifically with respect to India, the threat of PII (personally identifiable information also called sensitive personal information) data breaches looms large due to lack of a strong data protection and privacy legislation," Verizon Enterprise Solutions, Managing Principal for APJ, Ashish Thapar said.
The company today released its Data Breach Investigations Report (DBIR), which found that social engineering targeting personal information, which is then used for identity fraud, is high in the education segment.
"Highly sensitive research is also at risk, with 20 percent of attacks motivated by espionage. Eleven percent of attacks also have 'fun' as the motive rather than financial gain," the report said.
Thapar said that with the hyper increase in e-commerce and e-governance transactions, and the rate at which broadband and 4G penetration is increasing in India, other threats such as phishing, pretexting, ransomware, cryptojacking, botnet infections and DDoS have become all the more worrisome in today's scenario.
The DBIR said attacks using ransomware, malware which locks computers and frees them after getting money, have doubled since 2017 and now target business-critical systems.
"Ransomware attacks are a key cybersecurity threat for global organisations. It is the most common type of malware, found in 39 percent of malware-related data breaches, double that of last year's DBIR, and accounts for over 700 incidents - India is no exception to this trend according to our investigation caseloads," Thapar said.
According to the report, the human factor continues to be the weak link in cybersecurity breaches, with employees of companies still falling victim to social attacks.
"Financial pretexting and phishing represent 98 per cent of social incidents and 93 percent of all breaches investigated with email continuing to be the main entry point (96 per cent of cases).
Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education," the report said.
It further said that while on average 78 percent of people did not fail a phishing (misleading e-mails, website links, etc.) test last year, 4 percent of people do for any given phishing campaign.
"A cybercriminal only needs one victim to get access into an organization," the report said.
It said that one security breach can have multiple attackers, and the study by the company found that 72 per cent of attacks were perpetrated by outsiders, 27 per cent involved internal actors, 2 per cent involved partners and 2 per cent featured multiple partners.
"Organised crime groups still account for 50 percent of the attacks analysed," the report said.