CERT-In’s new directives: A security strategist’s perspective

One can’t deny greater digital maturity that organisations have achieved in past three years. From widespread cloud adoption, emerging technology use cases to application modernisation among other areas, there has been an accelerated uptake of digital solutions, but cybersecurity remains a concern – in fact, a growing one. According to India’s nodal cybersecurity agency CERT-In, the country witnessed over 14 lakh cybersecurity incidents in 2021. The number is alarming, but the silver lining is that firm efforts are directed towards curbing these incidents.

CERT-In’s latest directives, much talked about among IT leaders and the CISO community, aim at strengthening the cybersecurity posture of enterprises in India. There are 3 major ways these directives strengthen cybersecurity readiness of enterprises, service providers, intermediaries, data centers and government organisations.

Eliminating time discrepancies
CERT-In has mandated synchronisation of ICT infrastructure with Network Time Protocol (NTP) servers of the government’s IT organisation National Informatics Centre (NIC) or National Physical Laboratory (NPL). It has also allowed organisations to connect to Network Time Protocol servers that are traceable to those of National Informatics Centre or National Physical Laboratory.

Syncing of ICT system clock essentially eliminates discrepancies in incident reporting and resolution time, which is critical to ensure timely prevention of greater damage to IT systems after an incident has taken place. Many enterprises, service providers and data centers, including Yotta, maintain in-house Network Time Protocol servers which are connected to all internal servers and devices. Thus, connecting them with National Informatics Centre or National Physical Laboratory doesn’t involve complexities.

Quicker response time
As a major development, CERT-In has defined a timeline of 6 hours for organisations to report any cybersecurity incident. This is an aggressive timeline via-a-vis that of many mature markets. The US, for instance, has set an obligation to report cyber incidents to its Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.

CERT-In’s 6-hour timeframe is, however, a good step to ensure greater transparency and curb the effects of an incident. The initial hours of an incident are highly critical which determine the impact of the incident. This step will help organisations to mitigate risks as immediately as possible, instead of waiting for several hours. The step will guide organisations to take proactive steps and actions, while allowing CERT-In to hand-hold organisations to respond to the incident, wherever needed.

Maintenance of data
The directive of maintaining subscriber data for 5 years would help CERT-In to maintain a repository of cyber incidents, identify patterns and devise best practices to prevent them in the future. It may require organisations to invest in additional backup and storage capacities, but any investment in cybersecurity is worth the money, since the benefits substantially outweigh the costs.

Overall, these guidelines were much required. It will result in greater seriousness regarding cybersecurity and increased investments in this area. These steps will not just make organisations more conscious about cybersecurity, but also improve their overall cyber posture.