What have been the major shifts, trends and challenges in risk governance and information security in 2020?
The pandemic, and its resulting changes to the business world, accelerated digitalisation of business processes, endpoint mobility and the expansion of cloud computing in most organizations, forcibly changing legacy thinking and technologies.
COVID-19 refocused security teams on the value of cloud-delivered security and operational tools that do not require a LAN connection to function, on reviewing remote access policies and tools, on migration to cloud data centres and SaaS applications, and on securing new digitisation efforts to minimise person-to-person interactions.
In terms of shifts and trends in information security risk governance, privacy is becoming a discipline of its own. No longer just a part of compliance, legal or audit, it is an increasingly influential and defined discipline affecting almost all aspects of an organisation.
A new digital trust and safety metric focuses on maintaining the integrity of all interactions where the consumer meets the brand. Consumers interact with brands through an increasing variety of touch-points, from social media to retail. Security for these touch-points is often managed by discrete groups, with specific business units focusing on the areas they run.
Third-party cyber security risk is a potential threat to the organisation and to customer data. Organisations have to be extra vigilant about their engagement models to minimise supply chain risk. AI is now creating new security responsibilities for protecting digital business initiatives. AI, and especially machine learning, continues to automate and augment human decision making across a broad set of use cases in security and digital business.
Security process automation is also emerging to eliminate repetitive tasks. The shortage of skilled security practitioners and the availability of automation within security tools have driven the use of more security process automation.
Moreover, network security is transforming from a focus on LAN-based appliance models to cloud-delivered security services. Cloud-native applications require different rules and techniques, leading to the development of cloud workload protection.
What are the major threats and challenges arising from these trends?
Interconnected attack surfaces are among the major threats. Due to the increase in working from home and cloud migration, attackers get more opportunities to penetrate an organisation's IT infrastructure. Credential and identity theft also continue to accelerate, with the use of insecure and dormant account access keys for malicious access to critical systems. Furthermore, emerging technologies, especially deepfakes (AI/ML) and 5G, accelerate cyber threats. New attack vectors are emerging due to the increased penetration of fast internet and higher compute power.
The digital payments and finance domain has grown stronger and the FinTech ecosystem has expanded. How do you see this, and what have been NPCI's efforts in line with this?
Digital business has created a new ecosystem, one in which partners add new business capabilities and security complexities. The objective is to provide an ecosystem that balances the requirement to protect the enterprise with the need to be innovative, resilient and risky, and to remain competitive. The majority of vulnerabilities exploited will continue to be ones known to security and IT professionals at the time of the incident.
NPCI continues to invest in the people, processes and technology needed to ensure that the IT infrastructure, the information it generates and the digital identities that access that information remain safe and secured by state-of-the-art technologies for guarding and monitoring them.
Maintaining the privacy of details is of paramount priority for us. NPCI drives around 2.5 billion transactions on a monthly basis using its indigenously developed platforms like RuPay, UPI, IMPS, AePS, NETC FASTag, etc. We have deployed various technologies to upgrade our security posture, leveraging a multi-layered defence approach to combat evolving cyber threats. These systems are built with high resiliency and protection to cater to our vision of being the ‘best payments network globally’.
How is NPCI leveraging AI/ML for risk management?
We have also embarked on a mission to be an AI/ML organisation by 2022. Our entire staff, including the leadership team, is constantly undergoing training on the AI/ML front. The fraud risk management function, as part of NPCI, has designed and implemented a real-time fraud risk monitoring and management solution. The solution is envisaged as a value-added service offered by NPCI to its member participants as a real-time monitoring tool for fraud detection and prevention. This system uses built-in AI/ML capabilities to predict fraudulent transactions. We have had an increase of more than 50 per cent in our fraud catch rate after deploying the AI/ML algorithms. As the model matures, we expect a higher lift.
In addition, we are working on a few other areas to leverage AI/ML. These include information security and HR, in areas such as user entitlement behaviour, attrition, employee queries and the use of chat bots.
What will be the digital best practices in risk governance in 2021?
The spectrum of review evolves every day, as the cybersecurity space faces newer trends every moment given the pace of growth in this segment.
Zero-trust network access technology begins to replace VPNs: The COVID-19 pandemic has highlighted many of the problems with traditional VPNs. Emerging zero-trust network access (ZTNA) enables enterprises to control remote access to specific applications. This is a more secure option, as it hides applications from the internet. This reduces the risk of an attacker piggybacking on the VPN connection to attack other applications.
Secure Access Service Edge (SASE): Perimeter network security is transforming from a focus on LAN-based appliance models to SASE cloud-delivered security services, which are growing increasingly popular with the evolution of remote office technology. SASE technology allows organisations to better protect mobile workers and cloud applications by routing traffic through a cloud-based security stack, instead of backhauling the traffic so that it flows through a physical security system in a data centre.
Extended Detection and Response (XDR): Network behaviour and anomaly detection solutions are emerging that automatically collect and correlate data from multiple security products to improve threat detection and provide incident response capabilities.
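The ZTNA point above (per-application access brokering versus a flat VPN tunnel) is easiest to see as policy code. The following is an added example written for this page; it is not NPCI's code and does not describe any product named in the interview. The users, device attributes, applications, policy table and the stolen-credential scenario are all constructed for illustration.

```python
"""Added example (not from the interview or NPCI): flat VPN access versus
per-application zero-trust brokering. All names and policies are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    edr_running: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device: Device
    app: str


# Constructed per-application policy: required group plus device-posture requirement.
# Anything not listed here is simply not reachable through the broker.
APP_POLICY = {
    "payroll":  {"group": "finance", "require_managed": True},
    "wiki":     {"group": "staff",   "require_managed": False},
    "db-admin": {"group": "dba",     "require_managed": True},
}


def vpn_decision(req, valid_credentials):
    """Traditional VPN: once the tunnel is up, every internal application is
    reachable at the network layer. Device posture and the target app play no role."""
    return "allow" if valid_credentials else "deny"


def posture_ok(dev):
    """Minimal device-posture check used by the ZTNA policy."""
    return dev.managed and dev.disk_encrypted and dev.edr_running


def ztna_decision(req, valid_credentials):
    """ZTNA broker: each request is evaluated against the policy of the specific
    application; the application itself is never exposed on the network."""
    if not valid_credentials:
        return "deny"
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny"  # unlisted app: default deny, nothing to piggyback on
    if policy["group"] not in req.groups:
        return "deny"
    if policy["require_managed"] and not posture_ok(req.device):
        return "deny"
    return "allow"


def compare(req, valid_credentials=True):
    """Both decisions for the same request, side by side."""
    return {"vpn": vpn_decision(req, valid_credentials),
            "ztna": ztna_decision(req, valid_credentials)}


def stolen_credential_scenario():
    """Constructed scenario: an attacker on an unmanaged laptop holds a finance
    user's stolen password and tries every app. Returns {app: {vpn, ztna}}."""
    attacker_device = Device(managed=False, disk_encrypted=False, edr_running=False)
    groups = frozenset({"staff", "finance"})
    return {app: compare(Request("alice", groups, attacker_device, app))
            for app in ("payroll", "wiki", "db-admin", "legacy-erp")}


if __name__ == "__main__":
    for app, decision in stolen_credential_scenario().items():
        print(f"{app:10s} vpn={decision['vpn']:5s} ztna={decision['ztna']}")
```

With the stolen credential, the VPN model returns "allow" for every application because the tunnel grants network reachability; the ZTNA broker only allows the low-sensitivity wiki (no posture requirement) and denies payroll on device posture, db-admin on group membership, and the unlisted legacy-erp outright, which is the "hides applications from the internet" property in practice.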
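The XDR description above (collecting and correlating data from multiple security products) can be illustrated with a minimal cross-source correlation. This is an added example for this page, not NPCI's code and not any vendor's XDR logic. The three event sources (an identity provider, an endpoint agent, a firewall), their field names, the sample log lines, the signal scores and the ten-minute window are all constructed for illustration.

```python
"""Added example (not from the interview or NPCI): normalise events from three
constructed security products into one schema and alert when a single
user/host shows suspicious signals from at least two sources within a window."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line, in each product's own field names.
RAW_EVENTS = """
{"src":"idp","ts":"2020-11-03T09:00:01Z","user":"alice","result":"failure","ip":"203.0.113.7"}
{"src":"idp","ts":"2020-11-03T09:00:04Z","user":"alice","result":"failure","ip":"203.0.113.7"}
{"src":"idp","ts":"2020-11-03T09:00:09Z","user":"alice","result":"success","ip":"203.0.113.7","host":"LT-042"}
{"src":"edr","ts":"2020-11-03T09:03:30Z","host":"LT-042","user":"alice","proc":"powershell.exe","cmd":"-enc SQBFAFgA"}
{"src":"fw","ts":"2020-11-03T09:04:10Z","host":"LT-042","dst":"198.51.100.9","dport":4444,"action":"allow"}
{"src":"edr","ts":"2020-11-03T11:30:00Z","host":"LT-077","user":"bob","proc":"notepad.exe","cmd":""}
{"src":"fw","ts":"2020-11-03T11:31:00Z","host":"LT-077","dst":"93.184.216.34","dport":8080,"action":"allow"}
"""

WINDOW = timedelta(minutes=10)
# Constructed weights: a single weak signal never alerts on its own.
SCORE = {"auth_failure": 1, "auth_success": 0, "encoded_powershell": 3, "unusual_outbound_port": 2}
ALERT_THRESHOLD = 4


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise(line):
    """Map one product-specific event to the common schema
    (ts, src, host, user, signal). Benign events return None."""
    e = json.loads(line)
    rec = {"ts": parse_ts(e["ts"]), "src": e["src"], "host": e.get("host"), "user": e.get("user")}
    if e["src"] == "idp":
        rec["signal"] = "auth_failure" if e["result"] == "failure" else "auth_success"
    elif e["src"] == "edr" and "-enc" in e.get("cmd", ""):
        rec["signal"] = "encoded_powershell"
    elif e["src"] == "fw" and e.get("dport") not in (80, 443):
        rec["signal"] = "unusual_outbound_port"
    else:
        return None
    return rec


def correlate(raw_text):
    """Return {entity: alert} for entities whose events within WINDOW span at
    least two sources and reach ALERT_THRESHOLD."""
    events = [ev for ev in (normalise(l) for l in raw_text.strip().splitlines()) if ev]
    # Pass 1: learn which host each user logged in to, so user-only events
    # (IdP failures carry no host) can be tied to endpoint and firewall data.
    user_host = {ev["user"]: ev["host"] for ev in events if ev.get("user") and ev.get("host")}
    by_entity = defaultdict(list)
    for ev in events:
        entity = ev.get("host") or user_host.get(ev.get("user")) or ev.get("user")
        by_entity[entity].append(ev)
    alerts = {}
    for entity, evs in by_entity.items():
        evs.sort(key=lambda ev: ev["ts"])
        for i, start in enumerate(evs):
            window = [ev for ev in evs[i:] if ev["ts"] - start["ts"] <= WINDOW]
            sources = {ev["src"] for ev in window}
            score = sum(SCORE[ev["signal"]] for ev in window)
            if len(sources) >= 2 and score >= ALERT_THRESHOLD:
                alerts[entity] = {"start": start["ts"], "sources": sorted(sources),
                                  "score": score, "signals": [ev["signal"] for ev in window]}
                break  # one alert per entity is enough for this example
    return alerts


if __name__ == "__main__":
    for entity, alert in correlate(RAW_EVENTS).items():
        print(entity, alert["sources"], alert["score"], alert["signals"])
```

On the constructed input, LT-042 alerts because the IdP failures, the encoded PowerShell launch and the outbound connection on port 4444 all land on one host within the window (three sources, score 7). LT-077 does not alert: its only suspicious signal is a single firewall event, which no individual product would have escalated either, and that is the point of correlating across products rather than alerting per tool.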
What will be NPCI’s areas of focus and efforts in this direction?
Securing the cloud: NPCI is a firm believer in the cloud playing a critical role in managing scale for its IT infrastructure. With the help of automation and the cloud, we can achieve the digital payment scale and infrastructure requirements. Some of the benefits that have been achieved with our cloud strategy include faster turnaround time (TAT) for production deployment, scalability and elasticity, improved business continuity, more resilient infrastructure, and the launch of new services and products with less worry about infrastructure availability.
Automation and integration of AI/ML: We see that in the near future fraud models using AI/ML will be used in the transaction process to reduce the 'false positives' identified by traditional risk management modules. These models also help in determining the focus of product strategy, with simplified execution and application development models to target new geographies as well as improve digital payment inclusion. This will help in risk management, reduce transaction failures and help curb fraudulent transactions.
Online dispute resolution: NPCI is developing a cutting-edge online dispute resolution system on UPI to address complaints about transaction failures and technical declines by banks on UPI. This will create a superior experience with minimal friction.
Integration of emerging technologies: At NPCI, technology is a key driver behind the implementation of innovative business ideas. We are trying our hand at blockchain, open source, IoT, cloud computing, voice assistants, wearables, API accelerators, data analytics and RPA for enabling 'phygital' experiences and protection against financial fraud. These advancements increase data governance, transparency and trust, which make early red-flag detection possible and make the systems future-ready and foolproof. We are exploring solutions to improve customer experience without compromising on security. We are also running internal experiments on voice-assisted payments and the use of BLE technology to enable offline payments.
Data transformation approach: As a technology contributor, a digital transformation mindset is the approach to design, connect, deliver and manage experiences across diverse channels and devices to maintain a singular voice throughout the context of the customer journey. DX enables the transformation of business and organisational activities, processes, competencies and models to fully leverage the changes and opportunities of a mix of digital technologies and their accelerating impact across society in a strategic and prioritised way.
Robust cyber security and risk mitigation: Security is the top-most priority for NPCI, and we have an efficient system in place to detect red flags and arrest the problem at a nascent stage. For an organisation of this size and scale of operations, with multiple projects underway, it becomes imperative for the top leadership to be observant and respond quickly to volatile external factors. Under cyber security, it is our responsibility to protect the data and transactions of every customer. Given the volume and value of transactions that occur on a day-to-day basis, we need to maintain an eagle eye over the safety aspect. In view of the increasingly prevalent cyber-crimes, our risk management and grievance redressal system provides efficient and timely solutions.