With cyberattacks becoming commonplace in the digital world and with business models and technologies changing, the need of the hour is a compliance and regulatory framework for every organization across industries.
For a CIO in 2022, there remain several challenges that need to be tackled, but the major concern will always be security. Though businesses started moving their assets to the cloud even before the pandemic, the switch to a remote workforce further accelerated the process, and with it, IT monitoring and security became one of the top priorities for a CIO.
“With the increase in SaaS based applications, organisations are required to build stringent security controls at their edge networks,” says Saravanakumar Krishnamurthy, Executive Vice President – Technology Engineering – IT, Network & Cyber Security at YES BANK. “The underlined statement should always be to secure the data, whether it is on the cloud or on premises. At the same time I believe that internal threats, which are mostly unknown or internal dark web for many organisations will be one of the key issues CISOs need to address on a war foot basis. Cyberattack groups are openly challenging and stating openly they are injecting attacks on big organisations. The Lapsus$ group is one of the classic examples,” he adds.
The BFSI (Banking, Financial Services and Insurance) sector has remained a primary target of cybercriminals over the last several years, given the amount of sensitive data that it has to deal with. As someone from the BFSI sector, Saravanakumar believes that some of the top cybersecurity threats that continue to threaten this sector are ransomware, DDoS, bots, phishing, data exfiltration (data theft), and DNS and domain hijacking. “These are the most sophisticated attacks that give real threats to the BFSI sector,” he says.
The need for Regulations & data protection laws
A data breach or a cyberattack of any kind can have a long-term psychological effect on an individual or a business, while also impacting the reputation of a brand. Also, every society perceives threats differently, so each kind of threat has to be measured and addressed with a different approach. The key concern, however, remains awareness.
“The amount of initiatives and programs relevant to Cybersecurity happening across the globe and in our country are still in a minuscule percentage as compared with the amount of cyberattacks taking place. Many countries in fact do not have adequate policies and strategies in place to combat these kinds of cybersecurity issues,” Saravanakumar observes.
In a country like India, where business models are mostly technology driven and businesses adopt the latest technologies well ahead of many developed countries, Saravanakumar says that ground-level issues should be addressed first before formulating any security policy. “Security policies, frameworks and standards should be aligned after addressing these issues and only then it will get easily assimilated into the culture itself,” he explains.
The regulatory landscape is, however, slowly changing, with most nations coming up with their individual data protection laws and regulations. But as Saravanakumar explains, before understanding exactly what we expect from a data protection law, an organisation needs to segregate its data into structured and unstructured, classify the data, secure the data, and then know how to govern the data.
“We should first formulate a proper data lifecycle model and then implement the data protection or privacy regulations. As far as the BFSI sector is concerned, the Reserve Bank of India (RBI) should bring more data awareness programs and publications and make an assessment of the industry,” he concludes.