Dr. N K Arora, chairman of the Covid-19 working group – National Technical Advisory Group on Immunisation (NTAGI) yesterday stated the likelihood of the onset of the third wave in India, as cases have been galloping fast in the past few days.
As companies again begin to enter their bio bubble of sorts in the way of a hybrid working model, the risks to cyber security loom large. The CISOs had experienced an unprecedented surge in cyber security breach attempts in the last couple of years. It’s important to have a review and relook of how the cyber security scenario unfolded in the past couple of years and how can the learnings and observations be adapted to the current circumstances.
Primarily, it’s important for organisations to put all the right controls, tools, and technologies in place followed by a vigil on the user behaviour. “In the pandemic, many companies implemented the required controls and technologies that were absent hitherto to run the operations of the organisation. Secondly, in spite of these tools available, companies had to adjust them to accommodate the traffic that will access the resources,” says Pawan Chawla, CISO, Future Generali India Life Insurance.
Thirdly, implementing DLP, EDR, information classification tools, and other controls is also of paramount importance. During the first lockdown, devices were quickly allocated and delivered to the employees with not much attention given to making them as secure as operating in an enterprise environment. “The adoption of Endpoint Protection and Detection response (EDR), encryption, and other tools will provide a protective gear against attack vectors waiting to enter enterprise perimeters,” says Chawla.
Future Generali India Life Insurance also implemented the information classification and Data Leakage Protection (DLP) tool during the pandemic period. These tools basically bring the information assets of the company within their supervision and control rather than being vulnerable to antagonistic forces lurking in the open domain.
The other aspect to governing the data and information is actively monitoring the devices and the data access provided to employees in terms of how it is being used and handled. Whether employees are being given access to the data they are supposed to be given access to perfectly fulfill their responsibilities. “Two key technologies are playing an important role in this scenario in securing the information assets. The cloud-based firewall proxy provides for the security requirements when employees are working from the place of their choice. Hitherto, the office environment was the perimeter; however now, the parameter has changed with employees working from anywhere,” says Chawla.
The EDR technology can also help in analysing user behaviour and averting ransomware and phishing attacks.
As India enters the third wave, user awareness campaigns should also be continued, “The user awareness initiative should go unthrottled as it keeps the users on an always-on alert mode in following the information security hygiene” says Chawla.
According to a survey done in the pre-pandemic times, there were over five hundred domains getting registered on a regular basis, which remained as a trend until the end of December 2020. An investigation should be undertaken on the reason for those registrations. They were cropped up for perpetrating cyber threat vectors against corporations. Thus, companies should be cognizant of these happenings and make employees aware of such incidents.
Governing cloud environments
The cloud computing paradigm got mainstreamed in the pandemic period however certain companies have over a period discovered that cloud is a misfit for them. Moreover, even for companies where the cloud meets their requirements, governing the cloud infrastructure is critical.
The CISOs should not fall into the trap of oversubscribing cloud services. The cloud providers offer various kinds of cloud computing services and companies have adopted a lot many services operating on multiple cloud platforms offered by different vendors. “CXOs should avoid going for services not required for their environment. Even after signing up for the services, the companies do not take enough care on governing and maintaining those services,”
In specific instances of recent cyber-attacks on certain banks, they happened because the administrator forgot to discontinue the backup server on the cloud, which was supposed to be used as a stop-gap arrangement to patch the production server. This backup server was compromised and then it was to be found that the customer data was residing there. Moreover, companies were also found with their User Acceptance Testing (UAT) servers holding customer data.
The importance of implementing zero trust in the cloud environment cannot be emphasized much. “Cloud computing environments are secured de-facto is a myth. They can only provide a baseline cloud platform. CXOs still suffer from the misconception that the cloud is secure by default. That’s not the case,” states Chawla.
Adherence to regulatory mandates
The recent amendment to the cyber security guideline issued by IRDAI is much stricter than its previous guideline in 2017. “The vulnerabilities on the Critical and internet-facing applications have now to be fixed within one month. According to the old stipulation, the period was six months. For normal applications, the time has been reduced from one year to two months,” says Chawla.
These stringent requirements may have only come after considering the learnings from some hacking attempts on companies in the pandemic period.
Apart from IRDAI, CERT-in has also actively involved itself in not only sending advisories to companies but also taking feedback on the various initiatives undertaken.
As we enter the third wave, let’s not forget to keep security right at the beginning of selecting a particular IT product or solution and not leave it towards the end. The accuracy in pinpointing the right vulnerabilities and coming up with remedial action is a function of continuous training, upskilling and reskilling programs. Companies will have to mandatorily conduct them and keep them as an integral part of their cyber security framework.