With the rise in cyber-attacks in recent years and the growing per-record cost of data breaches, modern enterprises face multiple challenges. Beyond that, they must also comply with data privacy regulations. To help us understand the security and data protection challenges that Indian businesses face, and their possible mitigations, Sanjeev Singh, Chief Information Security Officer and Data Protection Officer at Birlasoft, spoke to Nidhi Shail Kujur of Elets News Network (ENN).
Q1. Ransomware is having a serious economic impact on businesses. How can CIOs and CISOs deal with the issue?
Ransomware is just one of many serious concerns that enterprises face today. Ransomware’s criticality often overshadows the slew of other risks that enterprises continue to face. To be fair, ransomware is not new. It has existed since 1989, from the time of the ‘PC Cyborg Virus.’ It went mainstream in 2013 on the back of the swiftly evolving botnet distribution infrastructure, which allowed for rapid infection capabilities. Besides, cryptocurrencies, especially Bitcoin, made it possible to evade law enforcement by anonymously receiving ransom payments.
Understanding the motivation of the attackers is critical to creating the right defenses. The attackers are after our money and hold our data hostage to it. That’s why protections against ransomware must revolve around data. Since the ransomware authors research their victims thoroughly before launching an attack, it is imperative for watchdogs to know the infrastructure and data better than the attackers. Some of the measures that enterprises must take to improve resilience against ransomware include:
- Reduce the attack surface: This will hopefully make the attack cost high enough to deter the attacker. This includes activities such as keeping systems and solutions patched, avoiding misconfigurations, limiting access, allowing application directory listing, and reducing vulnerabilities, especially for public-facing resources.
- Limit the blast radius: This would include network segmentation and data boundaries to reduce lateral movement and the attack’s impact.
- Swift restoration from immutable backups: The enterprises must roll out capabilities to swiftly restore from immutable backups. The backups should be isolated from the production environment. The enterprises can also employ Write Once Read Many (WORM) capabilities to prevent any modification of backups.
- Timely Deployment: Deploy updated Antivirus (AV) / Endpoint Detection and Response (EDR) / Extended Detection and Response (XDR) on all endpoints to detect and respond quickly.
To improve cyber resilience against ransomware, enterprises must question themselves on the following:
- Do we have the ability to identify what data was exfiltrated? On most occasions, businesses will not even know this part. Without this information, it is difficult to assess the impact and without impact assessment, it is not possible to decide upon a future course of action.
- What circumstances demand that law enforcement, clients, and users be informed?
- Do we have the capability to conduct a forensic investigation and identify the root cause of infection? If not, what has to be done to build or buy that capability? Rebuilding infrastructure without proper recovery and remediation will only make the new infrastructure vulnerable to fresh attacks.
- How fast can we contain an attack? Do we have agile controls that can lock down the environment quickly enough?
- Can we isolate networks or sub-networks which are affected? How quickly can it be done?
- Can we swiftly turn on higher levels of security controls, reducing permissiveness across environments to limit the spread, like a kill switch? For example, dormant group policies or other controls that can be turned on to enforce stricter controls or dormant firewall/proxy rules that enforce much tighter controls can also be implemented.
- Do we have an immutable backup? If yes, how quickly can we restore it? Would there be data loss?
- Do we directly negotiate with the attacker or through an intermediary? If yes, when and in what circumstances?
- What circumstances will force us to consider making the ransom payment? Do we need cyber insurance coverage? If yes, then how much? This requires quantifying the risk, and that is never easy.
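The first question in the list above, whether the business can identify what data left the environment, usually starts with egress telemetry: which host sent how much to which destination, and when. The following is an added example, not code from the interview or from Birlasoft, that triages a small set of constructed proxy log lines (the four-field format, the host names, the 500 MB threshold and the business-hours window are all assumptions chosen for illustration). It aggregates outbound bytes per source/destination pair, records first and last seen, and flags pairs over the threshold, marking transfers that began outside business hours so the forensic team knows where to scope first.

```python
"""Egress volume triage over proxy logs (added example, not from the original page).

Assumed (constructed) log format, one record per line:
    <ISO-8601 UTC timestamp> <src_host> <dst_host> <bytes_out>
"""
from datetime import datetime

# Constructed sample lines: one finance workstation pushes ~2.2 GB to an
# unfamiliar file-drop host at 02:00, alongside ordinary daytime traffic.
SAMPLE_LOG = """\
2024-03-01T02:10:05Z ws-fin-07 updates.example-vendor.com 18234
2024-03-01T02:11:40Z ws-fin-07 files.drop-example.net 734003200
2024-03-01T02:12:02Z ws-fin-07 files.drop-example.net 812345678
2024-03-01T09:30:11Z ws-hr-02 mail.example.com 5400
2024-03-01T09:31:20Z ws-hr-02 cdn.example.com 120000
2024-03-01T02:15:59Z ws-fin-07 files.drop-example.net 699999999
"""


def parse_line(line):
    """Split one log record into (timestamp, src, dst, bytes_out)."""
    ts, src, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)


def egress_summary(log_text):
    """Aggregate outbound bytes per (src, dst) with hit count and first/last seen."""
    agg = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_line(line)
        entry = agg.setdefault(
            (src, dst), {"bytes": 0, "count": 0, "first": ts, "last": ts}
        )
        entry["bytes"] += nbytes
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return agg


def flag_exfil(agg, threshold_bytes=500_000_000, business_hours=(8, 19)):
    """Return pairs whose total egress exceeds the threshold, largest first.

    threshold_bytes and business_hours are assumed tuning values; a real
    deployment would derive them from each host's own baseline.
    """
    findings = []
    for (src, dst), e in agg.items():
        if e["bytes"] < threshold_bytes:
            continue
        # A transfer that starts outside working hours deserves earlier attention.
        off_hours = not (business_hours[0] <= e["first"].hour < business_hours[1])
        findings.append({
            "src": src,
            "dst": dst,
            "bytes": e["bytes"],
            "count": e["count"],
            "first": e["first"].isoformat(),
            "last": e["last"].isoformat(),
            "off_hours": off_hours,
        })
    return sorted(findings, key=lambda f: -f["bytes"])


if __name__ == "__main__":
    for f in flag_exfil(egress_summary(SAMPLE_LOG)):
        print(f)
```

The output names the host, the destination, the byte count and the time window, which is exactly the scoping information needed before anyone can say which files or database tables were exposed; matching the window against file-access or database audit logs is the next step.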
Q2. 95% of Indian firms value data encryption scaling but lag in adopting the technology; what would you like to add to it?
Data has always been the holy grail that needs to be protected. Earlier, legacy controls did not really support granular data protection controls; hence, the security layer was built around servers, endpoints, and networks. Modern data protection controls allow for fine-grained controls at the data layer. Organizations can look to implement data protection controls, including data discovery, classification, and data-leakage prevention controls.
Data classification typically involves encryption for sensitive data, with additional access permissions, such as read, modify, or full control. This helps keep the data safe even if it is subjected to unauthorized access. This becomes critically important in modern hybrid enterprises where data is accessed from anywhere using different types of devices, such as corporate or personal, and different form factors, such as laptops, desktops, tablets, or mobiles.
There are quite a few solutions that provide data discovery and protection capabilities. However, enterprises should choose these technologies only after careful long-term planning. It pays to remember that once encrypted using a solution, data would require decrypting and re-encrypting for a new solution. This is not a trivial affair.
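The answer above describes the chain of discovery, classification and label-driven permissions (read, modify, full control). The following is an added example, not code from the interview or from Birlasoft, that implements that chain over flat records using only the Python standard library. Its assumptions: PII is detected with simple regular expressions for e-mail addresses, phone numbers and PAN-style identifiers (a real deployment uses a DLP engine); field-level encryption is stood in for by keyed tokenisation, where the sensitive values live in a separate vault and only a token remains in the record store; and the role-to-permission matrix is constructed for illustration.

```python
"""Discovery, classification and label-driven access (added example, not from the page).

Assumptions: regex-based PII discovery, HMAC-SHA256 tokens as a stand-in for
field-level encryption, and a constructed role/permission matrix.
"""
import hashlib
import hmac
import re

# Constructed detection patterns for the demo.
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE),
    "phone": re.compile(r"^\+?\d{10,13}$"),
    "pan": re.compile(r"^[A-Z]{5}\d{4}[A-Z]$"),  # Indian PAN layout
}

LABELS = ("public", "internal", "confidential")  # ascending sensitivity

# Constructed matrix: for each action, the highest label a role may act on.
PERMISSIONS = {
    "analyst": {"read": "internal", "modify": "public", "full": None},
    "hr": {"read": "confidential", "modify": "confidential", "full": None},
    "dpo": {"read": "confidential", "modify": "confidential", "full": "confidential"},
}


def discover_pii(record):
    """Return the names of string fields whose values look like PII."""
    found = set()
    for field, value in record.items():
        if isinstance(value, str) and any(
            p.match(value.strip()) for p in PII_PATTERNS.values()
        ):
            found.add(field)
    return found


def classify(record):
    """Label a record; anything not explicitly published defaults to internal."""
    if discover_pii(record):
        return "confidential"
    return "public" if record.get("published") is True else "internal"


def allowed(role, action, label):
    """True if the role's ceiling for the action is at or above the label."""
    ceiling = PERMISSIONS[role][action]
    return ceiling is not None and LABELS.index(label) <= LABELS.index(ceiling)


class TokenVault:
    """Holds the real PII values; the record store only ever sees tokens."""

    def __init__(self, key):
        self._key = key
        self._vault = {}

    def tokenize(self, record):
        out = dict(record)
        for field in discover_pii(record):
            digest = hmac.new(self._key, record[field].encode(), hashlib.sha256)
            token = "tok_" + digest.hexdigest()[:16]
            self._vault[token] = record[field]
            out[field] = token
        return out

    def detokenize(self, record):
        return {f: self._vault.get(v, v) if isinstance(v, str) else v
                for f, v in record.items()}


def protect(record, vault):
    """Classify, then store the tokenised form together with its label."""
    return {"label": classify(record), "data": vault.tokenize(record)}


def read(entry, role, vault):
    """Enforce the label: deny, return the tokenised view, or re-identify."""
    label = entry["label"]
    if not allowed(role, "read", label):
        raise PermissionError(f"{role} may not read {label} data")
    if allowed(role, "full", label):
        return vault.detokenize(entry["data"])
    return dict(entry["data"])  # read without full control never exposes PII


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    entry = protect({"name": "A. Sharma", "email": "a.sharma@example.com",
                     "phone": "+919876543210", "dept": "finance"}, vault)
    print(entry["label"], read(entry, "hr", vault), read(entry, "dpo", vault))
```

Two design choices worth noting. Classification fails closed: a record with no PII and no explicit publication flag is internal, never public. Tokens are deterministic (keyed HMAC of the value), so the same e-mail address maps to the same token across records and analysts can still join or count on it without ever seeing the value; a store copied out without authorisation yields only tokens, which is the property the answer above attributes to encryption at the data layer.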
Q3. What are the challenges in data protection that Indian businesses are facing?
The first and foremost challenge is the exponential growth and spread of data. In addition, privacy is becoming a bigger concern globally, with many countries adopting privacy laws that necessitate data protection in some form or the other. Identifying Personal Identifiable Information (PII) and Sensitive Personal Information (SPI) is a significant concern, in addition to business-sensitive information that may reside anywhere in the environment. Because of the velocity and volume of data in our technology-driven world, handling millions and possibly even billions of data records can become overwhelming.
The cost of maintaining data privacy is another challenge. The direct and indirect impacts of a data breach can be catastrophic. The cost of implementing security and privacy controls, coupled with post-incident costs, such as ransom payments or privacy fines, can be enormous. Organizations need to identify these costs as the cost of doing business.
The ever-evolving complex technology landscape is yet another challenge. With IoT and IIoT becoming pervasive, it is no longer sufficient to protect just the IT infrastructure. Also, it is not an easy task to balance the need to allow business functions from anywhere and from any device, including personal devices, while safeguarding data. Therefore, careful data boundaries and associated controls must be defined and implemented.
Last but not least, data is accessed, processed, and handled by humans. This is probably the most complex layer because not everyone is expected to have the same level of awareness. Unaware and ill-informed employees can use weak passwords, delete data by mistake, fall into phishing scams, have privileged account access, and browse websites not under acceptable use. Implementing strict controls reduces user experience, and improving user experience requires much more flexible security controls. This is a fine balancing act but a necessary one.
Q4. What best practices do Indian CIOs and CISOs need to adopt to drive the new workforce?
Workforce challenges are evolving with the increasing complexity of digital practices. This is further compounded by the hybrid work environment, where the social component of collective and collaborative learning takes a hit. On the one hand, tools are getting complex, requiring multiple collaborators to work together. On the other hand, remote work is more aligned with individual contributors.
CISOs need to identify ways to foster collaboration and collaborative learning, especially in terms of transferring experiences from one colleague to another. Keeping the workforce motivated is another key focus area. This can be achieved through initiatives such as regular check-ins, having shared goals and mutual expectations, showing appreciation publicly and finding ways to be together while apart.
Q5. How are CISOs preparing to meet the global demand for skilled, diverse workers with technical skills to meet the cyber challenges?
The complexity and diversity of security controls and modern IT infrastructure, coupled with the hybrid work environment, necessitate extending security to the edge layer. This makes it a very demanding environment for professionals. While tools exist to ease control implementation, their maturity is defined primarily by the competency of the teams managing these tools.
Unfortunately, many professionals are more focused on expertise in tools and certifications than on the fundamentals themselves. There is huge scope for improvement in foundational courses, such as college degrees, and a focus on skill development rather than just knowledge.
Another sore point seems to be the lack of interest in continuous learning. The attack surface is evolving continuously, and so are the attackers’ tactics, techniques, and procedures. Keeping track of the latest events in the industry and applying those to improving cyber resilience goes a long way. Yet, many professionals seem content to deliver what they already know.
To overcome these challenges, CISOs must demand that their teams develop a healthy curiosity and an eagerness to learn. A professional with sound fundamentals can achieve results irrespective of the tool. It is also true that a hybrid workforce allows greater flexibility in hiring, and we are no longer limited to talent pools available locally. CISOs also need to create and maintain effective learning and development initiatives to ease new hires into their roles. This also helps with cross-skilling.