Does Cybersecurity Strategy require a rework? Post Pandemic!

Araveinth Gopinath
Yubi (CredAvenue Private Limited)
Dec 28, 2020

Firewalls and antivirus alone are not enough for data protection. A dedicated cybersecurity team is a necessity; the IT team by itself is not sufficient to manage security. Moving forward into 2021 and beyond, cybersecurity is everyone’s responsibility. Senior executives are more concerned about security and are putting more emphasis on it. Organizations are investing heavily to get the best security defense available. Let’s look at the reasons behind this change in culture and how CIOs and CISOs need to adapt their current strategy to it.

The technological landscape has changed with the pandemic and the work-from-home arrangements made for business continuity: it now includes cloud infrastructure, IoT devices, personal laptops, phones, SaaS applications, and so on. We are losing sight of our perimeter, which has become blurred. Securing the email platform, endpoints, and backups should also be in focus. Apart from the technology, increasing awareness among employees, stakeholders, top management, and the board is important.

In any industry, protecting the crown jewels of the business is the prime objective. Cyber-attacks mostly target data. Stolen data ends up in a digital marketplace where hackers and buyers trade it, and the dark web serves as that marketplace. The plain internet we use for browsing is the surface layer of the web, but these illegal activities happen at another layer that is out of sight. Only if we understand the route to market can we put a barrier in the flow. I will focus more on the dark web in my upcoming article, where I will cover the activities we perform online, how they end up on the dark web, and what goods and services are being exchanged.

The Ministry of Electronics and Information Technology (MeitY) in India informed parliament that India had faced almost 7 lakh cyber-attacks up to August 2020, i.e. in only the first 8 months of the year. The Cyber Crisis Management Plan (CCMP) formulated by the ministry has been presented to the government for enforcement in critical sectors. The RBI has issued various notifications since 2017 asking all regulated entities to comply with the cyber crisis management plan.

The largest number of cyber-attacks during the pandemic targeted the financial and health sectors. Data is the crown jewel of any financial services organization. Companies that store PII (Personally Identifiable Information) will always be a target for hackers and other nefarious parties. In general, organizations should limit the amount of PII they collect. If your business requires you to work with PII, adopt a robust security framework for data governance. Integrating cybersecurity with data governance enhances the value of data protection.

Due to current economic conditions and the pandemic, security investments have slowed down at certain organizations, and CISOs are making alternate arrangements to address their security needs. The pandemic has brought the least prioritized vector to high priority: enabling secure remote working conditions when the perimeter is unknown.


Incorporate machine learning capabilities to identify all your information assets, be it a remote device, on-premises infrastructure, or even data on a SaaS platform. Regularly patch your systems and keep your perimeter security current.

This is the time to rework the strategy. The working model and priorities that CISOs (Chief Information Security Officers) and CIOs (Chief Information Officers) had before the pandemic are no longer relevant. The current situation has pushed us to take up a new working model and new priorities that safeguard data in the remote working environment and enable business continuity. Top management is now instilled with a security-first mindset by default because of remote working environments.

We are never too prepared to address cyber-attacks, as the cyber threat landscape is constantly evolving. There is no one-size-fits-all approach; always align your cyber strategy with the risks you want to address in your organization.

For a Fintech company that aims to disrupt the financial industry with technology, including product security in the strategy is a must. A product security function should be set up to work closely with both the engineering team and the technological security team. Fintech also has a similar set of risks, such as application security risks, data breaches, third-party security risks, identity theft, cloud security risks, money laundering risks, and so on.

Information security protects information and its resources, whereas product security deals with developing a secure product. Product security engineers should be involved in all development activities, from design reviews and writing security requirements to reviewing code, testing for vulnerabilities, and so on. Unlike the traditional CISO, who reports to the CEO or CIO of the organization, the product security team should be aligned with the technology division and the CTO, who shares a similar mission to that of product security. I will write a brief strategy on setting up a product security team in my upcoming articles.

CredAvenue is proud of its rich heritage in protecting the availability of its infrastructure and ensuring the confidentiality and integrity of its customer data in transit and in storage. By adopting a robust data governance model that incorporates cybersecurity and product security within the framework, along with AI and ML-based technologies, CredAvenue secures its customers’ data. We constantly protect our client information, interactions, and in-house data with dark web threat intelligence capabilities. This intelligence also helps secure our internal employees’ personal accounts. Our internal users receive alerts even if their personal accounts are found in the dark web database. We are together with the nation to build a secure financial industry.

To conclude, protecting data from the most dynamic threat landscape requires the most robust strategy. Companies should focus on a proactive approach rather than a reactive one. We must know what, when, and how we are protecting our data. Instilling a security mindset and building a security culture among employees creates the first line of defense for any organization.
