By Sachin Yadav – Partner, Financial Advisory, Deloitte Touche Tohmatsu India LLP &
Shailesh Kand – Associate Director, Financial Advisory, Deloitte Touche Tohmatsu India LLP
The changing macro- and micro-environment are prompting organisations to transform the way they handle enterprise security. Cyber risks have become more connected and complex with the adoption of a digital-first, cloud-first, and connected environment, where perimeters have dissolved, and data is scattered across platforms and endpoints. According to Deloitte’s “2021 Global future of cyber” survey, when asked about the greatest barriers to managing cybersecurity, 44 percent said “data management traversing complex perimeters”. Data breaches are increasing at an alarming rate, with a likely impact on customers, employees, partners, and shareholders. While cloud is a great enabler, it also disperses data, making it difficult to have visibility across the data lifecycle.
Similarly, while organisations proactively work towards shielding against an external threat, most tend to overlook the threat on the inside, commonly known as an “insider threat”, malicious or non-malicious employees, who could intentionally or inadvertently release sensitive data (Intellectual Property data, PIIs, or other sensitive information).
Businesses today need to be more vigilant around data and users and have robust processes in place in the event of a breach or a fraud. This can be made possible with a holistic approach towards security that goes beyond protection and prevention, and towards faster detection, recovery, and post-attack analysis with the right technology. In addition, having a cyber-aware workforce, an organisational culture built around security, and robust processes for governance and accountability can truly transform enterprise security.
Securing the world around data
Organisations are being shaped around data—improving efficiencies, driving innovation, fostering a sustainable environment, amongst others. Data is also the holy grail for the risk and the security function—to evaluate and quantify risks, foresee and respond to threats, foster decision making, and improve the overall risk management programme. How data is catalogued, stored, protected, monitored, and destroyed, determines how secure it is. It also determines that in the eventuality of a compromise or a fraud, how it can be recovered or a forensic analysis carried out to identify the root cause.
As organisations embrace cloud, it becomes imperative to secure the data across cloud platforms. To improve security and vigilance on the cloud, organisations need enhanced visibility using tools such as Cloud Security Posture Management (CSPM). CSPM tools help watch out for compliance violations, possible threats, misconfigurations, and unauthorised access/insider threats. Similarly, access and authorisation need to be more granular and dynamic, tied to contextual security information (device security posture, device integrity, etc.).
To secure the data throughout its lifecycle, companies can use technologies such as Data Loss Prevention (DLP), Cloud Security Posture Management (CSPM), Multi-Factor Authentication (MFA), Zero Trust Access (ZTA), and control insider risk through continuous monitoring, behavioural analytics, and next-gen detect and respond.
At the same time, it is important that “data responsibility” as a mind-set is inculcated business-wide for organisations to act responsibly with customer, employee, or third-party data. According to the “Crime in India 2021 – statistics volume II” , by the National Crime Records Bureau (NCRB), a total of 52,974 cybercrimes were reported in 2021. Any data breach that can potentially expose customer data, can make them further susceptible to cyber crimes and frauds. With the recent release of the draft Digital Personal Data Protection Bill, 2022, and from FY2023, mandatory reporting of cybersecurity and data privacy complaints in the Business Responsibility and Sustainability Report (BRSR), organisations will need to evaluate how they deal with personal data.
Managing insider threats
With respect to insider threats, employees may be the weakest link in cyber security, but it is crucial to consider their working environment and mindset. When conducting formal business, employees need to feel as though they are dealing with something significant and personal. A clear explanation of the repercussions of their lack of care and attention should be presented to them along with updated ways and tactics to safeguard devices and data. They may be affected by adverse events that impact the company.
Key factors resulting in cyber-attacks include, but are not limited to, inadequate password management, lack of employee awareness, applications and software downloaded from untrusted sources, regular patching, not updating IT assets in a timely manner, visiting malicious or unsecured sites, insecure data transfers, exposure to confidential information, using pooled IT resources for official purposes, responding or sharing information with an unknown person, and using unmanaged networks while working remotely.
Leveraging the power of AI/ML
Deepfakes, commonly referred to as synthetic media, may be used for purposes other than mimicking famous people and giving greater credence to false information. Organisations are exploring how Machine Learning (ML) can spot fraudulent activities, such as buying fake goods or using fake identities.
Legal limitations on exchanging data with other organisations, even to detect fraud, present a challenge. Teams employing ML technologies assess models using test data, counting the number of false negatives, false positives, true positives, and true negatives using an answer key. IT and cybersecurity experts must monitor how the actions of new clients change over time once onboarded.
Business leaders face many challenges with cybersecurity, trust, brand reputation, and digital rights management. Web3.0 and the metaverse may require new implementations across networks and partner ecosystems. This can expand the surface area of vulnerability and data risk for businesses that are already concerned about these disruptions. With added layers of complexity, malevolent actors may find new and advanced ways to attack organisations.
In a world of computers and machines, employees may come across as the easiest targets. But they could prove to be assets when equipped with the right tools and necessary guidance. Anything can be achieved when minds that want to make a difference come together, including cyber security.