As the world remains on the path of aggressive digitisation, post COVID-19, attention is rapidly shifting to cybersecurity and responsible data use. Data sets are being created and are moving economic activity in a completely different way. Virtually the entire physical world is being represented digitally and all work, movement of goods, people and services are proceeding virtually. Every human being is in search of an Oculus headset to participate in this revolution.
Virtual reality and augmented reality (VR-AR) are taking wing, news wars are erupting and being extinguished all over the world. New relationships are being crafted and old norms and businesses are unravelling! In this milieu, corporate boards are reaching out to identify cyber risks and are overseeing data protection and responsible use (prevention of misuse of data obtained under an NDA or that which is copyrighted). Even medium-sized businesses are victims of cyberattacks today. Hackers are finding it tougher and tougher to attack larger companies due to the cyber fortresses they are building and so their attention is turning to SMBs.
The threat comprises critical data leaks, unacceptable interface controls with digitised upstream customers, Trojan horse attacks to larger ecosystems by penetration through weak SMB systems, and non-entombed data causing duplicate payments. The most common cyber threat delivery mechanisms are phishing, malware, ransomware, denial of service, and impersonation. This can result in huge financial losses, business continuity disruptions, data losses, and employee demotivation.
A cybersecurity framework to consider
Protection: Establish infrastructure to capture data sets and sharpen internal financial controls to support the business model. Also spread awareness about responsible data use so that the reputation of the enterprise remains protected. Use the COSO framework. The aim is to contain the impact of breaches and to build resilience.
Early detection: Choose Auditbots that will monitor and detect unusual data patterns. Deploy them on a weekly cycle. Implementing the right strategy can auto-detect suspicious activities before they spread. Proactive action is better than correction.
Response and recovery (R&R): An agile response and recovery system is very important, especially in today’s remote employee workforce model. A clear response plan, with well-defined processes, clear roles and responsibilities, and an adequate communication plan are critical to R&R.
Compliance: This area has become very important, especially as all processes are moving online. For instance, the EU’s General Data Protection Regulation (GDPR) and NYDFS have several compliance requirements when it comes to data storage, breaches, and response plans. Digitise all compliance with laws, regulations and protocols. Staying compliant is not only mandatory but will also make the business stronger and less susceptible to threats.
Build employee awareness: Make password refreshment a religion. Unaware employees are the most vulnerable to threats such as phishing, social engineering, etc. Creating a well-informed cybersecurity culture is important.
Customise: Decide, on the basis of a risk analysis, the specific tools to deploy.
Some cybersecurity imperatives
- Inventory of all business-critical assets, information, data, and reports. Data is your most valuable asset. Capture data sets as they occur.
- Extend cybersecurity to vendors, partners, customers and employees. The APIs that connect you to them must be encrypted.
- Prioritise external-facing online systems e.g., eCommerce websites, vendor portals, etc. if applicable. Ensure that you install protective software.
- Ensure all digital devices (like laptops, devices, phones) are in scope, especially given that several of us are working from home today.
- Conduct a detailed audit/assessment to identify potential gaps and understand levels of severity.
- Build a plan to address the gaps; use planning services/tools, like threat modelling, to help you plan better.
- Do not be constrained by lack of in-house expertise – work with partners who are experts in this space and can provide a complete range of security solutions.
- Managed services are a great way to resolve the skill gap issue. They are cost-effective with better, tried-and-tested solutions.
- Continuous monitoring and regular testing of the cybersecurity setup is important. Very much like testing your home security system.
- Execution of the plan is key.
Cybersecurity is not as expensive as it once was. Neither is it as intimidating as it was. It is easy to get started. Get an audit done and understand where you stand and what options you have.
(Shailesh Haribhakti is a corporate leader based in Mumbai. He is a chartered and cost accountant, and writes regularly on the Indian economy and public policy.)