Data Safety Still a Dream in Nepal?
By Chiranjibi Adhikari
Kathmandu – With the rapid advancement of the digital age, the use of information technology in Nepal is growing at an unprecedented pace. However, private and government organizations’ lack of necessary caution in personal data protection poses a significant risk. Recent studies and evaluations by cybersecurity experts indicate that many organizations in Nepal are weak in their data security practices.
The proposed Personal Data Protection Bill in Nepal is still in the implementation phase, but institutional preparation for it appears minimal. The increasing number of cyber attacks in Nepal in recent years has instilled fear among the general public and large companies alike.
Data Security Status of Nepali Organizations: 15 Major Weaknesses
Cybersecurity experts have identified the following 15 major weaknesses in Nepali organizations:
- Lack of Data Protection Officer (DPO): Most organizations have not designated a responsible person for data protection.
- Lack of Legal Knowledge: Organizations lack information about national and international data protection laws.
- No Data Classification: There is no practice of separating sensitive data.
- Weak Consent Management: Data is used without explicit consent from customers or users.
- Lack of Investment in Cybersecurity: The use of essential security tools like firewalls and antiviruses is very low.
- Absence of Regular Audits: There is no practice of regularly auditing data security.
- No Incident Management Plan: There is no plan on how to respond if a data breach occurs.
- Use of Insecure Communication Channels: Sensitive information is sent through personal messaging apps or emails.
- Lack of Employee Training: Employees are not trained on information security.
- No Risk Assessment for Cloud Services: Security terms are not reviewed when signing agreements with service providers.
- Weak Password Policy: Weak passwords and the use of the same password across all systems are common.
- No Data Deletion Policy: There is no policy on when to remove unnecessary data.
- No Use of Security Technologies: Technologies like DLP (Data Loss Prevention) and SIEM (Security Information and Event Management) are not used.
- Banks and Telecom Sector are Slightly More Aware: Due to regulatory bodies, they are comparatively ahead in security.
- Digital Transformation is Increasing Awareness: Post-COVID-19, some organizations have started focusing on data security.
10-Point Recommendations for Improvement
To improve the data security situation in Nepal, experts have made 10 key recommendations:
- Appoint a DPO: It is essential to designate a qualified person responsible for data security.
- Develop a Data Security Policy: Clear procedures for data collection to destruction must be established.
- Mandatory Employee Training: Training programs are necessary to enhance cybersecurity awareness.
- Sensitive Data Classification and Encryption: Critical information must be kept secure.
- Strengthen Access Control: Role-based access and two-factor authentication (2FA) should be mandatory.
- Regular Audits and Monitoring: Monitoring of data usage is essential.
- Develop a Data Breach Response Plan: A plan for immediate response in case of an incident must be created.
- Use Secure Communication Channels: Encrypted emails and cloud services should be implemented.
- Create Data Retention and Deletion Policies: Unnecessary data should be removed in a timely manner.
- Practice International Standards: Work should be done according to GDPR, ISO/IEC 27001, or Nepalese law.
Rising Risk of Cyber Attacks: Nepali Organizations in Crisis
Recent cyber attacks in Nepal have affected businesses across all sectors. From financial institutions to healthcare providers, all are becoming targets of attacks. Cyber attacks, which cause billions of dollars in damage globally, have now become a regular challenge in Nepal.
Top 5 Cyber Attack Methods:
- Web Software Vulnerabilities: Data theft through attacks like SQL Injection, Remote File Inclusion, XSS.
- Network Layer Weaknesses: Password theft via Wi-Fi or LAN (Man-in-the-Middle).
- System Software or OS Vulnerabilities: Ransomware attacks on outdated or unpatched systems.
- Hardware-Level Weaknesses: Potential data leakage due to device flaws.
- Social Engineering: Attempts to trick users into installing malware.
Whose Fault Are Cyber Attacks?
Partial blame can be attributed to software manufacturers, service providers, company employees, or network providers.
However, the most significant reasons are the lack of regular cybersecurity assessment, the lack of information security audits, and the lack of awareness and education.
Tips for Users to Avoid Cyber Attacks:
- Use Strong Passwords: Use passwords that include alphanumeric characters and special symbols.
- Use Two-Factor Authentication (2FA): Employ an additional layer of security beyond just a password.
- Avoid Open Wi-Fi: Do not perform sensitive activities on public Wi-Fi networks.
- Use Different Passwords: Do not use the same password for all accounts.
- Check for Password Compromise: Get information from https://haveibeenpwned.com.
- Use Firewall and Antivirus: Regularly update them for system security.
- Keep Software Updated: Regularly update your OS and all apps.
- Keep Passwords Confidential: Do not share your passwords with anyone.
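The two password tips above (use strong passwords, and check whether a password has already appeared in a breach via haveibeenpwned.com) can be automated in a way that never sends the password itself anywhere. The following is an added example, not code from the article or from One Cover; it implements the k-anonymity model used by the public Pwned Passwords "range" endpoint (only the first five hex characters of the SHA-1 hash are sent, and the remaining 35 are compared locally). The range response embedded in the block is a constructed sample, the breach counts in it are illustrative, and the minimum length of 12 characters is an assumption, since the article names no specific length.

```python
import hashlib
import re
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample of a Pwned Passwords "range" response for hash prefix
# "5BAA6" (the prefix of SHA-1("password")). Real responses contain hundreds
# of lines in the same <35-hex-char suffix>:<count> format; the counts here
# are illustrative, not real breach statistics.
SAMPLE_RANGE_RESPONSE = (
    "1E2AAA439C2D4E2C3B63C9B7D4F5B0E1A2B:2\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "1F0A9C8B7D6E5F4A3B2C1D0E9F8A7B6C5D4:17\n"
)

# Offline table so the example runs without network access.
OFFLINE_RANGES: Dict[str, str] = {"5BAA6": SAMPLE_RANGE_RESPONSE}

MIN_LENGTH = 12  # assumed threshold; the article gives no specific length


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            table[suffix] = int(count)
    return table


def fetch_range(prefix: str) -> str:
    """Online lookup: only the 5-char hash prefix leaves the machine."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_lookup(prefix: str) -> str:
    """Lookup against the constructed sample, for running without network."""
    return OFFLINE_RANGES.get(prefix, "")


def breach_count(password: str, lookup: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in the range data (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def check_password(password: str, lookup: Callable[[str], str] = fetch_range) -> List[str]:
    """Return the list of policy findings; an empty list means the password passes.
    Policy: minimum length, letters, digits, a special symbol, and not breached."""
    findings: List[str] = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if not re.search(r"[A-Za-z]", password):
        findings.append("no_letter")
    if not re.search(r"[0-9]", password):
        findings.append("no_digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no_symbol")
    if breach_count(password, lookup) > 0:
        findings.append("breached")
    return findings


if __name__ == "__main__":
    # Uses the offline sample; pass fetch_range (the default) for a live check.
    for pw in ("password", "Kathmandu!River-2024"):
        print(pw, "->", check_password(pw, offline_lookup) or "ok")
```

The same check is what an organization can run at account-creation and password-change time to enforce the "strong and different passwords" advice server-side, rather than relying on each user to visit the site manually; because only a hash prefix is transmitted, the lookup does not itself create a new place where the password is stored.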
Conclusion:
As Nepal enters the digital age, data security and cybersecurity have become extremely important issues. A secure digital future is not possible without building a legally robust system, making institutional improvements, and raising public awareness.
Download the Personal Data Protection Policy of Nepal: https://giwmscdntwo.gov.np/media/pdf_upload/PDP_Draft_public_gbtnock.pdf
About Chiranjibi Adhikari
Mr. Chiranjibi Adhikari is a Cybersecurity Policy Expert and CEO of One Cover Private Limited, a dedicated cybersecurity company in Nepal. He is also the Senior Vice President of the Federation of Computer Association Nepal (CAN Federation).
