Experts’ opinion on securing digital assets
Highlights
- Employees are the leading cause of cyber security breaches in organizations, which usually occur due to human error.
- Many cybersecurity regulations now hold organizations liable for the actions or failures of their suppliers and third parties. These regulations recognize supply chain risk and the necessity of having effective risk management procedures in place to support privacy commitments, including the information passed on to third parties.
Today the digital assets of a company can be just as important as its tangible assets. Files and data that reside on a computer or storage drive generally are referred to as digital assets.
More digital assets are being created and acquired by businesses than ever before. As more users access these assets, they become more vulnerable to cybercriminals looking to penetrate the system and steal an organization’s data. Furthermore, with the rise of everything digital, businesses now face new challenges and liabilities, ranging from data protection to changing privacy regulations to associates posting information on social media. Businesses must begin focusing on protecting their digital assets, not just physical assets or liquid assets.
Employee awareness
Cybercrime is a massive problem that businesses must be aware of and take precautions against. As digital technologies continue to advance and become more prevalent in people’s personal and professional lives, cyber security awareness is more important than ever.
Education and awareness of cybersecurity are essential. Security professionals have been going around teaching this for a number of years now. “Over the years we have tried multiple approaches to increase the awareness, and trust me when I say that none of those works,” pointed out Bithal Bhardwaj, Group Chief Information Security Officer, GMR Group.
Employees are the leading cause of cyber security breaches in organizations, which usually occur due to human error. They are an organization’s driving force and are in charge of carrying out the day-to-day operations that keep it running. They are responsible for handling essential and/or sensitive information as well as interacting with different stakeholders. When they fail to adequately protect company data, the company may face a variety of serious issues. This could include:
- Regulatory issues, such as failing to safeguard information in accordance with the General Data Protection Regulation (GDPR), which can attract massive fines.
- Customers and other parties lose faith in your brand, resulting in reputational damage.
- Disruption to your operations, which could result in significant losses
- Confidential and sensitive data loss
- Monetary loss, especially if criminals gain access to the company’s bank accounts
“One latest approach we are taking is that we are trying to touch the personal side of every employee. We are running a program for over 6,000 employees. We call it the Cybercrime First Responder Program. We try to teach the personal lives of people,” Bhardwaj further mentions. According to him, if common sense enters the home from a digital standpoint, it will take place in the workplace as well.
Regulations
Regulation will always follow technology. Elements of cybersecurity legislation aim to establish accountability and responsibility in order to ensure that senior management in businesses takes risk and security issues and strategies seriously. Many regulations specify information security requirements and control mechanisms that organizations must implement to protect customers’ personal information from theft, unauthorized access and further misuse.
Furthermore, many cybersecurity regulations now hold organizations liable for the actions or failures of their suppliers and third parties. These regulations recognize supply chain risk and the necessity of having effective risk management procedures in place to support privacy commitments, including the information passed on to third parties.
The Indian Computer Emergency Response Team (CERT-In) issued directions “to strengthen the cybersecurity in the country”, which have significant implications for the cybersecurity landscape. The directions enforce a stringent 6-hour timeline for reporting a cybersecurity incident and broaden the types of security breaches that must be reported. “The industry not reporting cyber incidents on time is manifested in the new provisions they introduced, including the time stamps and how you are supposed to synchronize the clocks,” said NS Nappinai, Advocate, Supreme Court & Founder, Cyber Saathi. She further adds, “Today, what you have is actually an outcome of you not having followed the rules earlier.”
Advice to companies
Most organizations today have a traditional incident response management process in place. “We are treating ransomware as a specific case wherein we designed a ransomware detection to a response strategy,” said Neha Taneja, Chief Information Security Officer, Hero MotoCorp.
According to Taneja, organizations should have a “ransomware response drill” in which they assign responsibilities to employees, considering the value of the data that has been stolen or whether the ransom needs to be paid.
Following are some of the steps every organization should follow to secure their digital assets:
- Make a detailed inventory of everything, including what’s stored where – in the cloud, on an employee’s smartphone, or in any piece of the technology infra.
- Organize the most important information first: With cloud storage, backing up files or saving everything in multiple locations has become easier.
- Copyright and trademark protection: Take copyright and trademark protection to the next level by trademarking a company’s logo or registering content online for copyright protection. Any processes that the company develops in a unique way can also be patented. When considering such registrations, it is always a good idea to consult with a licensed attorney first.
- Understanding the risk trends: Knowing how an organization’s risk posture changes week by week is critical for network security. New vulnerabilities emerge on a regular basis, necessitating immediate intervention by the team. The team should receive regular updates about emerging risks, common risks in the industry, and software-specific vulnerabilities and hotfixes, such as those for web and database servers.
NOTE: This article is an extract from a discussion at the recent ET Spectrum, Delhi.