Improving Cyber Security for Businesses#CyberSecurity #WorkFromHome #Cloud #Proactive #Cisco
With a shift towards the hybrid work model, there is a growing concern with increased cyber threats. In this scenario, it is important to focus on building awareness while also strengthening cybersecurity through technology.
August 2022: At the Cisco & Proactive Leadership Knowledge Turf organized by Pro MFG Media, industry leaders came together to discuss how cybersecurity could be enhanced for businesses. The esteemed speakers included Badar Afaq, Head IT, Antara Senior Living (A Max India Enterprise), Manoj Bhat, Director IT- Asia Pacific, Dassault Systèmes, Preeti Singh, Associate Director - IT, Osttra (CME Group & IHS Markit), Rajveer Singh, Global Lead - Information & Cyber Security Risk Management, Saxo India, Shashank Shekhar, Head AI Labs, Subex, Vikram Dhanda, CISO, Virtusa, Kuljit Hooda, VP & Group CISO, Xceedance, Rajiv Kumar, CEO, Proactive Data Systems, Hitesh Kumar, Cybersecurity Sales Specialist, Cisco. The session was moderated by Shrikrishna Dikshit, Partner Cybersecurity, Nangia Anderson LLP. Here’s an overview.
Cybersecurity Risk in Work-from-home
Manoj Bhat of Dassault Systèmes started the discussion by highlighting the growing significance of work from home and the role of cybersecurity in this context. “When it comes to work from home, I think many of us love it. This is here to stay. But when it comes to cybersecurity risks, one of the things which we have seen commonly and all of us would probably agree on is the fact that when we are at home, it’s a WiFi or a broadband access, which is probably not so secure. Also, what worries me is the fact that people copy a lot of data onto their laptops. Similarly, when a person is working from a public place, there is a huge amount of security threat as the laptop could fall in the hands of wrong people or someone might overhear a conversation about confidential information when the person is speaking on the phone. But when you are working from the office, you have firewalls in place and you are behind a secure perimeter, which is being taken care of by a dedicated team. When you are in the office there are chances that you are a little bit more aware as compared to when you are sitting away from the office. And, of course, your password is not kept secure or if it is weak then data leakage in this kind of insecure environment will be relatively high. Remote working is good. But we need to take a lot of care. And that’s how we can do better.”
Awareness is Key
Preeti Singh of Osttra (CME Group & IHS Markit) remarked that while work from home could make employees happy, it does pose cyber threats in terms of WiFi security and phishing, where employees are most vulnerable. “So creating awareness amongst the staff is of paramount importance for organization even when there is a hybrid work model. Organizations should also build strong security policies with regards to the bring your own devices (BYOD) system,” she said. Speaking in the context of cloud, Ms. Singh said that it offers a lot of agility and flexibility and has also reduced the cost. “So, by considering all these factors, organizations want to offer cloud services, but at the same time, it’s not very easy when it comes to security. That’s where we need to put a lot of security controls.
More Complex Environment
Rajiv Kumar of Proactive Data Systems, pointed out that when it comes to remote working, it is not hundred percent secure despite all efforts. “The other problem in this scenario is the use of multiple products for various requirements. This also means additional security threats. And in turn, it means that you need bigger teams to handle such situations.” He also added that while the frame had its issues, these issues became more complex with the cloud. “With remote working, it has become far more complex”
Authentication is Important
Badar Afaq of Antara Senior Living, sharing his thoughts said, “We have to live with this option of the cloud due to the overall impact of Covid including the work from home phenomenon. I see the cloud security infrastructure in three ways. One is access and physical security. Access at all levels should be secure at all levels. Secondly, it is about the database. Application should have multi-factor authentication. Thirdly, we should have some monitoring tools and threat protection tools.”
Importance of Zero Trust
Shashank Shekhar of Subex highlighted the importance of Zero Trust by saying that it has become the key to provide secure access in this new paradigm of work from anywhere hybrid work model. “Zero trust offers a very sophisticated, adaptive and continuous protection for users, for data as well as for assets. And hence, it provides an inherent capability to manage any potential threats in a proactive fashion. Where it differs from your traditional approaches is that it monitors each and every transaction and aims to wrap security around every user, every device and every connection. The base assumption of the zero trust model is that each connection and endpoint is a threat. And hence every connection and endpoint needs to be monitored. Now, when it comes to zero trust, there are many best practices and principles like multi-factor authentication, separation of duties, and parties in the network.”
He explained the three tenets of zero trust. “The first one is limiting and controlling access to the network. The second one is about verifying and securing the network. The third one is about logging and monitoring all network traffic. Organizations are leveraging state of the art machine learning techniques to detect any potential anomaly in the traffic and then take remedial actions to prevent any breach or attack or any potential malpractice. When it comes to artificial intelligence, along with a zero trust model, organizations are able to proactively manage those threats leveraging artificial intelligence.”
Critical Control Points
Hitesh Kumar of Cisco simplified the meaning of zero trust to ‘don’t trust anybody’ whether it is an internal employee internally trying to access some application sitting in front of a data center or accessing some application in the cloud. When it comes to enforcement or identifying what kind of data is coming in, having those critical control points, whether it is on endpoint, whether it is on email security or whether it is on the cloud, security is in terms of hybrid. When it comes to our solution, Cisco has got you covered, whether we are talking about endpoint control points, or applying security on your endpoints or applying security on your applications which are residing in your data center or in the cloud as well. One of the things is posturing. Because when it comes to the cloud, you might have different compliance requirements for your data. So having the visibility on your end to end posture, defining your posture by yourself is the best solution. And Cisco has created a solution along with our partner's Jupiter one, which will give you visibility on your end to end posture, and give you a blast radius as well. You should always follow the principle of least privileged access on how you define it on premises versus how you define it on cloud.”
Safeguard the Entire Ecosystem
Rajveer Singh of Saxo India explained the threat could either be a third party, an employee or anyone else, leading to exposing an organization in various ways. He further explained, “We wanted to actually leverage technology in different various ways. We have solutions where we can actually identify and take action to insider threats. We have to adapt our environment and employees to that level that they all understand the requirement of security. Of course, there is exposure and we can never say that we are 100 percent secure. But it is always a choice to minimize it. I would also talk about strict background verification checks. So this is also gradually being done by all the organizations in a predictable manner. That’s nothing to do with technology but more about from where and who is coming to your organization, even onboarding a partner or a vendor. As far as technology is concerned, technology, people and processes should be built together to secure the environment. That’s how we can safeguard the entire ecosystem.”
Most Overlooked Aspect
Confidentiality, integrity and availability are the three pillars of information security. Privacy is the new addition to it. Speaking in this context, Kuljit Hooda of Xceedance said that each has its own importance. “Confidentiality is the first pillar that generally is the most visible one – to the client, to the end user. That is the easiest to address. There are tools available for confidentiality that you can easily apply for access control. Second is about integrity. Integrity is the thing which you can’t implement very well, because of the real challenge that not everything is being maintained in a secure environment. It is very difficult to maintain the integrity and that costs companies millions. That can happen if I share the wrong information with the client or if I don’t share the complete information with the client. So integrity is of utmost importance. If availability is not there, you can still sustain for a time being. But integrity is the most overlooked and the most important aspect.”
Special case of confidentiality
Vikram Dhanda of Virtusa described privacy as a special case of confidentiality. “It’s not something additional. Well, if you can ensure confidentiality, the entire way you take care of privacy. So this is not going to be leaked out. Our notions of privacy are also culturally based; they have evolved over a period of time. These two things, if you secure, the rest gets taken care of. So once your internet is the land, it doesn’t really matter where you are, you are truly enabling work from anywhere. And if you can now ensure that the internet is secure by using some sort of a secure proxy solution, you take care of a lot of problems at the very outset.”