Cyber Security to Spur a Paradigm Shift for Businesses, Further Improving Productivity and Efficiency

By Alok Malik, Director - IT / Security, GlobalLogic

Cyber security benefits productivity and business efficiency in many ways. Organizations today are evaluated on security as a basic benchmark, which is a must for conducting business. It is considered a hygiene factor in the organization, and it also helps all stakeholders, including customers, understand management's view on security. Some of the benefits of cyber security from a productivity and business standpoint are:

• Personal Information Protection - We hear a lot about "digital", and one of the most important components of the digital age is personal information. If a hacker is able to gain access to the personal information of your employee, customer or any other stakeholder, then the business is at risk, which includes reputation loss and in turn huge business loss.

• Dedicated Cyber Security resources - One of the critical elements is personnel who are dedicated to managing the organization's cyber security.

• Allowing Employees to Work Safely - Without cyber security defence systems in place for your business, you and your employees are always at risk of an attack. If an end point becomes infected, it can hamper the productivity of the individual as well as the business at large.

• Corporate Applications Uptime - As a business, you host a number of corporate applications, which can follow a hybrid model wherein a few are hosted internally and a few on the cloud. If any of the applications becomes infected, there is a strong case for shutting it down until you have the mitigation plan and the root cause of the attack. This means that you will not only be losing money from missed transactions, but will also be at risk of losing customer trust.

• Denies Spyware and Prevents Adware - Viruses / Worms can slow down end points and make them practically impossible to work on. This not only wastes a lot of time for employees and the IT team, but in turn stalls the business too.

• Be Secure Against Phishing Attacks - Phishing, as generally stated, is an unethical attempt to obtain sensitive confidential information such as credentials, company information, credit card details etc. for malicious reasons. Such attacks can be prevented by regular information security awareness among employees, wherein they need to understand and adhere to certain Do's and Don'ts such as:

• Do validate the request by calling the person and then share data.

• Do inspect the web link before clicking; attackers embed malicious URLs into seemingly legit ones within their emails.

• Be cautious of unexpected email attachments or links, especially any that request private information, even from folks you know.

• If you receive a suspicious email, please report it to the Information Security team.

• When sharing any confidential/sensitive information, please ensure you share it via the corporate sharing mechanism of your organization.

• Do not share your credentials / personal information if you are not sure of the link's authenticity.

• Business Protection - Foolproof enterprise-level security solutions can provide great protection to your business, and they are a must in this modern age of Information Technology. In the current scenario, where cyber-attacks are at a high, there is an ardent need to have a basic level of protection, which includes Anti-Virus, Application Whitelisting, Firewall, Wi-Fi security and UTM. The tools deployed depend upon the organization's business requirements.

• Helps in building customer confidence - If you can prove to your customers that the business is protected against cyber-attacks, it helps win customer confidence, which in turn means more business. As an organization, Information Security needs to ensure there is a balance between the compliance and technical parts of security.

• From a compliance perspective:

• In case we are processing credit card data, it's mandatory to have the PCI-DSS certification in place.

• At a bare minimum, an organization must have ISO 27001:2013 certification to ensure the basics of security are covered.

• From a technical standpoint:

• It's a must to ensure that the organization is protected against cyber-attacks by having Anti-Virus, Application Whitelisting and Redundant Firewalls (network) in place.

• This isn't limited to the above and must include wireless security and a UTM, which performs multiple security functions within a single system.

• Regular vulnerability assessment (internal as well as external) must be performed.

• DLP is an added advantage, along with a Mobile Device Management solution.

Additionally, to improve systems and processes so that they thwart and contain any damage a future cyber attack can cause, there needs to be a stronger emphasis on the key elements of an IT system. The systems, processes and procedures are the backbone of any organization, and all of this can be achieved by having the right people, process and technology in place.

People:

• The people who are the end users must be given periodic Information Security Awareness training so that they stay up to date with the organization's security.

• Regular mailers must be sent to keep people engaged in Information Security.

• A quiz with a prize can be added to make it more interactive for people.

• Identify key people who can go on to become trainers for Information Security Awareness.

• Ensure you have buy-in from Sr. Management, without which one can fail. Follow a top-down approach.

Process:

• The process/policy must be based upon a defined standard framework, which can be ISO 27001:2013, the SANS critical controls or any other standard governed by a body that is recognized worldwide.

• The processes/policies must not be limited to Information Technology (IT), but must include other functions such as HR, Recruitment, Administration, Finance, Legal, and Business etc.

• Share these processes/policies with the respective stakeholders, which in most cases are people.

Technology:

• With the people and processes in place, we can easily identify the technology to implement. It isn't a good practice to identify a technology first and then fit the people and processes around it.

• Technology is an outcome of getting people to do the right things and of processes ensuring that things are done right.

A few attacks which were recently taken care of because of strong fundamentals of People, Process, and Technology are:

• Google Phishing Scam - People found a Google Doc link in their Inbox which was from a fake identity and looked like a real one. The smart people didn't click on the link; however, the few who did and granted access were compromised.

This, however, highlighted the need for periodic internal phishing campaigns, which keep people on their toes when they access any suspected email or link. Rapid7 and KnowBe4 are a few of the many organizations that help conduct these tests and share results, which can be an eye-opener for many organizations.

• WannaCry Ransomware Cyber Attack - Over 200K systems around the globe were affected by this attack. As per the research, India was among the worst affected, with around 5% of all systems affected in the attack being in India. The systems running older unsupported versions of Microsoft Windows, such as XP and Windows Server 2003, were initially at risk.

This, however, demonstrated the need for regular patch updates, which are released by Microsoft and other software and hardware vendors. Additionally, keeping systems less exposed to the public network always helps.

The fact is that cyber criminals are becoming increasingly advanced with each passing day. Such elements are constantly devising novel ways to infiltrate business infrastructures and steal sensitive data, which can cost a fortune. Therefore, it's time to be prepared today, before it becomes too late!
