
Securing Data Privacy and Cybersecurity in Today's Tech Landscape

Companies must prioritize data privacy and cybersecurity, adopting a holistic approach to protect valuable data and infrastructure.

Ashok Pandey

Compliance, breach preparedness, threat awareness, secure environments, emerging technologies, and addressing AI/IoT challenges are crucial for enhanced security.


In today's rapidly evolving technological landscape, companies face significant challenges when it comes to data privacy and cybersecurity. The ever-growing volume of data, faster internet connectivity, remote work, and the use of new technologies have created complex environments where organizations must protect their sensitive information. Devroop Dhar, Co-Founder and Board Member of Primus Partners, sheds light on the biggest challenges facing companies and shares insights on how organizations can effectively address these issues.

Understanding the Holistic Approach to Security

The current global corporate landscape has become complex, with the ever-growing volume of data, faster internet connectivity, hybrid model of working, the use of multiple devices to access systems and data, and use of new-age technologies. Additionally, cyber threats are becoming more sophisticated with the possibility of critical sectors being deliberately targeted by different countries. This leads to critical challenges for companies in terms of data privacy and cybersecurity, including -

  • Need to understand and treat security in a holistic fashion - The biggest challenge that organizations face is a lack of understanding of the holistic approach needed towards tackling privacy and cyber security related challenges. Firstly, threats are ever-evolving, and hence organizations need to be agile and nimble. There can’t be a one-size-fits-all approach here. Similarly, organizations work with third-party contractors, vendors, suppliers etc. and many a time, people from these organizations have access to systems and data. Many organizations support Bring Your Own Device (BYOD) or allow internet access to mobile phones and tablets in office, and it is important that organizations realize that they are as vulnerable as any of these devices or any of the third-party organizations they are working with and need to take up security in a holistic fashion.
  • Handling data privacy regulations - As businesses and business models get interwoven with data, including personal data, it is ever so important to be aware of and compliant with all data privacy regulations and guidelines. Non-compliance with the same can have severe impact on the brand, reputation, client centricity and viability of businesses.
  • Cross border information sharing - Companies at times would need to share or process data across multiple geographies and need to be compliant with regulations and mechanisms of sharing and storing of information across borders.
  • Data breaches - Companies need to be fully prepared to pre-empt, prevent, and handle any data breach or cyber threat. There need to be robust systems and processes in place to tackle the same.
  • Culture and people related aspects - Preventing and handling cyber related aspects is everyone’s job in the organization. Such a behaviour should be there in the cultural ethos of the organization and people should be encouraged and rewarded for finding out potential vulnerable points and rectify the same. Simple behavioural aspects like stopping people from tailgating can have a significant impact on making the organization more secure. Additionally, people should be trained continuously on data privacy and cyber security to make the organization more secure.

Preparing for Data Breaches

The use of technology is a must in today’s business environment. In fact, organizations of the future will be defined by how agile and nimble they are in terms of technology adoption and innovation. While use of technology is a given, various elements can help organizations keep pace with keeping their organization updated to handle latest threats and vulnerabilities -

  • Strengthening the CIO function - Firstly, the CIO role and function needs to be strengthened, with the CIO preferably reporting to the Board on a regular basis. The team should be adequately staffed and should have a position of Data Protection Officer. Regular data and security audits need to be conducted with a feedback loop in place to close the gaps.
  • Security as part of the design - Security must be embedded into the system design in the organization. There should be focus on multi-layered security, and accesses and permissions should be based on the principle of least privilege, i.e., accesses and permissions should be limited to the extent that is needed for working.
  • Centralization in security policy management - Implementation of the organizational security policy is very critical. While the responsibility of security and compliance lies with everyone in the organization, the implementation, management and review of the policy needs to be done centrally by the IT team. Any IT asset non-compliant with the security policy needs to be identified and isolated outside the organizational perimeter till it is compliant and safe to be back.
  • Be aware and compliant with regulations - Data privacy and security is a serious matter and there are multiple regulations, including ones in other countries and regions like GDPR. In case of India, the Data Privacy related laws are expected to be enacted soon. Companies need to be aware and compliant with the regulations. Also, for Indian companies, they need to start preparing themselves for the Law expected to be enacted (the draft is in public domain since November for comments and feedback). Companies dealing with cross-border data would have to be compliant with multiple laws and regulations. Companies, especially the CIO function, need to drive the organizational response and preparedness towards the same.
  • Training and Capacity Building - Security is the responsibility of everyone in the organization, and hence people must be trained and sensitized at a periodic interval.
  • Strong incident response plan along with feedback loop - Companies need to build a robust incident response plan along with a feedback loop to capture and act upon any reports of incidents or potential incidents in the organisation, as well as improve the system based on feedback.

Keeping Pace with Evolving Threats

Seven (7) steps that companies can take to secure their data and infrastructure in a distributed environment are -

  • Multi factor authentication - Multifactor authentication should be used for accessing and working on critical systems. The use of all three factors like what you know (e.g., password), what you have (e.g., a token) and what you are (e.g., biometrics) can be used to strengthen the system access and prevent misuse.
  • Strong access control - Use of role-based access control with the principle of least privilege should be followed. Users should only access systems and information that are essential for the role they perform.
  • Use of VPN - Use of remote access method like VPN to facilitate secure remote access with lesser chance of data being misused in transit.
  • System and software update and patches - This is a very basic and fundamental aspect but is often missed. Companies need to ensure that the latest system and software updates and patches are installed and working on all user machines.
  • Training - Users need to be trained and sensitized regularly on the importance of data security. At the end of the day, the organization is as strong as the weakest link, and can falter due to the mistake or non-compliance of a single user.
  • Data back-up - Critical data needs to be backed up daily, so that the impact of any potential and unavoidable data loss is minimized to the extent possible.
  • Incident response system - Above all, organizations need a strong and robust incident response and management system to be able to report, isolate, handle any incident or potential incident in the organization.

Promising Technologies and Approaches

While there are multiple promising and interesting technologies and approaches which are there, the four (4) which look most interesting to me are -

  • Web3 technologies – Web3 technologies, which are based on decentralized systems and built using blockchain, provide the control of user data to the user itself and thus help build a more secure system and organization
  • Building a Zero Trust Architecture with multiple layers of security and which would authenticate users and devices dynamically based on the principle of least privilege.
  • Use of AI/ML to understand patterns and predict any potential risk or security breach possibility and proactively act against the same.
  • Use of Quantum computing techniques and algorithms like Quantum Key Distribution (QKD) and Quantum Cryptography to make systems and accesses more secure.

Challenges from AI and IoT

The use of new technologies such as AI and IoT would lead to a quantum increase in the amount of data, including personal data, being generated, thus increasing the surface for attack. Each of these devices can be a potential point of entry for an attack. It would make systems more complex and difficult to manage from a security standpoint, including the ability to implement the organizational security policy in a seamless manner. Regulatory compliances and data privacy concerns will also rise tremendously. Organizations need to prepare themselves for these challenges. Cybersecurity policy of the organization needs to be robust and should factor in the challenges arising from AI and IoT enabled devices. A strong authentication and access control mechanism with the principle of least privilege and using multi factor authentication should be used. Periodic risk assessments and data and security audits need to be conducted and any feedback received should be used for improvements. All IoT and AI devices should have the latest software patches and updates so that they are protected from known threats and vulnerabilities. Lastly, people need to be trained and made aware of the cyber related challenges arising from these devices, so that there is complete knowledge and awareness about potential threats arising from any phishing or social


Devroop Dhar, Co-founder & Board Member, Primus Partners
