Compliance – Cyberlaws.org (http://www.cyberlaws.org) – Compliance | Security | Legal. Feed last built Tue, 20 Apr 2021 18:50:07 +0000.

HOW ORGANISATIONS CAN ENSURE CYBER SECURITY DURING REMOTE WORKING
http://www.cyberlaws.org/how-organisations-can-ensure-cyber-security-during-remote-working/ – Sat, 03 Apr 2021 16:12:16 +0000

The global pandemic has entirely changed the work culture of organisations: over 75 percent of private-sector employees are working from home, and many global employees work remotely at least once per week and are willing to work from home more often if their job permits.

Presently, most organisations, including start-ups, are offering the option to work from home because of the serious health threats to employees and to ensure business continuity. Top management and business leaders from all sorts of companies, including start-ups, are recognising the benefits of permitting remote work.

Previously, most organisations were not set up to work remotely and preferred working on office premises only, but the COVID-19 pandemic and the resulting lockdowns in many countries mean that many companies and their employees are now mostly working from home (WFH) full-time.

Keeping business continuity in focus, organisations have allowed remote working; however, cyber security and information security have become a serious concern. On one side, the work-from-home option has reduced commuting time for employees, given workers more liberty and even increased productivity; on the other side, there are cyber security risks and challenges that come with allowing employees to work from home or from any remote location.

What are the Risks of Work from Home/Remote Work?

Data security and cyber security are paramount while working from home. Organisations need secure communication channels to access information systems hosted on premises. Some organisations, mainly start-ups, may face operational risks such as not being able to support a large number of simultaneous remote connections to their infrastructure and IT services. This could be troublesome for employees who need access to internal resources for business support and may place an additional burden on IT teams if they are not properly prepared.

This is a business disruption risk, and it can cause unnecessary stress for an IT department that is already overworked and overburdened trying to fix the issue on the go. That in turn creates the risk of not properly implementing access, authorisation and authentication policies, which may result in employees accessing resources that they should not.

In order to reduce the risk of unapproved remote access to the organisation's Information Technology infrastructure, IT teams and information/cyber security teams shall make it explicit which applications, services and VPN clients are supported by the organisation's IT infrastructure. Any unauthorised attempt to access the internal IT infrastructure with illegitimate or unknown tools should be treated as a cyber risk and blocked immediately.

Many companies have a well-defined and strict IT and information security policy for centrally managing and deploying software and security patch updates to endpoints. Gradual rollout procedures should be designed for deploying those updates: delivering them all at once to remote devices connected over VPN could create a bandwidth traffic jam and affect inbound and outbound traffic. Data backups of individual laptops can be a tough task if backup servers are hosted inside the premises. Last but not least, enabling disk encryption for all endpoints should be a priority, as it minimises the risk of sensitive data being accessed or compromised due to unauthorised access or device theft.

Cyber Security Guidelines for Work from Home?

  1. Having a Teleworking/Work from Home Policy

First and foremost, defining a "Remote", "Work from Home" or "Teleworking" policy is a must if your organisation or start-up allows employees to work from home or from locations outside the office premises. This policy shall establish a set of procedures and guidelines that employees must follow in order to work from home. It will reduce the inherent risks of working remotely, since the organisation and employees are explicitly aware of their WFH responsibilities and the consequences of not meeting them.

A teleworking/remote working policy shall include:

  • Employee responsibilities
  • Procedure for reporting an information security incident
  • Approval process for remote connections
  • Workspace security mandates
  • System configuration/hardening steps
  • Use of encryption for all data stored and in transit
  • Mandatory use of a secured channel such as a VPN for remote workers

  2. Information security training for top management and employees

Conduct periodic (monthly or quarterly) training sessions to keep your employees and top management aware of and educated on cyber security and information security risks, and on their responsibilities towards the organisation's information security program when working from home.

Basic cyber security drills shall be conducted on a regular basis, and the organisation's information security awareness program shall be updated accordingly. Employees shall be aware of phishing attacks and spam mails, as well as how to secure their home Wi-Fi network.

Each and every employee shall be aware of the risk of using public Wi-Fi with the organisation's systems. Employees should know whom to contact in case of any cyber security incident.

Top management is more prone to cyber security attacks; they shall be adequately trained.

The organisation shall assess the information security awareness status of employees and top management on a timely basis.

  3. Use of advanced technology and tools for data protection

A well-defined policy will help employees know what they need to do and how to do it, but providing them with the right technology tools will also reduce the risks of working remotely. Depending on the organisation and the role of its employees, the technology could vary. Below are a few examples of tools helpful in data protection during remote working:

  • Enable built-in firewalls: Firewalls are a basic defence against information security risks. Nowadays every operating system has an inbuilt firewall which can block malicious inbound or outbound requests.
  • Enable built-in encryption: System data will be encrypted using the built-in encryption techniques; this is helpful in case the drive is lost or stolen. However, the recovery passkeys shall be kept safely by the IT administrator.
  • Use a Virtual Private Network (VPN): A VPN provides a secured tunnel for data travelling to the servers and makes it difficult for malicious users or hackers to intercept. The organisation shall only accept traffic coming through the VPN, and employees shall always use the VPN to connect to the office network, especially when they are on a shared network at home or outside.
  • Use of password managers: These help employees store their passwords and generate secure passwords. This reduces the risk of employees using the same password for all services and applications.

  4. Enablement of two-factor authentication

Use of two-factor authentication for critical information assets is a must, since it provides assurance that a data request is coming from a genuine source. This method reduces the risk of phishing and malware attacks.

  5. Monitor your third-party vendors and service providers

Many times organisations outsource a few services. In this case the vendors shall be regularly monitored as per the supplier information security policy. Assess your vendors' cyber security programs on a regular basis, because a vendor can sometimes also be a risk to the organisation's information security.

  6. Use of access control

The organisation shall implement an access control policy in order to reduce data breaches or data leaks. Least privilege shall be applied when granting permissions to any user. Access should be based on the role of the employee in the organisation, and these accesses shall be reviewed on a timely basis.

  7. Enforcement of strong passwords on applications, servers and employee devices

The organisation shall ensure that a strong password policy is enforced on employee devices, applications and servers.

  8. Use of web security protection

Last but not least, organisations should deploy security solutions like antivirus, anti-phishing and anti-malware on employee endpoints, along with technologies capable of preventing network vulnerabilities from being exploited. There are many solutions available in the market nowadays.

Only deploying these solutions is not sufficient: they shall be updated and monitored regularly, and necessary actions shall be taken on their findings. The organisation shall deploy solutions which can accurately detect phishing attempts and any known malware attacks.
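As an added worked example (not part of the original post and not any product's own tooling), the following Python script shows how the guidelines above can be turned into a repeatable check: each constructed endpoint record is evaluated for a host firewall, disk encryption, an approved VPN client, two-factor authentication, patch age and least-privilege group membership, and a separate function applies a strong-password policy. The field names, policy values, role-to-group table and sample hosts are all assumptions made for this example.

```python
"""Remote-work endpoint policy check (added example; all names and values are assumptions)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Policy values are assumptions chosen for illustration, not a vendor's defaults.
POLICY = {
    "min_password_length": 12,
    "approved_vpn_clients": {"corp-vpn"},   # hypothetical name of the approved client
    "max_patch_age_days": 30,
}

# Least-privilege baseline: which groups each role is allowed to hold (constructed).
ROLE_ALLOWED_GROUPS: Dict[str, Set[str]] = {
    "developer": {"git", "ci"},
    "finance": {"erp", "payroll"},
}


@dataclass
class Endpoint:
    hostname: str
    user: str
    role: str
    firewall_enabled: bool
    disk_encrypted: bool
    vpn_client: Optional[str]
    mfa_enabled: bool
    patch_age_days: int
    granted_groups: Set[str] = field(default_factory=set)


def password_findings(password: str) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    findings = []
    if len(password) < POLICY["min_password_length"]:
        findings.append("password shorter than %d characters" % POLICY["min_password_length"])
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        findings.append("password uses fewer than 3 character classes")
    if re.search(r"(.)\1{2,}", password):
        findings.append("password contains a run of 3 or more repeated characters")
    return findings


def endpoint_findings(ep: Endpoint) -> List[str]:
    """Return every guideline the endpoint fails; an empty list means compliant."""
    findings = []
    if not ep.firewall_enabled:
        findings.append("host firewall disabled")
    if not ep.disk_encrypted:
        findings.append("disk encryption disabled")
    if ep.vpn_client not in POLICY["approved_vpn_clients"]:
        findings.append("unapproved or missing VPN client: %r" % ep.vpn_client)
    if not ep.mfa_enabled:
        findings.append("two-factor authentication not enabled")
    if ep.patch_age_days > POLICY["max_patch_age_days"]:
        findings.append("patches older than %d days" % POLICY["max_patch_age_days"])
    # Least privilege: any group outside the role's baseline is flagged for review.
    excess = ep.granted_groups - ROLE_ALLOWED_GROUPS.get(ep.role, set())
    if excess:
        findings.append("groups beyond role %s: %s" % (ep.role, ", ".join(sorted(excess))))
    return findings


def audit(endpoints: List[Endpoint]) -> Dict[str, List[str]]:
    """Map each hostname to its list of findings."""
    return {ep.hostname: endpoint_findings(ep) for ep in endpoints}


# Constructed sample inventory (not real hosts or users).
SAMPLE = [
    Endpoint("lt-001", "asha", "developer", True, True, "corp-vpn", True, 7, {"git", "ci"}),
    Endpoint("lt-002", "ravi", "finance", False, True, "openvpn-personal", False, 45,
             {"erp", "payroll", "git"}),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, "COMPLIANT" if not findings else "NON-COMPLIANT")
        for f in findings:
            print("  -", f)
```

The script is meant to be fed from whatever inventory an organisation already has (an MDM export, a VPN concentrator's session log, a directory group dump); the point is that each item in the guideline list becomes one explicit, auditable rule rather than an informal expectation.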

Work from home or remote working has given a golden opportunity to hackers and cyber criminals, and it is a challenge for the organisation's IT team and information security team. Managing cyber security during remote working is a tedious job for organisations; however, use of proper technology and monitoring can certainly manage this work. Organisations shall treat cyber security as a risk and shall invest appropriately in safeguarding their information assets. A vigilant and aware team can save the organisation from cyber attacks and hence from financial, reputational and business operational loss.

Keywords: information security, cyber security, data protection, VPN, training and awareness, strong password, business continuity, access control, remote working, work from home, cyber security risk.

CYBER SECURITY COMPLIANCE FOR START-UPS
http://www.cyberlaws.org/cyber-security-compliance-for-startups/ – Sun, 21 Feb 2021 17:27:31 +0000

Start-ups are integral to the economic success of any country, generating millions of new jobs in recent years and experiencing significant market growth as business owners tap new technologies to increase brand reach and impact. With recently developed industry standards and regulatory requirements influencing all industries, cyber security compliance has become a mandate for business success.

In this digital era, as the severity and number of cyber-attacks increase, industry standards organisations and governments seek to enforce cyber security by establishing mandatory compliance requirements. However, compliance requirements often lag behind cyber security risk. Therefore, to prepare for dynamic compliance requirements, businesses need a risk-based approach which includes addressing and mitigating cyber security risk, so that they can stay ahead of the evolving requirements.

Think Big while Starting Small

Most of the time start-ups view their IT as inherently safe. There is a common thought: after all, why would hackers bother with smaller businesses when large-scale operations handle huge volumes of valuable data? Cyber security for start-ups may also take a back seat because of all the mission-critical tasks that require the owners' attention.

Here's the hard truth: start-ups are often in the line of fire for digital compromise precisely because they don't have built-in cyber security controls or well-articulated InfoSec policies.

Since there is a lower chance of attacks being detected, identified and mitigated, attackers looking to test new threat vectors or grab consumer data may target start-ups.

Clearly, start-ups should not ignore risks pertaining to cyber security. A few of the key activities include:

Compliance: From privacy regulations such as HIPAA and GDPR to start-up PCI compliance, our experts ensure your data handling and storage processes meet evolving expectations.

Internal Audits: Periodic internal audits are helpful in identifying critical gaps between the actual status and the desired compliance status.

Risk Assessments: Regulatory bodies want to ensure that the controls and measures taken by the organisation are sufficient and reasonable for your organisation, customers and partners. There are many frameworks available in the market; the organisation needs to choose the right one as per its requirements and then identify acceptable risk. If possible, more than one framework can be used to identify and compare risks. The organisation shall identify and implement a balanced security strategy, factoring in compliance and safeguards based on its specific business and objectives.

Security Management: Proper security management services help streamline the IT environment and protect the business purpose. They provide management with a holistic view of cyber security compliance.

Incident Response and Remediation: When a breach does occur, organisations need to address the attack immediately, contain it, and remediate the threat. This requires a properly trained, expert incident response team to stop and fix the incident, and an ongoing incident response process and plan to keep data secure.

Vulnerability Assessment and Penetration Testing: Not all vulnerabilities are obvious. Vulnerability assessments and penetration testing help find and secure potential failure points.

Third Party Risk Management (TPRM)/Vendor Risk Management: Vendors and service providers are an integral part of most start-up businesses. Organisations need to ensure third-party partners are aligned with the organisation's risk controls, and shall ensure that all vendors adhere to all the desired requirements pertaining to cyber security compliance.

What are the data breach risks?

Data breaches have become very frequent irrespective of the organisation's size.

Recent trends indicate that cyber criminals target small businesses which do not have adequate security, to gain unauthorised access to data that they can sell on the dark web. Hacking and social engineering attacks focus on exploiting vulnerabilities in servers, systems, networks, software and people to gain entry.

Many small businesses currently lack the resources required to defend against these attacks, which increases the probability that hackers will continue to target them.

Below are the recent data breach trends:

  • One fourth of data breaches involved small businesses.
  • Many breaches involved social engineering, exploiting the lack of cyber security awareness among employees.
  • Most breaches were financially motivated.
  • Most breaches were perpetrated by outsiders and script kiddies.
  • Around one fourth of breaches still take months or more to discover.

What is cybersecurity compliance and why is it necessary?

Compliance, in general, is the act of being aligned with guidelines, rules, regulations and legislation. In cybersecurity, compliance is a program that establishes risk-based controls to protect the confidentiality and integrity, and ensure the availability, of information stored, processed or transferred.

Cyber security compliance is often not a stand-alone compliance; it is based on multiple standards or regulations to be adhered to by a given industry. Sometimes different standards can create uncertainty and surplus work for organisations using a checklist-based approach.

For example, an e-commerce organisation needs to meet PCI DSS (Payment Card Industry Data Security Standard) if it accepts payments through a POS (Point-of-Service) device; it is also required to adhere to HIPAA (Health Insurance Portability and Accountability Act) for its employees' health information; and if the organisation serves European customers, it must be compliant with GDPR (General Data Protection Regulation).

What data is subject to cybersecurity compliance?

Cybersecurity and data protection laws and regulations primarily focus on the protection of sensitive data, such as:

Financial Information, e.g. credit card numbers, card PIN numbers, bank account numbers etc.

Personally Identifiable Information (PII), e.g. first and last name, address, date of birth etc.

Protected Health Information (PHI), e.g. medical history, records of admissions, prescription records etc.

Other sensitive data that may be subject to state, regional, or industry regulations includes:

  • IP addresses
  • Email addresses, usernames, and passwords
  • Personal email contents
  • Personal messages
  • Authenticators, including biometrics such as fingerprints, voiceprints, and facial recognition data
  • Marital status
  • Race
  • Religion

Step by Step Cybersecurity Compliance Program

Creation of a Compliance Team

For every business, irrespective of size, a compliance team is compulsory. Since organisations, mainly start-ups, continue to move their business-critical operations to the cloud, there is a need for an interdepartmental workflow and communication across business and IT departments.

Define the Scope

Identify and define the clear scope which includes business processes, information systems, legal requirements, contractual requirements, etc.

Identify and Establish a Risk Management Process

RISK IDENTIFICATION

Identify all information assets and information processing systems, networks, servers, and data that they access.

 RISK ASSESSMENT

Review the risk level of each data type. Identify where high-risk information is stored, transmitted, and collected and rate the risk of those locations accordingly.

ANALYZE RISK

After assessing risk, you need to analyse it. Traditionally, organisations use the following formula:

Risk = Likelihood × Impact

SET RISK ACCEPTANCE /TOLERANCE LEVEL

After analyzing the risk, you need to determine whether to transfer, treat, accept, or reduce the risk.

Implement Controls

Once the risk is identified, treat it based on your risk tolerance: you need to determine how to mitigate or transfer the risk. Controls can include:

  • VPNs
  • Access Management
  • Firewalls
  • Employee training
  • Encryption
  • Password policies
  • Network security
  • Third Party/Vendor risk management program

Create Policies

Document policies and procedures for your compliance activities and controls. These policies act as the foundation for any internal or external audit.

Continuously Monitor, Respond, and Improve

Continuous monitoring helps identify new gaps in the cybersecurity compliance program, so that weaknesses of the information systems and processes can be reduced to strengthen security. Organisations need to regularly update all their systems in order to avoid any kind of data breach.

Cyber security is a constantly changing field, where cyber criminals always try to find new vulnerabilities in systems and exploit them; these new vulnerabilities lead to zero-day attacks. Organisations need to monitor their networks and processes in order to identify any suspicious behaviour and contain it immediately. Internal audits and penetration testing are among the most effective ways of doing this.
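The risk management steps above (identify assets, assess likelihood and impact, score Risk = Likelihood × Impact, set a tolerance level, choose a treatment and pick a control) are shown end to end in the following Python risk register. It is an added example, not code from the original post: the 1-5 scales, the tolerance and transfer thresholds, and the sample assets and threats are assumptions made up for illustration.

```python
"""Minimal risk register walking the compliance steps above (added example; scales and thresholds are assumptions)."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed 1-5 ordinal scales for likelihood and impact, so scores range 1..25.
TOLERANCE = 8         # assumed: scores at or below this are accepted as-is
TRANSFER_ABOVE = 20   # assumed: scores above this are candidates for transfer (e.g. insurance)


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    control: str      # candidate control from the list above

    def score(self) -> int:
        """Risk = Likelihood x Impact, after validating both inputs are on the 1-5 scale."""
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be within 1..5")
        return self.likelihood * self.impact


def treatment(r: Risk) -> str:
    """Apply the tolerance level: accept, treat (mitigate), or transfer."""
    s = r.score()
    if s <= TOLERANCE:
        return "accept"
    if s > TRANSFER_ABOVE:
        return "transfer"
    return "treat"


def residual_score(r: Risk, likelihood_after: int, impact_after: int) -> int:
    """Score after a control is applied; used to verify a treated risk now sits within tolerance."""
    return Risk(r.asset, r.threat, likelihood_after, impact_after, r.control).score()


def build_register(risks: List[Risk]) -> List[Tuple[str, str, int, str, str]]:
    """Return (asset, threat, score, treatment, control) rows, highest score first."""
    rows = [(r.asset, r.threat, r.score(), treatment(r), r.control) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register (not real data).
SAMPLE_RISKS = [
    Risk("customer database", "credential phishing of an admin", 4, 5, "two-factor authentication"),
    Risk("employee laptops", "theft of an unencrypted device", 3, 4, "full-disk encryption"),
    Risk("marketing website", "defacement", 2, 2, "patching and backups"),
    Risk("payment processor", "outage at third-party vendor", 5, 5, "vendor risk management / cyber insurance"),
]

if __name__ == "__main__":
    for asset, threat, score, decision, control in build_register(SAMPLE_RISKS):
        print("%-20s %-35s score=%2d -> %-8s (%s)" % (asset, threat, score, decision, control))
    # Re-scoring the top risk after its control is in place shows whether it is now tolerable.
    print("residual after 2FA:", residual_score(SAMPLE_RISKS[0], 1, 5))
```

Sorting by score gives the treatment order the "Implement Controls" step needs, and re-scoring after a control is applied closes the loop with the "Continuously Monitor, Respond, and Improve" step: a risk is only done when its residual score is within tolerance.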

What are the Benefits of cybersecurity compliance?

There are lots of benefits:

It enables you to protect your company's reputation.

It maintains consumer trust and builds customer loyalty by ensuring customers' sensitive information is safe and secure.

It reduces the risk of a data breach, and hence the associated response and recovery costs.

It saves organisations from the less-quantifiable costs of a breach, such as reputation damage, business interruption and loss of business.

It enhances the trust of customers and regulatory bodies in the organisation.

Implementing the appropriate safeguards and security measures to protect sensitive customer and employee information strengthens the company's security posture.

It helps to protect intellectual property such as trade secrets, software code, product specifications and other information that gives your company a competitive advantage.

Other links: CYBER SECURITY CHALLENGES FACED BY FINTECH START-UPS

VIRTUAL CISO – A Logical Method to Manage Cyber Security Compliance in Start-ups
http://www.cyberlaws.org/virtual-chief-information-security-officer/ – Sun, 21 Feb 2021 07:03:39 +0000

In the current era, both big companies and small start-ups use Information Technology for ease of doing business; however, it makes them vulnerable to cyber-attacks. So it becomes necessary for them to employ cyber security professionals, e.g. a CISO (Chief Information Security Officer), in order to protect information assets. It goes without saying that information security activities in any organization consume more resources than ever before. Cyber criminals (hackers) are getting better all the time, and staying ahead of them is getting tougher. However, it is not just more zero-day attacks by sophisticated criminals: competitors, growth of the organization, elevated infrastructure complexity and new compliance requirements also demand more cyber defence staff, adequate time and the right technology to avoid becoming a victim of a cybersecurity breach.

In earlier days security was primarily focused on physical access to facilities and resources, or on adding layers of logical controls to protect business applications and data. However, the security concerns of the present era don't fit into this traditional way anymore. Security concerns impact every aspect of an organization's operations and should be an integral driver of strategic planning, along with every decision about future expansion.

Since cyberattacks have become smarter and more sophisticated at exploiting vulnerabilities, and with the availability of many open-source tools, it is easier for hackers to launch new attacks every other day. For organizations and start-ups, cyber security shall be a proactive program rather than a reactive one launched at the time of a cyber-attack. Thus, information security is an integral part of organizational strategic growth. It is just as important as goodwill, financial turnover and product quality.

What is a Chief Information Security Officer (CISO) and a Virtual Chief Information Security Officer (V-CISO)?

The top management team should be aware of the impact that a lack of information security can have on their organization's profitability and durability. A shortage of information security in the organization could result in heavy fines for non-compliance, punitive rulings after a finding of liability or negligence, or a loss of customers and partners after a confidence-shattering breach. The risk of underestimating information security is too big to ignore.

In order to address the growing awareness of information security's importance to strategic planning, many larger organizations and start-ups include a Chief Information Security Officer (CISO) at the executive level. The Chief Information Security Officer is the executive who is responsible for information security and cyber security compliance in the organization.

Many times companies cannot afford the cost of having their own CISO because of the high salary range. There are situations where organizations, including start-ups, need a CISO, but the budget doesn't allow for a full-time person in that position.

However, there is a cost-effective alternative. Organizations, especially start-ups, that lack the budget for a full-time CISO can opt for an outsourced solution: the Virtual CISO, or V-CISO.

A Virtual CISO is an information and cyber security expert who uses his/her years of industry experience to help organizations and start-ups by developing and managing the implementation of the organization's information security program in order to attain various government and non-government compliances. At a high level, V-CISOs help to build the organization's security strategy, its implementation and its management as well.

The organization's internal security staff may work with and report to the V-CISO in order to strengthen the information security and cyber security framework and make it more impactful. In addition, the V-CISO is usually expected to be able to present the organization's state of information security to the organization's board, management team, auditors or regulators.

Benefits of having a V-CISO

A V-CISO is generally a cybersecurity professional who works on a part-time basis, offering information security services to multiple organizations at a time and working for several throughout any given year. This gives organizations the flexibility to hire a part-time CISO on an as-required basis.

The V-CISO fills several needs through different types of services, including:

  • Information Security and Cybersecurity guidance to management executives in order to adhere compliance guidelines
  • Information Security architecture guidance
  • Incident management including response
  • Governance plans
  • Cyber Security readiness assessment
  • Compliance alignment recommendations (for ISO 27001, RBI guidelines for banks, NBFC, HIPAA, GDPR, PCI-DSS, CCPA and many more)
  • Remediation prioritization
  • Business Continuity Planning and Disaster Recovery Plans and DR drills.
  • Identification of scope and objective for the information security compliance
  • Risk management (risk identification and treatment)
  • Vendor risk management
  • Coordination of audits by regulators or customers

Why does your organization need a Virtual CISO?

If your organization needs more information security compliance-related guidance at the management level, consider whether a V-CISO would be a good option. If you are a start-up and your budget won't support a CISO, you might need a V-CISO. If any of the scenarios below are similar to your situation, your organization might need a Virtual CISO.

  • You are a start-up and are really unaware whether you are vulnerable to cyber security breaches: If your organization hasn't yet assessed its information security risk, you might need a V-CISO to initiate and support that process.
  • Your organization has been breached and no one from your team was able to detect the attack: Post-breach investigations and recommendations often lead to organizational leadership remodelling. One such remodelling is adding an information security member to the executive suite. If this is the case, you might need a V-CISO.
  • You are a start-up dealing with critical customer data: In this case, if you don't want to hire a full-time CISO, you need a V-CISO in order to safeguard your information assets and avoid high penalties for non-compliance with various regulations.
  • Important or major changes have occurred that could impact security: If your organization is going through mergers or acquisitions, the security risk should be assessed. Any significant outside influence, such as a global pandemic or natural disaster, could impact business continuity as well as information security. If your organization doesn't have anyone who can guide it during these times and ensure security is not compromised, you might need a V-CISO.
  • Your organization wants to share the workload of the existing CISO: Changes to the organization's scope or environment, including new regulatory compliance requirements, may increase the demands on a CISO beyond their current capacity. If your existing CISO requires a helping hand, you might need a V-CISO.

There could be multiple reasons to have a V-CISO for your organization. An experienced V-CISO will provide valuable guidance and customised solutions as per your organizational needs, and will save you from the burden of paying the salary of a full-time CISO.

How to find the right V-CISO?

If you are struggling with your day-to-day information security requirements, a V-CISO would be beneficial to your organization. Once you have decided to have one, the very next step is how to find the right one. A good amount of research and investigation can help. Online reviews and existing customers' feedback can help you find a good-fit, knowledgeable V-CISO for your organization.

The general process for engaging a V-CISO flows like this:

  • Set up an initial consultation meeting (commonly one hour at no charge).
  • The V-CISO delivers a proposal covering the scope of work, including high-level information security readiness, proposed services and costs.
  • You accept or reject the proposal, and then move forward.
  • If you decide to engage the V-CISO, negotiate an agreement that meets your requirements. If you need periodic gap and risk assessments and remediation reports, make sure that is explicitly mentioned in the agreement deliverables.
  • An agreement with a V-CISO can be set up on an hourly, monthly or quarterly basis. Make sure that you are getting the services you are paying for.
  • A V-CISO can be an affordable and flexible approach to adding extensive information security experience and wisdom to your management team. If a V-CISO is a good fit, it can help your organization identify and safeguard the weak links which could otherwise lead to aggressive cyberattacks.

Keywords: CISO, Virtual CISO, VCISO, vCISO, ISO 27001, GDPR, RBI, cyber security, information security, compliance, hackers, cyberattacks.

ISO 27001 CERTIFICATION (INDIVIDUAL VS. ORGANIZATION)
http://www.cyberlaws.org/iso-27001-certification-individual-vs-organization/ – Thu, 16 Apr 2020 06:51:08 +0000

ISO 27001 is a standard followed for the Information Security Management System (ISMS) of an organization, in which the company's compliance status is checked and, based on the findings, new policies are created and applied. It's a mandate in many sectors, such as companies involved in the cyber security domain. An ISMS covers the 3 major elements of cyber security: Confidentiality, Integrity, Availability (CIA).

To ensure compliance with the CIA in terms of ISO 27k1, companies need to:

  • Audit
  • Assess the risks
  • Formulate policies
  • Implement policies
  • Continuous monitoring & Updates

The departments/processes that go through the above mentioned process are both, IT & Non IT Infrastructure of a company, but the audit of ISO 27k1 is mainly focused on the IT Infrastructure of a company.

ISO 27001 CERTIFICATION:

Being ISO 27001 Certified means, the certification body that you choose for this process (PECB or IRCA), gives you an attested confirmation that your organization is compliant to all the guidelines of ISO 27k1.

Now there are two types of certifications in ISO: Individual / Organization

The process for an individual certified professional is completely different from that of a certified organization; these certified professionals then move on to performing the process of certifying the organization.

INDIVIDUAL

Types of ISO certified Professionals

  • Lead Auditor
  • Lead Implementer

lead auditor is the one who is responsible for leading the audit team in an organization. He or she prepares the audit plan, delivers meetings and submits audit report at the end of quarter or year. Conducting audits is the main responsibility of a lead auditor and that needs to be done on a daily basis.

Lead implementer is the one responsible for bringing the Lead auditor plan into action and makes sure all the policies are implemented and properly controlled.

Process of getting certified

According to PECB, the process for getting ISO 27k1 LA/LI certified is nearly not as lengthy for individuals as it is for the organizations.

Previous experience: a minimum of 4 years of job experience in IT is crucial, of which at least 2 years has to be in cyber security.

Training & Examination: after attending 5 days of training in ISO 27k1 LA/LI, following the course outline set by the certification body of your choice/requirement, you submit the examination fee to the certification body; an invoice in your name along with your exam question papers is then prepared and sent to the authorized training center for you to attempt the exam.

Certification process: after attempting the certification exam, the candidate fills in the certification forms with the required information. In the back end, the certification body verifies the information given by the candidate and, if it is compliant, the certificate is issued.

ORGANIZATION

A typical certification audit (a.k.a. 3rd party audit) generally follows the standard IT audit process:

  • REQUESTING DOCUMENTS
  • PREPARING AN AUDIT PLAN
  • SCHEDULING AN OPEN MEETING
  • CONDUCTING FIELDWORK
  • DRAFTING A REPORT
  • SETTING UP A CLOSING MEETING

Based on the process above, a company either qualifies or is disqualified for certification, which is why organizations hire audit organizations (a.k.a. accredited organizations) to consult them through the certification process and perform the 3rd party audits.

That is a whole other process altogether, and it differs from company to company. A generally followed process is as follows:

Pre-Proposal checklist: Vendor will send you a questionnaire/checklist to be filled in by your business/technical team. This checklist consists of the basic information Vendor needs in order to send you a techno-commercial proposal.

Proposal: Vendor will give you a proposal enclosing the Scope of Work, timeline & cost involved in executing the project.

Audit & Compliance team: Vendor will assign you an account manager who will be your point of contact/consultant & coordinator throughout the process.

Pre-assessment (optional): a pre-assessment audit is done before the actual assessment; another term for this step is Opinion Audit. It is carried out as a precautionary step to identify any weakness/nonconformity that may need resolving.

Assessment: this step is the actual performance of the audit; its process depends on the standard chosen by the auditee.

Certification: Vendor will issue a certificate of registration, clearly outlining the scope of your certification.

Compliance: your account manager will carry out ongoing assessments to support your continual improvement activities.

Training: Vendor will provide awareness training for the organization's employees after the process is complete, and certification courses & training during/before the certification to bring the professionals involved up to the certification level.

INFORMATION TECHNOLOGY (IT) RISK MANAGEMENT http://www.cyberlaws.org/information-technology-it-risk-management/ Wed, 15 Apr 2020 19:55:07 +0000 http://www.cyberlaws.org/?p=147

INFORMATION TECHNOLOGY (IT) RISK MANAGEMENT

 What is Risk?

Risk is any unwanted event that impacts an organisation's objectives of attaining its business goals.

Various types of business risk exist in any organisation:

  • Strategic Risk
  • Operational Risk
  • Financial Risk
  • Compliance Risk

Risk management is the process of identifying, analysing and evaluating the organisation's risks and then applying appropriate controls to mitigate them.

What is IT Risk?

In this digital age most businesses are using Information Technology. Hence IT plays a very pivotal role in many businesses.

If an organisation uses IT to manage its business, it is very important to understand and identify the risks related to its information systems and data, to manage and reduce those risks, and to develop a response plan in case of an IT crisis.

Nowadays businesses have regulatory and legal compliance obligations in relation to data privacy, electronic transactions and staff training, all of which are factors that can influence IT risk management strategies.

The main IT risks include software and hardware failure, malicious and virus attacks, human errors and misconfigurations, as well as natural disasters like flood, fire, earthquake and cyclones.

General IT Risk

These risks can be subcategorised further:

  • Hardware and software failure – abuse of rights and corruption of data, electromagnetic radiation, loss of power supply
  • Malware – malicious software designed to disrupt computer operation
  • Viruses – computer code that can copy itself and spread from one computer to another, often disrupting computer operations
  • Spam, scams and phishing – unsolicited email that seeks to fool people into revealing personal details or buying fraudulent goods
  • Human error – errors in data processing, data disposal errors, or accidental opening of infected email attachments

Natural disasters such as fire, earthquake, cyclone and floods also act as risks to IT infrastructure. In the absence of a business continuity plan, they may lead to data loss, corruption of data records and unavailability of IT services to the customers.

How to Manage Information Security Risk?

Management of IT risk involves a series of activities in this chronological order:

  • Risk Identification
  • Risk Assessment
  • Risk Mitigation
  • Development of Response Plan
  • Review of Risk Management procedures

How to reduce Information Technology Risk?

There are many risks and threats to business which can impact IT operations. Applying appropriate measures will protect the IT system from unauthorised access.

A few steps to improve IT security:

  1. Proper access control to computers, servers, networks and Wi-Fi.
  2. Using strong passwords.
  3. Encryption of critical data.
  4. Using a firewall, IDS and IPS on the network.
  5. Updating software and antivirus with the latest patches.
  6. Data backup for all the critical data.
  7. Information security training and awareness for the staff.
  8. Using secure software development processes.
  9. Implementing SSL for secure online communication.
  10. Last but not least, having cyber security insurance.

A few well-known standards and frameworks that can help organisations mitigate IT risks are:

  • ISO 31000
  • COBIT
  • COSO
  • NIST Risk Management Framework
  • ISO 27001
  • ISO 27005

For any organisation, risk identification is the first step towards risk mitigation. An undetected risk is the most dangerous thing, since a treatment methodology can only be implemented once the risk is identified. Organisations need the right approach and a skilled workforce for this job. A step-by-step risk management process will help organisations mitigate IT-related risk and obtain an effective and efficient IT system to achieve business goals.

CYBER CRISIS MANAGEMENT (SO WHAT EXACTLY CYBER CRISIS IS?) http://www.cyberlaws.org/cyber-crisis-management-so-what-exactly-cyber-crisis-is/ Wed, 01 Apr 2020 20:15:10 +0000 http://www.cyberlaws.org/?p=74

CYBER CRISIS MANAGEMENT

A click on a malicious link, an unwanted service left open, or the use of an obsolete OS can be far more catastrophic for the organisation than one imagines, and can lead to a cyber crisis.

SO WHAT EXACTLY CYBER CRISIS IS?

A cyber crisis is a situation of compromise, disruption or breach of the organisation's critical information systems and data. Such a situation is often called a cyber security incident, but a crisis goes beyond a mere incident: it can impact the organisation's reputation and financial outcomes, and sometimes ends in huge penalties.

A FEW CYBER CRISIS SITUATIONS ARE:

  • Breach in networks
  • Credit card data or health data stolen
  • Personal data compromise
  • Denial of services
  • Website crash
  • Email hacking
  • Zero day attack

A few famous examples of worldwide cyber crises are:

WannaCry: in 2017 this ransomware infected computers, encrypted the contents of their hard drives and demanded a ransom in order to decrypt them. Many organisations suffered from this attack.

NotPetya: this is again a ransomware, which started with phishing spam in 2016 and affected the master boot record. It also impacted many organisations that had the vulnerabilities.

HOW TO DEVELOP CYBER CRISIS RESPONSE CAPABILITIES

  • Identification of the key stakeholders at executive level from legal, finance, IT, information security and physical security, and formation of a Crisis Management Team (CMT).
  • Roles and responsibilities of each stakeholder shall be clearly defined, documented and communicated.
  • Identify different crisis scenarios, evaluate all their aspects by performing a "what if" analysis, and prepare responses accordingly for all the possible scenarios. The organisation can take the help of internal and external stakeholders as well as expert consultants for this.
  • Procedures for communication during any cyber crisis shall be prepared according to the different compliance requirements pertaining to the organisation. These shall be readily available in case of contingency.
  • Communication plans for external stakeholders, customers, media and external agencies shall be prepared.
  • All the responsible stakeholders shall be trained and evaluated by performing drills or table-top exercises at regular intervals.
  • Identification of forensics experts within the organisation, or of an expert external agency like a CERT, for performing forensics and malware analysis to check the degree of damage done by the incident.
  • Last but not least, have someone who can handle the media for PR and also negotiate in case of ransomware.

A cyber crisis is just like any other information security incident: it can become a disaster if not addressed properly and diligently at the right time. A cyber crisis can lead to huge penalties and business loss.

CYBER CRISIS HAS FOLLOWING IMPACTS:

  • Damage to company reputation and brand image
  • Loss of sensitive data and intellectual property
  • Loss in business opportunities
  • Cost of replacing the systems.
  • Penalties from regulatory bodies or contractual compensation

LIST OF FEW KNOWN CYBER THREATS

  • Ransomware
  • Spoofing
  • Spam
  • Spyware
  • Trojan Horses
  • Viruses
  • Hacking
  • Malware
  • DDOS
  • Worms

In a nutshell, a Cyber Crisis Management Plan (CCMP) helps the organisation manage the post-crisis chaos. When everything is defined and everyone is trained to handle an adverse situation like a cyber crisis, it becomes much easier to resume business operations. Some situations are unavoidable even with a robust system in place; a CCMP helps the organisation deal with such situations and is thus helpful for business continuity.

CYBER SECURITY WORKSHOPS: AN EFFECTIVE WAY TO UNDERSTAND CYBER RISKS FOR BEGINNERS AND PROFESSIONALS http://www.cyberlaws.org/cybersecurity-workshops-effectiveway-to-learn/ Sun, 22 Mar 2020 09:31:16 +0000 http://www.cyberlaws.org/?p=23

CYBER SECURITY WORKSHOPS: AN EFFECTIVE WAY TO UNDERSTAND CYBER RISKS FOR BEGINNERS AND PROFESSIONALS

Workshops have always been a great source of knowledge about a subject. Cyber security being such a crucial issue nowadays, attending workshops on cyber security will teach attendees about the cyber world with respect to their working domain and help them use it more effectively and efficiently.

People of all age groups and occupations are connected to the cyber world nowadays. Everyone is connected through the web in their personal and professional lives; however, most people still do not know about cyber crimes and risks.

There are certainly many benefits of cyber security workshops for different categories of people:

Students:

Students are nowadays using multiple online platforms to enhance their skillsets. Students will have the following benefits:

Students can learn about cyber security in workshops, learn about various risk scenarios in their personal lives, and educate their parents and elders.

Students can understand the career aspect of cyber security by learning different technical concepts.

A young mind is an agile mind; by attending workshops, students can develop new ways of defending against cyber-attacks.

Cyber security is a very demanding career nowadays, and students can build a foundation in cyber security by attending workshops.

Fresher:

Cyber security workshops can be very helpful in shaping the careers of freshers in the field of Information Technology. If you are a technology enthusiast with a degree or diploma in technology and are looking for a job in the cyber security domain, these workshops are a very good medium for networking.

There are many benefits of attending such workshops:

In workshops, students can meet others with similar interests, and can thus understand the current market requirements and develop their skillsets accordingly.

Cyber security workshops give freshers both technical and career-oriented scenarios, through which they can learn different ways to pursue a career in the information and cyber security domains. Attending workshops will give you an opportunity to meet people and professionals in the industry, and thus an opportunity to get a job by developing contacts.

Experienced Professionals:

If you are an experienced professional, then attending cyber security workshops will help you in various ways:

These kinds of workshops help professionals understand their responsibility towards their organisation's cyber security. Once you are aware of cyber security, you will be able to understand cyber-related risks, and thus safeguard your organisation from them.

One who is willing to switch his or her career to cyber security can attend the workshops to understand the basics of cyber security, and can gradually migrate to the domain if it is found interesting.

Professionals who are already managing Information Technology infrastructure and applications will learn about the different kinds of scenarios that could pose a risk to them. Such workshops will help them implement security in IT infrastructure and application development.

A working professional can incorporate the learning from cyber security workshops into their existing job role, and can mitigate many risks by doing so. In this way one can help safeguard the organisation's information assets from any kind of internal and external threat.

Managers:

Professionals who work as managers carry huge responsibilities within the organisation. A manager who is aware of cyber security will highlight and mitigate any such risk that could be harmful to the organisation. Cyber security workshops can be helpful in multiple ways:

By attending these kinds of workshops, one would definitely understand the importance of cyber security and can implement the same within the team and the organisation.

Since awareness and training have become mandatory for maintaining cyber security and information security compliance, one can show the attendance certificate as proof of attendance.

These kinds of workshops help managers understand any kind of IT report from any vendor, and also understand the risk coming from vendors if they do not adhere to cyber security principles.

Again, managers can network with other enthusiasts and experts through the workshop and understand the current risk perspective of the market.

Businessman:

Every business nowadays depends on the cyber world. Everyone is using IT infrastructure and applications for running their business. Cyber security workshops could be beneficial for businessmen because of the following factors:

With the help of such workshops, a businessman will understand the cyber security risks that can harm the business and how to mitigate those risks.

This is a very good medium for understanding cyber security and how to enhance the security of IT infrastructure and applications to make them hack proof.

Later on, one can develop a cyber security framework for one's own organisation. Cyber security workshops help business persons implement cyber security related compliance more effectively, because they now understand the concepts and their importance.

So in this way we can say that workshops, seminars and training camps are very important and useful for any category of person, whether children, youth or the elderly, whosoever is using information technology in their day-to-day or professional life. There are many free and paid trainings, workshops, seminars and webinars available where one can either start their cyber security journey or, as an experienced person, enhance their skillsets by attending such events.

These are a very good medium of interaction with other people and professionals who can share their knowledge base with you and help shape your career or business. The information technology world is constantly changing and one needs to stay updated at all times, so these workshops are a very good medium for doing so.

Progressive businesses and educational institutes organise workshops for their employees and students from time to time. In these events the participants learn about the different kinds of attacks that could lead to data leakage. One comes to know about different kinds of social engineering attacks like phishing and vishing (voice phishing), and thus will not fall victim to such situations.

# Tags: Freshers, managers, students, experienced professional, businessman,

#Keywords: Cyber Security workshops, seminars, training, information security, risk, compliance, cyber security,

HOW CEH CERTIFICATION CAN ADD VALUE TO YOUR RESUME http://www.cyberlaws.org/how-ceh-certification-can-add-value-to-your-resume/ Sun, 22 Mar 2020 07:19:52 +0000 http://www.cyberlaws.org/?p=14

HOW CEH CERTIFICATION CAN ADD VALUE TO YOUR RESUME

Certified Ethical Hacker (CEH) is a globally recognised qualification, which an individual obtains by proving his or her skill in assessing the security of IT applications and networks by verifying the vulnerabilities or loopholes of the target systems, using the same methodologies, tools and techniques as a hacker, but in a lawful and legitimate manner with due permission from the IT system owners.

Information technology is an integral part of almost every business nowadays, and so is cyber security. Using technology gives ease of access and fast processing of data; at the same time it also exposes the business to many risks that could harm it and sometimes lead to severe impacts. Information technology and cyber security go hand in hand nowadays. Certified Ethical Hacker is one of the most popular certifications that can help an individual start or migrate their career into cyber security.

The IT of any organisation comprises networks and applications; companies need to monitor and secure both in order to safeguard their critical data. CEH gives a comprehensive overview of a hacker's mindset and methodology. We can replicate the same steps in our own environment, find the loopholes that could attract a malicious user, and patch them before they can be exploited.

A security assessment has the following steps:

Reconnaissance: generally known as recce or information gathering on the target network or application. In this phase you collect the target's information from various public and private sources.

Network Scanning: here the networks or applications are scanned to find the vulnerabilities or weaknesses in them; remember this needs to be done in stealth mode, otherwise the target can identify the scan and block your connection.

Gaining Access: once the vulnerabilities are known, you are good to enter or penetrate the system by exploiting them, and you can even obtain Administrator or root access.

Maintaining Access: here we learn how to hide within the system by migrating to system files, so as to retain access for a longer time.

Covering Tracks: once all the necessary information is captured, you would remove all your footprints or logs from the system so that you cannot be traced back.

Skillset of a CEH certified candidate:

  • A Certified Ethical Hacker knows multiple techniques of information gathering through different resources like publicly available information, websites and social media, and can thus identify the publicly visible weak links or basic information about the tools and techniques used by the organisation.
  • A CEH knows various techniques to scan the network using customised commands, and can thus identify the unnecessary ports or exploitable versions of services present on the company's servers and network.
  • A CEH knows how a web application can be exploited through different kinds of vulnerabilities like SQL injection, privilege escalation, command injection, cross-site scripting (XSS), weak passwords, weak sessions etc.
  • A CEH knows how to identify vulnerabilities in a Wi-Fi network and how to exploit them.
  • A CEH is aware of different kinds of malware and their working methodologies, and also knows how to detect hidden malware in files or software by performing reverse engineering.
  • A CEH has good knowledge of Cloud Computing and Internet of Things (IoT) hacking. Since IoT and Cloud Computing are both among the most used technologies nowadays, a CEH with good knowledge of security assessment of these can identify loopholes in these systems before they are exploited by a malicious user.
  • A CEH knows the security assessment techniques for mobile applications, both Android and iOS.
  • A CEH knows how network devices like firewalls, IDS and honeypots work and how they can be exploited.
  • A CEH knows different techniques of sniffing a network and how to capture critical information travelling through networks. In this way he or she can help the organisation find vulnerabilities present in the network, and the organisation can patch them before they are exploited.
  • A Certified Ethical Hacker knows different techniques to identify vulnerabilities which could lead to session hijacking of any web application.
  • In addition to all the above skillsets, a CEH also knows different tools like Nessus, Burp Suite, Wireshark, Nmap, Zenmap, Metasploit, Acunetix and many other tools commonly used in security assessments.

Scope after getting CEH

  • You can work as a security tester or security analyst performing Vulnerability Analysis and Penetration Testing (VAPT) on web applications, mobile applications and networks.
  • One can work as a network security analyst in a Security Operations Centre (SOC), where the organisation's network is constantly monitored and subsequent actions are taken against any kind of malicious traffic.
  • If you have a good knack for programming languages, you can work as a secure code reviewer, which is again a very demanding job nowadays.
  • If you have good programming skills along with knowledge of ethical hacking, you can work as an exploit writer. Many companies are working on this.
  • Last but not least, one can work as a freelance bug bounty hunter and get paid well.

Ethical hackers or security testers are professionals who have very good knowledge of networks and applications, and at the same time know how to maintain the security of both so that they can be safeguarded from hackers. Ethical hackers constantly test the organisation's applications, network devices and networks, find vulnerabilities in them, and ask the IT team to patch those vulnerabilities.

Attaining a cyber security skillset along with CEH certification is definitely a very good credential that can help anyone land a good job in any organisation.

Nowadays many renowned companies are developing their own cyber security teams, and they also get their infrastructure tested by third parties just to be sure of their security. While hiring a third party, organisations are very particular about the individual's qualifications and experience; CEH certification is the answer to that because it provides assurance about the candidate's skillset. As a whole, CEH certification holds a good reputation in the industry.

#Tags: Jobs, Hacking, Career, CV, Certification

#Keywords: Cyber Security, CEH, Certified Ethical Hacker, Security Testing, Information Security, IoT Hacking, Mobile Application Hacking, Web Application Hacking

INFORMATION SECURITY-KNOW WHAT COMPLIANCE YOUR ORGANIZATION NEED http://www.cyberlaws.org/information-security-compliance-organization-need/ Sun, 22 Mar 2020 06:42:56 +0000 http://www.cyberlaws.org/?p=8

INFORMATION SECURITY-KNOW WHAT COMPLIANCE YOUR ORGANIZATION NEED

Data is the most critical part of any business. Every organization either produces its own data or acquires it from its employees or customers, so it becomes the organization's responsibility to safeguard that data from unauthorized access. Digitization and digitalization have changed the working techniques of every organization. Almost all data now resides on information systems, which increases the risk of information exposure to the outside world. Many organisations already know the importance of information security and are working in a controlled environment in one way or another; however, there are many organisations that still do not consider information security necessary for their business. Statutory and regulatory bodies have made information security mandatory for many businesses. Let's discuss the different information security compliance regimes for organisations.

Why Organisations need IT Security Compliance

Compliance is a set of guidelines from a regulatory body to which the organisation needs to adhere. Compliance brings great benefits for organisations:

  • Improvement in information security: IT security regulations improve an organisation's security measures by setting baseline requirements. These baseline requirements help keep business data-security levels relatively consistent within the respective industries.
  • Increased control over information systems: improved security goes hand in hand with increased control. This helps prevent employee mistakes and insider theft through enhanced authentication mechanisms, while keeping an eye on outside threats.
  • Minimised organisational losses: improved security, in turn, prevents breaches, which are costly to businesses. Many organisations end up losing a very large amount of their revenue in sales, repair costs and legal fees, all of which can be avoided with the right preventive measures.
  • Maintained trust with customers: a better information security system definitely builds and maintains customer trust. Customers trust organisations that keep their information safe, secure and available at the right time.

Numerous IT security compliance regimes exist, each related to different industry verticals. The most common include:

Health Insurance Portability and Accountability Act of 1996(HIPAA)

INDUSTRIES AFFECTED: this act affects any organisation or office that deals with healthcare data. That includes, but is not limited to, doctors' offices, insurance companies, business associates, and employers.

WHAT HIPAA regulates: this act is divided into 5 titles.

Title I: it protects the health insurance coverage of employees when they change jobs or are laid off.

Title II: it controls health care fraud and abuse. It also establishes policies and procedures for maintaining the privacy and security of individually identifiable health information, outlines numerous offenses relating to health care, and establishes civil and criminal penalties for violations.

Title III: this sets guidelines for pre-tax medical spending accounts.

Title IV: this sets guidelines for group health plans regarding coverage of persons with pre-existing conditions, and modifies continuation-of-coverage requirements.

Title V: this governs company-owned life insurance policies.

General Data Protection Regulation (EU) 2016/679 (GDPR)

INDUSTRIES AFFECTED: this regulation impacts all organisations that process personal data in any form. This includes any cloud service provider, marketing company, insurance provider, law firm, data analytics company and many more. GDPR applies to all organisations collecting and processing personal data of people residing in the European Union, even if the organisation is not physically located or based in the European Union.

WHAT GDPR regulates: the General Data Protection Regulation (GDPR) has 11 chapters: general provisions, principles, rights of data subjects, controller and processor, transfer of personal data to third countries or international organisations, independent supervisory authorities, cooperation and consistency, remedies, penalties and liabilities, delegated acts and implementing acts, and final provisions.

GDPR's motive is to protect the personal data of European Union (EU) citizens from data breaches.


Payment Card Industry Data Security Standard (PCI-DSS)

INDUSTRIES AFFECTED: the Payment Card Industry Data Security Standard (PCI DSS) is meant for all organisations that handle credit card data.

WHAT PCI DSS regulates: PCI DSS sets out 12 requirements designed to protect customer credit card information and reduce fraud. The compliance goals of PCI DSS are: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.


Sarbanes-Oxley Act of 2002(SOX)

INDUSTRIES AFFECTED: this regulation is meant for all U.S. public company boards, management and public accounting firms. In addition, a number of provisions of the Act also apply to privately held companies, such as those on the willful destruction of evidence to impede a federal investigation.

WHAT SOX regulates: the Sarbanes-Oxley Act has eleven sections: Public Company Accounting Oversight Board (PCAOB), auditor independence, corporate responsibility, enhanced financial disclosures, analyst conflicts of interest, commission resources and authority, studies and reports, corporate and criminal fraud accountability, white-collar crime penalty enhancement, corporate tax returns, and corporate fraud accountability.

According to this act, organisations are required to maintain financial records for seven years. It was implemented to prevent financial scandals like Enron.


The Federal Information Security Management Act (FISMA)

INDUSTRIES AFFECTED: the Federal Information Security Management Act (FISMA) applies to all federal agencies in the US. According to FISMA, every federal agency needs to develop, document and implement an agency-wide program to provide information security for its information and information systems. This also includes information and information systems provided or managed by another agency, contractor, or other source.

WHAT FISMA regulates: FISMA defines a framework for managing the information security of information systems. According to NIST, FISMA compliance is divided into: inventory of information systems, categorization of information and information systems according to risk, implementation of security controls, risk assessment, system security plan, certification and accreditation, and continuous monitoring.


There are many other laws and regulations in place to protect information. However, it is not always clear to decision makers or compliance officers which regulations or compliance regimes apply to their organisation. Compliance is a very critical part of any business. Not adhering to a mandatory compliance requirement can lead to serious consequences, sometimes unnecessary disruption of the business. So it is very necessary for organisations to identify and understand all the regulations applicable to the business and adhere to all their requirements.

#tags: SOX, FISMA, HIPAA, GDPR, regulatory

#keywords: compliance, SOX, FISMA, PCI DSS, HIPAA, GDPR, information security, data protection
