Boards across the world now recognise that nothing short of an audit renaissance will give them confidence in their oversight of cybersecurity challenges. The feared trillion-dollar loss figure has entered the fear-factor gauge as infrastructure breakdowns, halted operations, ransomware demands and egregious data leakages have grabbed headlines all over the world. Some of the most sensitive organisations in the world have fallen prey, despite massive investment in cybersecurity!
The basic three-part renaissance required can be summarised as follows:
1. Raise global awareness about the subject: use examples, videos, material drawn from repositories, sessions by experts and a cutting-edge self-study module made freely available for widespread use.
2. Build a culture of safety: Nothing short of global cooperation will work. All incidents, patches, clever attempts to steal, closed down operating assets and restarting strategies must be uploaded to a global repository. Access to the repository must be authorised, universal and uninterrupted. Custodians for this repository should be Central banks of the largest 10 nations on earth, by rotation. All tools, protocols and frameworks that create safety must also be universally shared.
3. Build human and mechanical competence to detect early and counter threats: No lags in continuous monitoring and auditing should be tolerated by the system. Any post facto checks can only be useful as future learnings about attempted attacks. Any breach is too costly to afford and therefore must immediately be uploaded to the repository. As the repository is a true universal asset, it will acquire the status of being protected, curated and shared universally.
Only an establishment with infrastructure of this quality will support unstoppable enhancement in computer power, as quantum computing comes online. Storage and retrieval systems will also have to be constantly kept in a state of accelerated improvement. The battle between the forces of good and the evil will have to be transported to cyberspace. Knowledge and vigilance must trump greed and fear!
I invited three organisations whose boards I chair to share their policies and practices. I am sharing these practices here, which have evolved over years of effort, to serve as examples of how all can learn and improve by sharing:
Lessons from Blue Star Limited
Cybersecurity risk management is a process of swift detection of emerging risks, assessing their potential impact, and determining how to respond in an agile manner if those risks materialise. A cybersecurity management strategy is kept refreshed at all times, as experience builds.
Effective cybersecurity risk management happens on a continuous basis, both at cultural and operational levels.
Blue Star has enhanced its cyber risk management framework through the following initiatives:
• Establishing Culture
While developing a cybersecurity risk management programme, the first thing to initiate is embedding it in the company’s culture. The average cost of a cyberattack is approximately $1 million, and 37 per cent of organisations attacked have had their reputation tarnished as a result of the attack. This is why a cybersecurity-focused culture must be established at all levels in the organisation, to prevent loss.
An important aspect is guarding against vulnerable human behaviour. This is done by adequate training and awareness to recognise phishing emails and other social engineering attacks.
• Security Operations Centre (SOC)
Blue Star implemented Security Operations Centre services that house an information security team responsible for monitoring and analysing the security posture on an ongoing basis. The SOC team works closely with the organisation incident response team, to ensure that security issues are addressed quickly upon discovery.
Benefits of SOC to Blue Star:
1. Monitoring of security-related incidents round the clock and correlating them with global emerging threats.
2. Proactively hunting for targeted attacks, advance threats, and campaigns.
3. The ability to ward off a ransomware attack.
4. Reduction in the incident investigation and remediation time.
• Vulnerability Assessment and Penetration Testing (VAPT)
Periodic comprehensive VAPT testing is a strictly disciplined activity. This includes Application Security review, Wi-Fi Penetration testing, Infrastructure Penetration Test, Endpoint Security Review and Secure Configuration Review for Servers & Networks.
• Secured Websites
Deployed SSL certificates for web portals; security standard compliance extended to software partners.
• Information Security Policy
A set of policies and procedures has been formulated to ensure users understand and comply with a set of guidelines on handling of information stored within Blue Star’s network and systems.
• Information Rights management tool
Data residing in unsecure locations is accessible to individuals who must not have access to it. This is a common use case within any organisation, where unintended user groups gain access to data. Such a situation may cause data leakage to parties which do not have the organisation’s best interests in mind.
Blue Star has deployed Seclore software to protect the flow of sensitive information. This helps to protect sensitive data that is shared between internal users and user groups. Pre-defined permission policies are applied to documents stored in file repositories and file server folders. When a document is added to the repository or the folder, permissions for print, copy and forward are attached to the document. Only certain groups of users are allowed access to sensitive documents.
• Protection during Internet Access
Data on employees’ laptops is protected at all times, even when employees are outside the Blue Star network, i.e. when they are accessing the Internet over less secure and vulnerable public Wi-Fi connections or from home. An intelligent guard is carefully installed to protect against malicious websites, viruses, worms and Trojans. This is especially important when almost all of our organisation is working remotely.
Also, there might be incidents when some of us inadvertently access links that may be malicious. This is where the Zscaler Cloud Proxy tool kicks in to guard employees’ machines while accessing the Internet. The tool also offers a dashboard that provides important MIS on overall security and usage.
• Backup and restoration
Blue Star has enhanced its data protection by introducing an enterprise class back-up and restoration tool to retrieve data during any cyber or other disruptions.
• Insurance Policy
A cyber insurance policy has been obtained to protect the company from loss incurred through corruption of its data by unauthorised software, computer code or third-party data, wrongful appropriation of network access codes, disclosure of third-party data by the company’s employees, etc.
Cybersecurity insight from L&T Financial Holdings Ltd
The potential data loss from a hack per company could run into millions per year. One failure to defend against a hack can spell disaster. Most of the attempts get repulsed at the external firewall-level itself.
Key aspects of defence (It is more or less like Army defence of land):
1. Be aware of possible avenues of breach. Examples are third party APIs, vendor access to systems etc. These are more vulnerable.
2. Invest proactively to strengthen the posture of defence.
3. Create awareness among all employees of cybersecurity’s importance and reduce the chances of accidentally or intentionally leaking information outside. Access control and development code are held in code repositories instead of on individual machines.
4. Have multi-layered architecture to ensure that the attacker, if successful, does not get deep within.
5. Everyone has a role to play in defence and it is not only the cybersecurity team’s job. While that team leads the effort, others have to complement.
6. Regular sharing of practices among companies. This builds an overall environment that is hostile to attackers, who are thus less encouraged.
System malfunction is curtailed. Security checks that increase the per-transaction time taken are weeded out continuously as new techniques become available.
Access controls might deny usage options to genuine users sometimes. Potential mitigants that we apply are as under:
1. Sanity testing of production systems before making them live.
2. Performance testing post implementation of information security controls with simulated traffic in pre-production environment.
A critical aspect is: how exactly does information security get staffed? For most of the evolved functions, a separate layer which conducts audit is deployed, i.e. internal audit and statutory auditors. Information security must avoid the inherent conflict of interest, so providing security and auditing it are kept separate.
Information security is a new function, but slowly the internal audit function is being beefed up through reskilling. Statutory auditors also have to pick up the slack as they get into ESG and technology-driven continuous audits.
Insights from NSDL e-Governance Infrastructure Limited
There are six pillars around which IT security has been thought through. These are:
1. IT Infrastructure security - covers aspects like server patching, network security, firewalls, access etc. for both cloud and on-premises infrastructure. This is a monthly activity to update all patches and secure all bases.
2. Application security - covers all APIs, mobile applications and all existing workflow applications. All changes have to be first cleared through information security and the testing of the production environment is also done.
3. Endpoint security - since we are a BYOD company, this operates under a zero-trust policy. Tools are deployed to enforce a checkpoint between the device and our network layer. Monitoring of the end device is also in place.
4. Third-party risk - we have a large ecosystem of third parties comprising fintechs, bureaus, call centres, vendors and other technology partners. We try to have controls over them through either direct control using audits, or we give them pointers for self-certification. Self-certification is used in case of large companies only.
5. Business resilience - ensuring that DR (disaster recovery) is applicable, or that applications run in high-availability mode, so that business continues in case something goes wrong.
6. Security governance - last but not least, regular review of our status. A monthly security posture review is done by the CDO and CRO. In addition, this also gets reviewed at the Board committees for RMC and IT strategy.
Some of the important cyber and digital security measures deployed are:
1) Global Standards and frameworks that are most widely and successfully used. A yearly update is mandatory.
2) Multilevel, defence-in-depth security architecture deployment. Data traffic is subjected to at least 4-5 levels of scrutiny / checks (using different methods) before it reaches the main system.
3) Daily automated scanning of application systems and infrastructure is done to detect any newly known vulnerabilities early. Findings are reviewed / verified and an action plan is defined to fix these vulnerabilities. Counter-measures such as a Web Application System (machine learning based) are deployed to prevent the exploitation of vulnerabilities that need time to fix (due to a version upgrade or an application dependency).
4) Security posture (attack surface assessment) and benchmarking against the peers in the industry is carried out using automated platform-based services. A real-time dashboard helps regular monitoring and planning of action to maintain / enhance the posture.
5) Zero trust approach – Role-based access is followed. Internal users also don’t get to access the system directly. Firewall rules determine who will be allowed access. Privileged users don’t have access to credentials. An intermediate system logs in using securely stored credentials, and each action is logged / anonymised.
6) Industry standard key strengths and algorithms are adopted. This applies to all three states: data in motion, data at rest and data in use.
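The zero trust point above describes a broker pattern: the privileged user never holds the target credential, an intermediate system logs in on their behalf, and every action is recorded under an anonymised identity. The following is an added illustration of that pattern, not NSDL's system; the role table, source-network allow list, secret store and audit salt are all constructed assumptions.

```python
"""Added example of a zero-trust action broker (not NSDL's code).

The caller presents only its own identity; the broker checks the source network
(standing in for the firewall rule), the role, and then logs into the target
with a credential only the broker can read. The audit entry carries a keyed
hash of the user so actions can be correlated without exposing the name.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed role -> permitted actions (assumption, not from the page).
ROLE_PERMISSIONS = {
    "dba": {"db.backup", "db.restore"},
    "ops": {"server.restart"},
    "auditor": set(),  # read-only role: may not invoke any privileged action
}

# Constructed user -> role map and jump-host subnets the firewall rule allows.
USER_ROLES = {"alice": "dba", "bob": "ops", "carol": "auditor"}
ALLOWED_SOURCES = ("10.0.5.", "10.0.6.")

# Credential store readable by the broker only; callers never receive its contents.
_SECRET_STORE = {"prod-db": "svc-password-placeholder"}
_AUDIT_SALT = b"constructed-salt-for-anonymisation"

AUDIT_LOG = []


def anonymise(user: str) -> str:
    """Keyed hash of the user name: stable for correlation, not reversible by log readers."""
    return hmac.new(_AUDIT_SALT, user.encode(), hashlib.sha256).hexdigest()[:16]


def _target_login(target: str) -> str:
    """Stand-in for the intermediate system opening a session with the stored credential."""
    cred = _SECRET_STORE[target]
    # Only a fingerprint of the credential ever leaves this function.
    return f"session:{target}:{hashlib.sha256(cred.encode()).hexdigest()[:8]}"


def broker_action(user: str, source_ip: str, target: str, action: str) -> dict:
    """Authorise the request, execute it via broker-held credentials, and audit the outcome."""
    role = USER_ROLES.get(user)
    if not source_ip.startswith(ALLOWED_SOURCES):
        outcome = "denied:source"          # firewall rule: wrong network
    elif role is None or action not in ROLE_PERMISSIONS[role]:
        outcome = "denied:role"            # role-based access check
    elif target not in _SECRET_STORE:
        outcome = "denied:unknown-target"
    else:
        outcome = "ok:" + _target_login(target)
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": anonymise(user),          # anonymised, never the raw user name
        "source": source_ip,
        "target": target,
        "action": action,
        "outcome": outcome,
    }
    AUDIT_LOG.append(entry)
    return entry


if __name__ == "__main__":
    print(broker_action("alice", "10.0.5.12", "prod-db", "db.backup"))
    print(broker_action("bob", "10.0.5.12", "prod-db", "db.backup"))
    print(broker_action("alice", "192.168.1.5", "prod-db", "db.backup"))
```

The check order matters: the network test runs first so that a request from outside the permitted jump hosts is refused before any role lookup, mirroring the page's statement that firewall rules decide who is allowed to reach the system at all.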
7) Unstructured data is monitored based on the policy defined by the respective data owners. Data leak prevention systems block the data, disallowing its transfer through any channel (removable storage, web-based storage, print or email).
8) Emails contain critical information, as these are the most preferred channels of communication. Therefore, email on mobile is provided only through separate secured containers within users' mobile devices. This provides features such as disallowing copying data attachments outside the container, taking screenshots etc. If email is forwarded, DLP rules would apply.
9) Data traffic of all the above technologies / devices is monitored 24x7 with the help of state-of-the-art tools, fine-tuned processes and skilled resources. Correlating events, detecting anomalies and triggering a ticket to the resolver group is an automated process.
10) A well-thought-out cybersecurity / information security policy and process are deployed to ensure uniformity of action in meeting the organisation's security objectives. Continuous review and fine-tuning are undertaken to ensure robustness. Review is done up to the board level for critical cybersecurity policy.
11) Continuous security awareness training is provided to all the employees of all levels. Awareness sessions are conducted for top management and board members.
12) All these controls are audited on a continuous basis by internal auditors / independent experts as well as the certification auditors, and reported to the audit committee of the board.
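Both the Blue Star SOC section (round-the-clock monitoring correlated with global emerging threats) and point 9 above (automated correlation, anomaly detection and ticket creation) describe the same core loop. The block below is an added illustration of that loop, not either organisation's tooling: the syslog-style lines, the threat-feed entry, the threshold and the time window are constructed assumptions.

```python
"""Added example: correlate constructed log events and raise tickets automatically.

Two rules are applied: (1) a successful login preceded by several failures from
the same source within a short window, and (2) an outbound connection to an
address on a threat feed. Both produce a ticket dict for a resolver group.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:06Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09Z auth sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00Z auth sshd: Failed password for bob from 10.0.5.20
2024-03-01T09:30:00Z auth sshd: Accepted password for bob from 10.0.5.20
2024-03-01T09:31:00Z proxy squid: CONNECT 198.51.100.9:443 from 10.0.5.21
"""

# Constructed stand-in for the global emerging-threat feed the page refers to.
THREAT_FEED = {"198.51.100.9"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<facility>\S+) (?P<prog>\S+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$")
PROXY_RE = re.compile(r"^CONNECT (?P<ip>[\d.]+):\d+ from (?P<src>\S+)$")

FAIL_THRESHOLD = 3            # failures before a following success is suspicious
WINDOW = timedelta(minutes=2)  # failures older than this are not counted


def parse(log_text: str) -> list:
    """Turn raw lines into events with a datetime, program name and message."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the pipeline
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "prog": m["prog"], "msg": m["msg"]})
    return events


def correlate(events: list) -> list:
    """Apply both rules in timestamp order and return the tickets raised."""
    tickets = []
    failures = defaultdict(list)  # (source ip, user) -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        a = AUTH_RE.match(ev["msg"])
        if a:
            key = (a["ip"], a["user"])
            if a["result"] == "Failed":
                failures[key].append(ev["ts"])
                continue
            recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                tickets.append({
                    "rule": "auth-success-after-failures",
                    "source": a["ip"],
                    "user": a["user"],
                    "failures": len(recent),
                    "at": ev["ts"].isoformat(),
                })
            failures[key].clear()  # a success resets the counter for that pair
            continue
        p = PROXY_RE.match(ev["msg"])
        if p and p["ip"] in THREAT_FEED:
            tickets.append({
                "rule": "threat-feed-match",
                "source": p["src"],
                "destination": p["ip"],
                "at": ev["ts"].isoformat(),
            })
    return tickets


if __name__ == "__main__":
    for t in correlate(parse(SAMPLE_LOG)):
        print(t)
```

On the sample, bob's single failure half an hour before his login raises nothing, while the admin login after four rapid failures and the proxy connection to the listed address each produce a ticket; the window and threshold are the knobs a SOC tunes to keep the resolver group's queue free of noise.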
Cybersecurity is receiving adequate attention at the highest levels and awareness is getting widespread. The battle is on. Winners will be those who are diligent and vigilant.
The writer is a corporate leader based in Mumbai. He is a chartered and cost accountant and writes regularly on the Indian economy and public policy