Recent news reports about a leading Indian bank being directed to compensate a phishing victim are significant from several perspectives, especially for organizations in the BFSI space. Some of the interesting points in this incident (as well as the judgment) are:
- First instance in India where the IT Act has been used to redress phishing victims.
- The bank has been taken to task, which shows that India’s IT Act does have teeth. Yes, your company can also bite the dust if the customer has a bad experience on the infosec front.
- The customer’s responsibility to protect his authentication credentials has not been taken into account by the adjudicator.
I don’t plan to get into a debate about who was right or wrong in this case—except for the fact that effective infosec controls, user education and processes in the organization can negate the effects of phishing to a great extent. On the positive front, this particular incident does make it easier for CIOs and CISOs to justify and push through the information security plans that they’ve had in mind for years, for the following reasons.
1. Banks might face RBI audits of a more stringent variety, so now is the time for banks to get funding for security controls and for those user (as well as end user) security awareness training sessions and campaigns.
2. The business is likely to be more interested in your information security plans, now that the legal watchdogs are involved (along with the possibility of monetary compensation and loss of face for the business). Enforcement of policies will also become easier with their blessing.
So it’s best to strike while the iron is hot, as the clichéd idiom goes. What are you waiting for?
PS: Naavi.org has an interesting take on the phishing incident, and what might have gone wrong.