Cyberlaws.org (http://www.cyberlaws.org), Compliance | Security | Legal

Guide to Secure Passwords and Logins in 2021
http://www.cyberlaws.org/guide-to-secure-passwords-and-logins-in-2021/ (Tue, 13 Jul 2021)


According to research done by the Ponemon Institute, people use one password for up to five accounts on average. If that password is compromised, all of those accounts are at risk, which can lead to data loss and even financial loss. Statistics also show that at least 60% of passwords used by companies do not meet the minimum security threshold.

Since the inception of the internet, password security has been one of the most discussed topics in online security. While it was acceptable 20 years ago to use something as simple as your name or year of birth as a password, that is no longer viable today, when attackers are constantly probing for weak passwords.

The use of weak passwords has had catastrophic consequences for businesses and individuals, with more than 80% of data breaches occurring because of weak password security. As more people and institutions rely on the cloud to store data, login credentials are the only line of defense for that data, hence the need for well-protected credentials.

Here is how to secure your passwords in 2021.

Use a Password Manager

Most people use the same password for multiple accounts to avoid having to memorize different passwords. If this sounds like you, a password manager is the solution you need. There are numerous password managers available in the market. With a password manager, you do not have to memorize your password since it creates and saves unique passwords for all your accounts.

The best password manager also alerts you whenever a password is compromised or too weak and needs changing. The password manager auto-fills the login details whenever you need to access an account, taking away the need to remember all your credentials.

Set strong passwords

The first line of defense against password loss is a strong password. Length matters: every additional character multiplies the number of guesses an attacker needs to crack it. Ensure the password comprises letters, special characters, and numbers.

Avoid reusing passwords

Reusing passwords is one of the most common causes of multiple account hacks. Imagine having to use one key for your home, car, mailbox, office, and storage. If you lost this key, the one who finds it would have access to all these places. The same goes for passwords. If you use one password for multiple accounts, a hacker can access all these accounts if they get hold of your password.

Reinforce security with 2FA

2FA has become a requirement for password security. It provides additional protection for your accounts even if your password is compromised. With 2FA, anyone trying to access your account must also verify their identity using a unique code sent to a mobile device. Unless an attacker also has access to your devices, 2FA renders their attempts useless.

WHY DATA PRIVACY IS IMPORTANT FOR EVERY ORGANIZATION?
http://www.cyberlaws.org/data-security-is-most-important-requirement-to-the-customers-or-user-if-the-organisation-wants-to-run-a-business-successfully/ (Thu, 15 Apr 2021)

What is Data and Data Privacy?

Data security is the most important requirement for customers and users. If an organisation wants to run a business successfully, it needs to give assurance of data protection, since that tells customers their data is being collected, processed, and transferred through secure mechanisms. Data is critical for businesses of all sizes, from a small start-up to a global conglomerate, and so is data privacy.

Data is information processed by a computer system and stored on a system known as a server. This information may take the form of text, images, documents, audio clips, software programs, patents, financial information, secret information, health data, personal information or other types of data.

Every organisation collects data through different mediums, either by old traditional methods or by modern digital methods. Be it hospitals, banks, companies or government departments, data is everywhere. Processed data is known as information.

Sometimes a set of data can constitute sensitive information, so data privacy is a mechanism to maintain our privacy online, because information is a highly valuable asset and a sought-after commodity for malicious users and cyber criminals. As an end user it is essential to know what is happening with our online information, what can be done with the data and who can have access to it. Users often give their consent and allow companies to track and store their data, which can have disastrous results, so one should have a say in the matter.

Organisations normally focus on the risks originating from hackers and cyber criminals, but data privacy is much more than that. Protecting your data privacy is as significant as managing your data security.

First and foremost, data privacy is an arm of data security and its motive is to safeguard the data from unauthorized access. Data privacy aims at the proper handling of information, based on:

  • Regulatory requirements and data privacy laws
  • Consent of the data owner
  • Privacy notice
  • The public expectation of privacy.

The main objective of data privacy is to safeguard users’ data according to the regulations and users’ rights. The main factors to consider are:

  • How to collect and share the data legally
  • Whether data can be shared with third parties, and identification of the third parties with whom data can be shared.
  • Adhering to regulatory compliance and legal limits such as HIPAA (Health Insurance Portability and Accountability Act), GDPR (The General Data Protection Regulation), GLBA (The Gramm-Leach-Bliley Act), CCPA (The California Consumer Privacy Act), ECPA (Electronic Communications Privacy Act 1986), Personal Information Protection and Electronic Data Act (PIPEDA) and so on. Different countries have different data protection regulations, and each regulation has its own set of rules and legislation pertaining to a specific area, purpose, and type of company or individual.

In a nutshell, this means protecting critical user information, primarily an individual’s PII (personally identifiable information). PII consists of:

  • Full name
  • Address
  • Contact details
  • Date of birth
  • Social Security Number
  • Bank account number
  • Driving licence number
  • Other personal information, such as:
    • IP address
    • Profile photo
    • Social media posts
    • Financial information
    • Medical information
    • Location
    • Further items, depending on the applicable regulation.

Importance of Data Privacy and Data Security for Business

  • Data privacy and security help protect customers’ data privacy.
  • They reduce the number of information security incidents, such as data breaches, that an organisation can suffer.
  • They help maintain, improve and retain the brand value of the business.
  • They safeguard the business from hefty penalties for violating the rules. Regulators impose large penalties for data breaches, which can range from a few thousand dollars to a large share of revenue, depending on the type of incident.
  • Data sharing is limited, and third parties are identified in advance according to the risk level of the data.
  • They save organisations from theft of data by hackers or cyber criminals, which can cause enormous monetary losses.
  • Data privacy limits access to customers’ critical data and hence safeguards customers’ right to be free from uninvited surveillance.
  • They help organisations keep track of their data breach records so that lessons can be learned and recurrence avoided.
  • Nowadays most businesses run on customers’ critical data, so safeguarding privacy expectations should be a priority for the organisation.
  • They protect organisations from loss of revenue.
  • They also provide a competitive advantage to the business.
  • Last but not least, they help adherence to strict policies on how PII is collected, accessed, protected, and erased.
  • Data security and privacy controls enhance the company’s reputation and build customer trust.

Importance of Data Privacy for Users

  • It provides assurance against unauthorised access to data.
  • It keeps customers’ personal, health and financial information safe.
  • It generates trust for the customer.
  • It gives the end user or customer a legal right to challenge the company in case of a data breach.
  • Data can only be collected with the users’ consent.
  • Companies that collect data provide a data security guarantee to the end user.

Tips and Tricks to help protect your personal data

Data privacy is such an important issue that many government organisations and companies spend a good part of their revenue each year to protect their data, which may include your PII (personally identifiable information), from exposure. As an end user you may not be able to implement high-end security solutions to safeguard your personal data, but there are inexpensive steps you can take to help protect it. Below are a few suggestions:

  • Use strong passwords for your online accounts and avoid using the same password for multiple accounts. Change passwords on a regular basis.
  • Change the default password on your home network devices, especially the Wi-Fi device. A weak password is easy to guess, and any unauthorised person could connect to your network with malicious intent.
  • Avoid clicking on random links received via mail or message; they can be malicious links that give a cyber criminal access to your device, allowing them to eavesdrop on your network traffic, including personal data.
  • Never share personal details like bank account number, credit card details, social security number or Aadhar card number over a call.
  • Avoid posting personal details like phone number and address on public platforms unless necessary. This can be very dangerous if accessed by a cyber criminal.
  • Avoid sharing too much personal information on social media platforms.
  • Always use the security settings on social media accounts; you can secure your accounts by changing the privacy settings. Keep your social media accounts in the most private mode to avoid disclosure of personal information.
  • Use a VPN (Virtual Private Network) for online activities, but avoid free VPN services for financial transactions.
  • Share your personal details only with websites that use encryption.
  • Carefully shred all personal documents, receipts, bank statements and courier packaging before discarding them.
  • Use genuine software on your system.
  • Install antivirus and anti-malware software.
  • Always keep the firewall on.

Data protection regulations and laws of different countries are developed and designed to maintain the data privacy of the citizens of that particular country. Many countries already have data privacy laws in place, but there are also countries with no such laws. Having a framework for data privacy and security will definitely safeguard critical information. A set of defined roles and responsibilities; network security controls like firewalls, secure configurations, intrusion detection and prevention systems, monitoring and logging of activities; and proper procedures and processes for activities like access provisioning and de-provisioning, change management, patch management, backup management, privileged access management and physical security management certainly provide a more secure environment for data and information systems. The expectations and responsibilities of third-party service providers also play a critical role in data security. Technical controls should match the organisation’s risk appetite and the relevant regulations.

Although cyber criminals keep inventing new techniques to intrude into networks, using encryption keeps the data in a non-readable format.

Data is the most precious asset for both organisations and customers. A vigilant consumer, and an organisation with adequate resources, diligent employees, regular monitoring, proper governance and periodic reviews, can safeguard their information assets and maintain data privacy and security.

Keywords: data security, data privacy, encryption, cybercriminals, hackers, GDPR, HIPAA, GLBA, CCPA, ECPA, PIPEDA, password protection, network security, patch management

HOW ORGANISATIONS CAN ENSURE CYBER SECURITY DURING REMOTE WORKING
http://www.cyberlaws.org/how-organisations-can-ensure-cyber-security-during-remote-working/ (Sat, 03 Apr 2021)

The global pandemic has entirely changed the work culture of organisations: over 75 percent of private-sector employees are working from home, the rest are working remotely at least once a week, and many are willing to work from home more often if their job permits.

Presently, most organisations, including start-ups, are offering the option to work from home because of the serious health threats to employees and to ensure business continuity. Top management and business leaders from all sorts of companies, including start-ups, are recognising the benefits of permitting remote work.

Previously, most organisations weren’t set up to work remotely and preferred working on office premises only, but the COVID-19 pandemic and the resulting lockdowns in many countries mean that many companies and their employees are now mostly working from home (WFH) full-time.

With business continuity in focus, organisations allowed remote working, but cyber security and information security have become a serious concern. On one side, the work-from-home option has reduced commuting time for employees, given workers more liberty and even increased productivity; on the other side, there are cyber security risks and challenges that come with allowing employees to work from home or from any remote location.

What are the Risks of Work from Home/Remote Work?

Data security and cyber security are paramount while working from home. Organisations need secure communication channels to access their information systems hosted on premises, and some organisations, mainly start-ups, may face operational risks such as not being able to support a huge number of simultaneous remote connections to their infrastructure and IT services. This is troublesome for employees who need access to internal resources, and it places an additional burden on IT teams that are not properly prepared.

This is a business disruption risk, and it causes unnecessary stress for an IT department that is already overworked and overburdened trying to fix the issue on the go. That in turn carries the risk of not properly implementing access, authorisation and authentication policies, which may result in employees accessing resources that they shouldn’t.

To reduce the risk of unapproved remote access to the organisation’s IT infrastructure, IT teams and information/cyber security teams shall make it explicit which applications, services and VPN clients are supported by the organisation’s IT infrastructure. Any unauthorised attempt to access the internal IT infrastructure with illegitimate or unknown tools should be treated as a cyber risk and blocked immediately.

Many companies have a well-defined and strict IT and information security policy for centrally managing and deploying software. For security patch updates to endpoints, gradual rollout procedures should be designed: delivering them all at once to remote devices connected over VPN could create a bandwidth traffic jam and affect inbound and outbound traffic. Backups of individual laptops can be a tough task if the backup servers are hosted on premises. Last but not least, enabling disk encryption on all endpoints should be a priority, as it minimises the risk of sensitive data being accessed or compromised through unauthorised access or device theft.

 

Cyber Security Guidelines for Work from Home?

  1. Having a Teleworking/Work from Home Policy

First and foremost, defining a “Remote”, “Work from Home” or “Teleworking” policy is a must if your organisation or start-up allows employees to work from home or from locations outside the office premises. This policy shall establish a set of procedures and guidelines that employees must follow in order to work from home. It will reduce the inherent risks of working remotely, since the organisation and its employees are explicitly aware of their WFH responsibilities and the consequences.

The teleworking/remote working policy shall include:

  • Employee responsibilities
  • Procedure for reporting information security incidents
  • Approval process for remote connections
  • Workspace security mandates
  • System configuration/hardening steps
  • Use of encryption for all data that is stored and in transit
  • Mandatory use of a secured channel such as VPN for remote workers
  2. Information security training for top management and employees

Conduct periodic (monthly or quarterly) training sessions to keep your employees and top management aware of and educated on cyber security and information security risks, and on their responsibilities under the organisation’s information security program when working from home.

Basic cyber security drills shall be conducted on a regular basis, and the organisation’s information security awareness program shall be updated accordingly. Employees shall be aware of phishing attacks and spam mails, and of how to secure their home Wi-Fi network.

Each and every employee shall be aware of the risk of using public Wi-Fi with the organisation’s systems. Employees should know whom to contact in case of a cyber security incident.

Top management is more prone to cyber security attacks and shall be adequately trained.

The organisation shall assess the information security awareness of employees and top management on a timely basis.

  3. Use of advanced technology and tools for data protection

A well-defined policy helps employees know what they need to do and how to do it, but providing them with the right technology tools also reduces the risks of working remotely. The technology will vary depending on the organisation and the roles of its employees. Below are a few examples of tools that help protect data during remote working:

  • Enable built-in firewalls: firewalls are a basic defence against information security risks. Nowadays every operating system has a built-in firewall that can block malicious inbound or outbound requests.
  • Enable built-in encryption: system data is encrypted using the built-in encryption features, which helps if the drive is lost or stolen. The recovery keys, however, must be kept safely by the IT administrator.
  • Use a Virtual Private Network (VPN): a VPN provides a secured tunnel for data travelling to the servers and makes it difficult for malicious users or hackers to intercept. The organisation shall accept only traffic coming through the VPN, and employees shall always use the VPN to connect to the office network, especially when on a shared network at home or outside.
  • Use password managers: these help employees store their passwords and generate secure ones, reducing the risk of employees using the same password for all services and applications.
  4. Enablement of two-factor authentication

Use of two-factor authentication for critical information assets is a must, since it provides assurance that the data request is coming from a genuine source. This method reduces the risk of phishing and malware attacks.

  5. Monitor your third-party vendors and service providers

Organisations often outsource some services. In that case the vendors shall be regularly monitored under the supplier information security policy. Assess your vendors’ cyber security programs on a regular basis, because a vendor can itself become a risk to the organisation’s information security.

  6. Use of access control

The organisation shall implement an access control policy in order to reduce data breaches and data leaks. Least privilege shall be applied when granting permissions to any user. Access should be based on the employee’s role in the organisation, and these accesses shall be monitored on a timely basis.

  7. Enforcement of strong passwords on applications, servers and employee devices

The organisation shall ensure that a strong password policy is enforced on employee devices, applications and servers.

  8. Use of web security protection

Last but not least, organisations should deploy security solutions like antivirus, anti-phishing and anti-malware on employee endpoints, along with technologies capable of preventing the exploitation of network vulnerabilities. Many such solutions are available in the market nowadays.

Only deploying these solutions is not sufficient: they shall be updated and monitored regularly, and necessary actions shall be taken on their findings. The organisation shall deploy solutions that can accurately detect phishing attempts and known malware attacks.

Work from home or remote working has given a golden opportunity to hackers and cyber criminals, and it is a challenge for the organisation’s IT team and information security team. Managing cyber security during remote working is a tedious job for organisations, but proper technology and monitoring can certainly manage it. Organisations shall treat cyber security as a risk and invest appropriately in safeguarding their information assets. A vigilant and aware team can save the organisation from cyber attacks and hence from financial, reputational and business operational loss.

Keywords: information security, cyber security, data protection, VPN, training and awareness, strong password, business continuity, access control, remote working, work from home, cyber security risk.

Cybersecurity in Crypto Currency Business
http://www.cyberlaws.org/crypto-currency-is-secured-by-using-cryptography-techniques/ (Thu, 18 Mar 2021)

A crypto currency, as the name suggests, is a secured virtual or digital currency. Crypto currency is secured using cryptographic techniques, which make it highly secure and nearly impossible to forge or replicate. Crypto currencies are based on blockchain technology on decentralised networks: a distributed ledger enforced by a disparate network of computers.

As crypto currencies become more popular worldwide, there is concern that cyber criminals or hackers will use them to disguise illegitimate activities on other platforms, particularly when it comes to laundering funds.

Digital currencies use the principles of cryptography to secure transactions. While regulators and governments are still trying to figure out appropriate legal structures and business norms governing crypto currencies, hackers and cyber criminals are finding intelligent ways to exploit that window of opportunity by identifying vulnerabilities in the crypto currency business.

Cyber security of crypto currency is a concerning issue, and it is obvious that the cyber security industry has to seriously consider crypto currency security and the issues surrounding it. Because crypto currency transactions are untraceable and irreversible, they raise many potential issues for consumers and organisations alike who hold crypto currency.

Despite the cyber security threats and risks, many individuals still want to participate in the crypto currency market and acquire it. Some are technology enthusiasts who want to be part of a new wave of technology; a much larger number want to become millionaires in a short span of time. If you fall into either category, these tips may help secure your crypto currency account.

There are a few to-dos on which security experts agree for keeping crypto currency out of the hands of cyber criminals or hackers:

Use Hardware Wallets

The first and foremost thing is to keep cyber security the topmost priority: an individual’s private key is the way to access crypto currency, so it is essential to keep it safe. Do not keep your keys online. One may use a hardware wallet, a device that looks like a USB stick and contains the private key. The key is kept in an encoded form inside the hardware wallet; one simply plugs the wallet into the system when making a transaction, and the key always remains on the device, so there is hardly any chance of it being accessed or stolen from your system by cyber criminals or other unauthorised users. One can make duplicates of the wallet and keep them in another safe place, so that a backup is always available. A hardware wallet is highly recommended for strong security.

Use unique and strong Passwords/Passphrases:

Use of strong passwords helps keep crypto currency safer. The passwords or passphrases used for crypto currency accounts should not resemble any passwords or passphrases used for other types of logins. Passwords should always be treated as a security measure, not a convenience. Long and complex phrases with digits, letters and special characters that would be impossible to guess are recommended. A good password should not be guessable by cyber criminals or hackers. Avoid using personal information like name, age, date of birth or spouse’s name as a password, and don’t share too much personal information online. Try to remember your password; if you must store it somewhere, keep it offline and out of reach of any unauthorised person.

Create Separate encrypted email accounts

The next recommendation is to create a separate encrypted email account for communication regarding crypto currency. There are plenty of secure, encrypted email services that offer free accounts, which are often the best choice; extra premium features that enhance the account’s security can be had for a small fee. Commonly available free email services can be compromised more easily and can leave important information accessible to unauthorised personnel or cyber criminals. A separate encrypted email account that is not connected to other activities, especially social media, keeps confidential and critical information and communication separate and less prone to cyber attack.

Use Ad Blocker Software:

Using ad blocker software on the computers and devices used for crypto currency is vital; nowadays many anti-virus products provide ad-blocking services. The ad-blocking features of the browser shall also be enabled for extra security. Keeping your systems free of malware and other types of cyber attack automatically reduces the risk. Restarting the computer and clearing the cookies after each session is highly advisable in conjunction with the software.

Validate the URL:

While dealing with crypto currency it is very important to validate the URL (Uniform Resource Locator) of the site you are using before entering any critical information. Phishing attacks are very common against crypto currency websites. Avoid clicking on any link received by mail or message without verifying it. Phishing attacks can be avoided by confirming that the web address is the correct address associated with the desired account or platform.
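As an added example (not from the original post) of what "validate the URL" means in practice, the Python check below compares the host a browser would actually connect to against a small allow-list, and contrasts it with the substring check a hurried user makes by eye. The allow-list hostnames and the sample links are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list (an assumption for this example): the exact hostnames
# of the crypto services the reader actually holds accounts with.
TRUSTED_HOSTS = {"exchange.example", "wallet.example"}


def connect_host(url: str):
    """Return the host a browser would really connect to for `url`, or None.

    urlsplit() handles the tricks that fool an eyeball check: userinfo before
    '@', trailing dots, port numbers and upper-case letters in the host part.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    if parts.scheme.lower() != "https":  # the post's advice: encrypted sites only
        return None
    host = parts.hostname  # already lower-cased; userinfo and port removed
    if not host:
        return None
    return host.rstrip(".")


def is_trusted(url: str) -> bool:
    """Exact-host match against the allow-list; no substring or prefix matching."""
    host = connect_host(url)
    return host is not None and host in TRUSTED_HOSTS


def naive_check(url: str) -> bool:
    """The check a hurried user makes: 'does the link contain my site's name?'"""
    return any(h in url.lower() for h in TRUSTED_HOSTS)


# Constructed sample links of the kind that arrive by mail or chat.
SAMPLE_LINKS = [
    "https://exchange.example/login",                 # genuine
    "https://Exchange.Example:443/login",             # genuine, odd casing and port
    "https://exchange.example.attacker.test/login",   # trusted name as a subdomain
    "https://exchange.example@attacker.test/login",   # trusted name in userinfo
    "http://exchange.example/login",                  # right host, but no TLS
    "https://exchange.exampie/login",                 # i-for-l lookalike
]


def classify(urls):
    """Return (url, naive_verdict, real_verdict) so the gap between them is visible."""
    return [(u, naive_check(u), is_trusted(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, real in classify(SAMPLE_LINKS):
        print(f"{'TRUST' if real else 'REJECT':6} naive={naive!s:5} {url}")
```

The three middle sample links all pass the naive substring check and all fail the real one, which is exactly the gap phishing links rely on.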

Unlike paper currencies, which are controlled by governments, crypto currencies or digital currencies are fully decentralised and operate independently of any regulation. Crypto currency is still unregulated in many countries, so there are no security audits, assessments or controls for crypto currency systems; in spite of that, extensive media coverage and high returns are luring customers to invest. The security risks, however, are real, and they can be financially disastrous for those who do not pay attention to them and are not keen to learn how to protect themselves from the dangers associated with digital currency.

Crypto currency certainly provides ease of use and a globalised currency, but improper and insecure use can lead to catastrophic results. Technology that is not used properly can result in disaster.

Undoubtedly, acquiring crypto currency is both extremely interesting and filled with risk. Knowing what the threats are and how to safeguard digital assets will help you make an informed decision to determine if investing in digital currency is the right choice for you or not.

Keywords: Cryptocurrency, cybersecurity, digital currency, cybercriminals, hackers, password protection, ad-blocker, digital keys, cyber attacks.

How to Handle Cyber-Security Incidents in Start-Ups
http://www.cyberlaws.org/how-to-handle-cyber-security-incidents-in-start-ups/ (Sun, 07 Mar 2021)

In the current age, information technology has penetrated almost every area of our lives, personal and professional; in other words, our lives have become completely dependent on technology. Be it organisational or personal, the amount of data collected and processed by big companies and start-ups is alarming. Human beings have become so dependent on technology, hardware and software, from handheld to wearable to implantable devices, that technology is all but inseparable from us.

Be it office work or daily household tasks, technology has entered every sector and made work easier and more efficient. All technology gadgets and services have one thing in common, however: data processing. The data they process, such as PII (Personally Identifiable Information) and PHI (Protected Health Information) about individuals, and the critical financial, scientific and confidential data of organisations and countries, is extremely lucrative to competitors and cyber criminals, ranging from hackers, script kiddies, wannabes, elites and activists to crackers, phreakers, punks and ciphers.

For example, if you are a start-up providing information technology services to a government or to any other big organisation that processes critical data, then a vulnerability in your system is a potential risk that could lead to a data breach at your client. As per recent trends, at least one new zero-day vulnerability is found each week. As zero-day vulnerabilities are discovered, they serve as tools for cyber criminals and hackers to intensify attacks. Hence proactive measures such as an incident management or cyber crisis management plan can be an effective way to limit or even prevent the propagation of a cyber security attack.

IMPACTS OF CYBER SECURITY BREACHES IN START-UPS

Cybersecurity breaches affect organizations and companies in different ways, many of which cause serious, if not permanent, damage to organizations and start-ups. Some effects of cyber breaches are:

  • Financial losses: An intense cyber security breach can damage critical servers and hardware, leading to financial loss. In addition, an organisation that is not capable of securing its information assets and is prone to frequent cyber security attacks is liable for penalties imposed by clients or the government.
  • Loss of confidential data: This is often the major consequence of a cybersecurity attack. Confidential data ranging from credit card numbers, Aadhaar numbers, PAN numbers, phone numbers, social security numbers and health records right up to software designs, code, military confidential or classified information and medical formulas could be stolen.
  • Loss of reputation and degradation of value in the business market are often cited as a significant concern. The trust and value built between companies and their customers are brought into question after a mishandled cybersecurity attack, especially when the company fails to respond promptly.
  • Competitiveness between firms and organizations becomes compromised. This can be a disaster from which small to medium organizations or start-ups might never recover.

Organizations can withstand cyber security breaches or incidents by adopting different kinds of strategies: preventive measures to avoid a potential attack, and corrective measures describing how to respond when a breach or attack occurs, for example a zero-day attack. Both methodologies require intensive monitoring of the information systems.

STEPS TO AVOID A POTENTIAL CYBERSECURITY ATTACK

Cyber security attacks are of various kinds and natures, and there is an enormous number of resources out there stating how to prepare for the inevitability of a cyber-attack. Cyber risk can arise at various points, such as open ports, unattended laptops and desktops, or improper patch management, and addressing it requires the involvement of employees from the top to the lowest level of the organisation. There is no perfect methodology or solution for handling cyber security incidents or attacks in an organisation, but the impact can be minimised if they are handled properly. The following points strengthen cyber security:

  • Perform a cyber security risk assessment: Perform an intensive risk assessment for your business, identify all the possible weak points that could lead to a cyber security attack, and work out a risk mitigation plan for each risk. Don’t leave any risk unattended.
  • Train employees: In any organisation, aware employees are helpful in handling cyber security incidents. Any organisation or start-up should provide adequate training to those handling sensitive data.
  • Regularly back up sensitive data: Data is the core of every company. Unavailability of data can destabilize, disrupt and even shut down start-ups or organizations. Having a data backup at an alternate location, online or offline, is the key to surviving a cybersecurity breach or incident. Remember, data availability is one of the key components of cybersecurity.
  • Screen employees prior to employment: A proper policy and SOP for employee screening shall be developed and followed with due diligence. Since employees are often the weakest link in a cyber-security plan, all future employees should be screened to validate the cyber-security skill sets desired for their respective positions in the organisation or start-up.
  • Keep systems updated with regular patches: Most start-ups and small companies don’t have proper patch management programs for systems and software, which can lead to serious cyber threats because unpatched vulnerabilities can be exploited by cybercriminals to access your systems. Routinely applying security patches to software and hardware systems in a timely manner reduces cyber security threats, as most threats exploit known vulnerabilities (weaknesses).
  • Adopt a security culture and take cyber threats seriously: As part of the organisation’s culture, cyber-security must be a priority for management. Negligence can lead to unrecoverable cyber-attacks. Management should provide an adequate budget for enhancing cyber-security in the organisation.
  • Develop a cyber crisis management plan: Since cyber incidents come unannounced, organizations and start-ups should identify and classify different cyber-security attack scenarios and generate a mitigation plan for each. Tabletop exercises are helpful for understanding readiness. A contingency plan shall be developed.

A well-skilled team for handling cyber security is very important in any organisation. Having a Data Privacy Officer (DPO), Chief Information Security Officer (CISO), Chief Information Officer (CIO), etc., with well-defined roles is helpful for any organisation.

HOW TO RESPOND TO SECURITY BREACHES?

  1. Establish an Incident Response Team (IRT).

Create an IRT with the skill sets needed to handle cyber security incidents. Define the roles and responsibilities of each member, which may in some cases take precedence over normal duties. The IRT can comprise a variety of departments, including Information Technology, Finance, Compliance and Human Resources.

Your Incident Response Team (IRT) should include your Chief Information Security Officer (CISO), who will lead the team and set the organisation’s security policy direction. In the case of a start-up, a Virtual CISO can fill this role.

  2. Identify the type and extent of the incident.

An impact matrix for incidents should be clearly defined for damage assessment and for determining the appropriate response. For example, an incident where a computer virus is easily detected and removed and which has not impacted any external or internal parties can be categorised as low and should not be escalated.

However, an incident which impacts clients and customers should be escalated to the IRT.

  3. Escalate incidents as necessary.

Employees are the first to observe cyber security incidents. Any kind of incident, including abnormal system behaviour, phishing mails, fraudulent mails, etc., shall be immediately escalated to the IRT so that timely corrective action can be taken to mitigate suspected vulnerabilities and avoid unexpected downtime.

  4. Notify affected parties, government bodies and outside organizations.

Identify and assign responsibility to one member of the IRT for managing communication to affected parties (e.g. government bodies, investors, third party vendors, etc.). Depending on the severity of the incident, this IRT member should inform the affected parties and law enforcement agencies.

  5. Gather and analyse evidence.

The IRT is responsible for identifying, gathering and analysing both physical and electronic evidence as part of the investigation. This evidence shall be kept securely as part of the incident artefacts. Lessons learnt should be documented for the future.

  6. Mitigate risk and exposure.

Technical members of the IRT shall be responsible for monitoring the situation and ensuring that any effects or damage created as a result of the incident are appropriately repaired and that measures are taken to minimize future occurrences.

Since cyber security is the responsibility of everybody in the organisation, the necessary disciplinary action shall be defined for those found responsible. An adequate penalty or action shall act as a deterrent and help in reducing cyber-security incidents.

Keywords: Cyber-Security, Information Security, Cyber-Security incidents, CISO, Virtual-CISO, hacking, cybercriminal, start-ups, incident-response

Cyber Security Compliance for Start-ups
http://www.cyberlaws.org/cyber-security-compliance-for-startups/ (Sun, 21 Feb 2021 17:27:31 +0000)

Start-ups are integral to the economic success of any country, generating millions of new jobs in recent years and experiencing significant market growth as business owners tap new technologies to increase brand reach and impact. With recently developed industry standards and regulatory requirements influencing all industries, cyber security compliance has become a mandate for business success.

In this digital era, as the severity and number of cyber-attacks increase, industry standards organizations and governments seek to enforce cyber security by establishing mandatory compliance requirements. However, compliance requirements often lag behind cyber security risk. Therefore, to prepare for dynamic compliance requirements, businesses need a risk-based approach that addresses and mitigates cyber security risk, so that they stay ahead of the evolving requirements.


Think Big while Starting Small

Most of the time start-ups view their IT as inherently safe. After all, the common thinking goes, why would hackers bother with smaller businesses when large-scale operations handle huge volumes of valuable data? Cyber security for start-ups may also take a back seat because of all the mission-critical tasks that require the owners’ attention.

Here’s the hard truth: start-ups are often in the line of fire for digital compromise precisely because they don’t have built-in cyber security controls or well-articulated InfoSec policies.

Since there is a lower chance of attacks being detected, identified and mitigated, attackers looking to test new threat vectors or grab consumer data may target start-ups.

Clearly, start-ups should not ignore risk pertaining to cyber security. A few of the key activities include:

Compliance: From privacy regulations such as HIPAA and GDPR to start-up PCI compliance, our experts ensure your data handling and storage processes meet evolving expectations.

Internal Audits: Periodic internal audits help identify critical gaps between the actual status and the desired compliance status.

Risk Assessments: Regulatory bodies want to ensure that the controls and measures taken by the organisation are sufficient and reasonable for your organization, customers and partners. Many frameworks are available in the market; the organisation needs to choose the right one as per its requirements and then identify acceptable risk. If possible, more than one framework can be used to identify and compare the risks. The organisation shall identify and implement a balanced security strategy, factoring in compliance and safeguards based on its specific business and objectives.

Security Management: Proper security management services help streamline the IT environment and protect the business purpose. They provide management with a holistic view of cyber security compliance.

Incident Response and Remediation: When a breach does occur, organisations need to address the attack immediately, contain it, and remediate the threat. This needs a properly trained, expert incident response team to stop and fix the incident, and an ongoing incident response process and plan to keep data secure.

Vulnerability Assessment and Penetration Testing: Not all vulnerabilities are obvious. Vulnerability assessments and penetration testing help find and secure potential failure points.

Third Party Risk Management (TPRM)/Vendor Risk Management: Vendors and service providers are an integral part of most start-up businesses. Organisations need to ensure that third-party partners are aligned with their risk controls and that all vendors adhere to the desired cyber security compliance requirements.

What are the data breach risks?

Data breaches have become very frequent irrespective of the organisation’s size.

Recent trends indicate that cyber criminals target small businesses that do not have adequate security, in order to gain unauthorized access to data that they can sell on the dark web. Hacking and social engineering attacks focus on exploiting vulnerabilities in servers, systems, networks, software and people to gain entry.

Many small businesses currently lack the necessary resources required to defend against these attacks, which increases the probability that hackers will continue to target them.

Below are the recent data breach trends:

  • One fourth of data breaches involved small businesses.
  • Many breaches involve social engineering that exploits a lack of cyber security awareness among employees.
  • Most breaches were financially motivated.
  • Most breaches were perpetrated by outsiders and script kiddies.
  • About one fourth or more of breaches still take months or longer to discover.

What is cybersecurity compliance and why it is necessary?

Compliance, in general, is the act of being aligned with guidelines, rules, regulations and legislation. In cybersecurity, compliance is a program that establishes risk-based controls to protect the confidentiality and integrity, and ensure the availability, of information stored, processed or transferred.

Cyber security compliance is often not a stand-alone compliance; it is based on multiple standards or regulations that an industry must adhere to. Different standards can create uncertainty and surplus work for organizations using a checklist-based approach.

For example, an e-commerce organisation needs to meet PCI DSS (Payment Card Industry Data Security Standard) if it accepts payments through a POS (Point-of-Sale) device; it also needs to adhere to HIPAA (Health Insurance Portability and Accountability Act) for its employees’ health information. If this organisation serves European customers, it must also be compliant with GDPR (General Data Protection Regulation).

What Data is subject to cybersecurity compliance? 

Cybersecurity and data protection laws and regulations primarily focus on the protection of sensitive data, such as:

Financial Information, e.g. credit card numbers, card PIN numbers, bank account numbers, etc.

Personally Identifiable Information (PII), e.g. first and last name, address, date of birth, etc.

Protected Health Information (PHI), e.g. medical history, records of admissions, prescription records, etc.

Other sensitive data that may be subject to state, regional, or industry regulations includes:

  • IP addresses
  • Email addresses, usernames, and passwords
  • Personal email contents
  • Personal messages
  • Authenticators, including biometrics such as fingerprints, voiceprints, and facial recognition data
  • Marital status
  • Race
  • Religion

Step by Step Cybersecurity Compliance Program

Creation of a Compliance Team

For every business, irrespective of size, a compliance team is compulsory. Since organizations, mainly start-ups, continue to move their business-critical operations to the cloud, there is a need for an interdepartmental workflow and communication across business and IT departments.

Define the Scope

Identify and define a clear scope, which includes business processes, information systems, legal requirements, contractual requirements, etc.

Identify and Establish a Risk Management Process

RISK IDENTIFICATION

Identify all information assets and information processing systems, networks, servers, and data that they access.

RISK ASSESSMENT

Review the risk level of each data type. Identify where high-risk information is stored, transmitted, and collected and rate the risk of those locations accordingly.

ANALYZE RISK

After assessing risk, you need to analyze risk. Traditionally, organizations use the following formula:

Risk = (Likelihood x Impact)

SET RISK ACCEPTANCE /TOLERANCE LEVEL

After analyzing the risk, you need to determine whether to transfer, treat, accept, or reduce the risk.
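A worked version of the identify, assess, analyze and set-tolerance steps above, added here as an example in Python (it is not code from the article): each row of a small risk register is scored with the article’s Risk = Likelihood x Impact formula and then mapped to accept, reduce or transfer against an acceptance level. The 1 to 5 scales, the tolerance value of 6, the decision thresholds and the sample register are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed ordinal scales (1 to 5) for the two factors of the article's formula.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One row of the risk register."""
    asset: str       # information asset or processing system (risk identification)
    data_type: str   # kind of data stored, transmitted or collected there (risk assessment)
    threat: str      # scenario being rated
    likelihood: str  # a key of LIKELIHOOD
    impact: str      # a key of IMPACT

    @property
    def score(self) -> int:
        """Risk = Likelihood x Impact, the formula the article gives."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def decide_treatment(risk: Risk, tolerance: int) -> str:
    """Choose among the options the article names once the score is known.

    Decision rule assumed for this example:
      score within tolerance            -> "accept"
      above tolerance, impact < severe  -> "reduce" (treat with controls)
      above tolerance, impact severe    -> "transfer" (e.g. insurance or an
                                           outsourced provider for the residual risk)
    """
    if risk.score <= tolerance:
        return "accept"
    if IMPACT[risk.impact] >= IMPACT["severe"]:
        return "transfer"
    return "reduce"


def treatment_plan(register: list[Risk], tolerance: int) -> list[tuple[str, int, str]]:
    """Return (asset, score, treatment) for each risk, highest score first,
    so the compliance team works the register from the top."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.asset, r.score, decide_treatment(r, tolerance)) for r in ranked]


def risks_by_treatment(register: list[Risk], tolerance: int) -> dict[str, list[str]]:
    """Group asset names by the treatment chosen for them."""
    groups: dict[str, list[str]] = {"accept": [], "reduce": [], "transfer": []}
    for asset, _score, treatment in treatment_plan(register, tolerance):
        groups[treatment].append(asset)
    return groups


# Constructed sample register for a small e-commerce start-up (not from the article).
SAMPLE_REGISTER = [
    Risk("checkout web server", "card data (PCI DSS scope)",
         "exploitation of an unpatched web application", "likely", "severe"),
    Risk("HR laptop", "employee PHI", "theft of an unencrypted laptop", "possible", "major"),
    Risk("marketing mailing list", "email addresses", "list scraped by a bot", "likely", "minor"),
    Risk("office printer", "none", "firmware fault causing downtime", "unlikely", "negligible"),
]
TOLERANCE = 6  # assumed acceptance level: a score of 6 or below is accepted

if __name__ == "__main__":
    for asset, score, treatment in treatment_plan(SAMPLE_REGISTER, TOLERANCE):
        print(f"{score:2d}  {treatment:8s}  {asset}")
```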

Implement Controls

Once a risk is identified, treat it based on your risk tolerance: you need to determine how to mitigate or transfer it. Controls can include:

  • VPNs
  • Access Management
  • Firewalls
  • Employee training
  • Encryption
  • Password policies
  • Network security
  • Third Party/Vendor risk management program

Create Policies

Document policies and procedures for your compliance activities and controls. These policies act as the foundation for any internal or external audit.

Continuously Monitor, Respond, and Improve

Continuous monitoring helps identify new gaps in the cybersecurity compliance program, so that weaknesses in the information systems and processes can be reduced and security strengthened. Organizations need to regularly update all their systems in order to avoid any kind of data breach.

Cyber security is a constantly evolving field: cyber criminals always try to find new vulnerabilities in systems and exploit them, and these new vulnerabilities lead to zero-day attacks. Organisations need to monitor their networks and processes in order to identify any suspicious behaviour and contain it immediately. Internal audits and penetration testing are among the most effective ways of doing this.

What are the Benefits of cybersecurity compliance?

There are lots of benefits:

  • It enables you to protect your company’s reputation.
  • It maintains consumer trust and builds customer loyalty by ensuring customers’ sensitive information is safe and secure.
  • It reduces the risk of a data breach, and hence the associated response and recovery costs.
  • It saves organisations from the less-quantifiable costs of a breach such as reputation damage, business interruption and loss of business.
  • It enhances the trust of customers and regulatory bodies in the organisation.
  • Implementing the appropriate safeguards and security measures to protect sensitive customer and employee information strengthens the company’s security posture.
  • It helps to protect intellectual property such as trade secrets, software code, product specifications and other information that gives your company a competitive advantage.

Virtual CISO: A Logical Method to Manage Cyber Security Compliance in Start-ups
http://www.cyberlaws.org/virtual-chief-information-security-officer/ (Sun, 21 Feb 2021 07:03:39 +0000)


In the current era, both big companies and small start-ups use information technology for ease of doing business; however, it also makes them vulnerable to cyber-attacks. So it becomes necessary for them to employ cyber security professionals, e.g. a CISO (Chief Information Security Officer), in order to protect their information assets. It goes without saying that information security activities in any organization consume more resources than ever before. Cyber criminals (hackers) are getting better all the time, and staying ahead of them is getting tougher. It is not just more zero-day attacks by sophisticated criminals; competitors, growth of the organization, increased infrastructure complexity and new compliance requirements also demand more cyber defence staff, adequate time and the right technology to avoid becoming a victim of a cybersecurity breach.

In earlier days, security primarily focused on physical access to facilities and resources, or on adding layers of logical controls to protect business applications and data. However, the security concerns of the present era don’t fit into this traditional mould anymore. Security concerns impact every aspect of an organization’s operations and should be an integral driver of strategic planning, along with every decision about future expansion.

Cyberattacks have become smarter and more sophisticated at exploiting vulnerabilities, and with the availability of many open-source tools it is easier for hackers to launch new attacks every other day. For organizations and start-ups, cyber security shall be a proactive program rather than a reactive one launched at the time of a cyber-attack. Thus, information security is an integral part of organizational strategic growth, just as important as goodwill, financial turnover and product quality.


What are a Chief Information Security Officer (CISO) and a Virtual Chief Information Security Officer (V-CISO)?

The top management team should be aware of the impact a lack of information security has on their organization’s profitability and durability. A shortage of information security in the organization could result in heavy fines for non-compliance, punitive rulings after a finding of liability or negligence, or a loss of customers and partners after a confidence-shattering breach. The risk of underestimating information security is too big to ignore.

In order to address the growing awareness of information security’s importance to strategic planning, many larger organizations and start-ups include a Chief Information Security Officer (CISO) at the executive level. The Chief Information Security Officer is the executive responsible for information security and cyber security compliance in the organization.

Many times, companies cannot afford the cost of their own CISO because of the high salary range. There are situations where organizations, including start-ups, need a CISO, but the budget doesn’t allow for a full-time person in that position.

However, there is a cost-effective alternative. Organizations, especially start-ups, that lack the budget for a full-time CISO can opt for an outsourced solution: the Virtual CISO, or V-CISO.

A Virtual CISO is an information and cyber security expert who draws on years of industry experience to help organizations and start-ups by developing and managing the implementation of the organization’s information security program in order to attain various government and non-government compliances. At a high level, V-CISOs help to build the organization’s security strategy, its implementation and its management.

The organization’s internal security staff may work with and report to the V-CISO in order to strengthen the information security and cyber security framework and make it more effective. In addition, the V-CISO is usually expected to be able to present the organization’s state of information security to the board, management team, auditors or regulators.

Benefits of having a V-CISO

A V-CISO is generally a cybersecurity professional who works on a part-time basis, offering information security services to multiple organizations at a time and working for several over the course of a year. This gives organizations the flexibility to hire a part-time CISO as required.

The V-CISO fills several needs through different types of services, including:

  • Information security and cybersecurity guidance to management executives in order to adhere to compliance guidelines
  • Information security architecture guidance
  • Incident management, including response
  • Governance plans
  • Cyber security readiness assessment
  • Compliance alignment recommendations (for ISO 27001, RBI guidelines for banks and NBFCs, HIPAA, GDPR, PCI-DSS, CCPA and many more)
  • Remediation prioritization
  • Business continuity planning, disaster recovery plans and DR drills
  • Identification of scope and objectives for information security compliance
  • Risk management (risk identification and treatment)
  • Vendor risk management
  • Coordination of audits by regulators or customers

Why does your organization need a Virtual CISO?

If your organization needs more information security compliance-related guidance at the management level, consider whether a V-CISO would be a good option. If you are a start-up and your budget won’t support a CISO, you might need a V-CISO. If any of the scenarios below resemble your situation, your organization might need a Virtual CISO.

  • You are a start-up and are really unaware whether you’re vulnerable to cyber security breaches: If your organization hasn’t yet assessed its information security risk, you might need a V-CISO to initiate and support that process.
  • Your organization has been breached and no one on your team was able to detect the attack: Post-breach investigations and recommendations often lead to remodelling of organizational leadership. One such remodelling is adding an information security member to the executive suite. If this is the case, you might need a V-CISO.
  • You are a start-up dealing with critical customer data: In this case, if you don’t want to hire a full-time CISO, you need a V-CISO in order to safeguard your information assets and avoid high penalties for non-compliance with various regulations.
  • Important or major changes have occurred that could impact security: If your organization is going through a merger or acquisition, security risk should be assessed. Significant outside influences, such as a global pandemic or natural disaster, can impact business continuity as well as information security. If your organization doesn’t have anyone who can provide guidance during these times and ensure security is not compromised, you might need a V-CISO.
  • Your organization wants to share the workload of the existing CISO: Changes to the organization’s scope or environment, including new regulatory compliance requirements, may increase the demands on a CISO beyond their current capacity. If your existing CISO requires a helping hand, you might need a V-CISO.

There could be multiple reasons to have a V-CISO for your organization. An experienced V-CISO will provide valuable guidance and customised solutions as per your organizational needs, and will save you the burden of paying the salary of a full-time CISO.

How to find the right V-CISO?

If you are struggling with your day-to-day information security requirements, a V-CISO would be beneficial to your organization. Once you have decided to have one, the very next step is finding the right one. A good amount of research and investigation can help. Online reviews and existing customers’ feedback can help you find a knowledgeable V-CISO who is a good fit for your organization.

The general process for engaging a V-CISO flows like this:

  • Set up an initial consultation meeting (commonly one hour at no charge).
  • The V-CISO delivers a proposal for the scope of work, including a high-level information security readiness assessment, proposed services and costs.
  • You may accept or reject the proposal, and then move forward.
  • If you decide to engage a V-CISO, negotiate an agreement that meets your requirements. If you need periodic gap and risk assessments and remediation reports, make sure that is explicitly mentioned in the agreement deliverables.
  • An agreement with a V-CISO can be set up on an hourly, monthly or quarterly basis. Make sure that you are getting the services you are paying for.
  • A V-CISO can be an affordable and flexible way of adding extensive information security experience and wisdom to your management team. If a V-CISO is a good fit, it can help your organization identify and safeguard the weak links that could lead to aggressive cyberattacks.

Keywords: CISO, Virtual CISO, VCISO, vCISO, ISO 27001, GDPR, RBI, cyber security, information security, compliance, hackers, cyberattacks.

Cyber Security Dos and Don’ts during COVID-19
http://www.cyberlaws.org/cybersecurity-dos-and-donts-during-covi19/ (Sat, 06 Jun 2020 01:35:55 +0000)

Cyber security has been a matter of concern for organisations for a long time, and on top of that COVID-19 has brought a lot of new challenges to attaining it.

The COVID-19 situation has compelled organisations and individuals to take up measures like social distancing and remote working. Governments and civil administrations are bringing up new ways to ensure that their citizens remain hopeful and stable; new economic plans and relief packages have been announced. While the world is focused on the health and economic threats created by COVID-19, cyber criminals all around the world are without a doubt taking advantage of this crisis.

There is a huge spike in phishing, ransomware and malware attacks, as attackers use COVID-19 to lure employees and customers by impersonating government agencies, brands or other important entities. Such attacks aim to infect more personal computers and phones. Attackers target businesses as well as individuals by getting them to download ransomware disguised as legitimate applications.

Managing cyber security has become more challenging in the work-from-home scenario. Following are the dos and don’ts for employees and individuals.

DOs

  1. DO use hard-to-guess passwords or passphrases. A password should have a minimum of 8 characters, using uppercase letters, lowercase letters, numbers and special characters.
  2. DO create an acronym. An acronym is easy for you to remember but hard for an attacker to guess. For example, pick a phrase that is meaningful to you, such as “My dad’s birthday is 12 December, 1975.” Using that phrase as your guide, you might use Mdbi12/Dec,75 as your password.
  3. DO change your password at a regular interval, within every 30 days. This will make it difficult for a hacker to use your cracked password.
  4. DO use different passwords for different accounts. If one password gets compromised, your other accounts are still safe.
  5. DO pay attention to the mails you receive, watch for phishing traps in email and for the tell-tale signs of a scam. DON’T open mail or attachments from an untrusted source. Whenever you receive a suspicious email, the best thing to do is to delete the message and report it to your manager and Chief Information Security Officer (CISO)/designated security representative.
  6. DO change the default username and password of your Wi-Fi router; remember that wireless is inherently insecure. Avoid using public Wi-Fi hotspots. Use the virtual private network software provided by your organisation to protect the data and the device.
  7. DO keep your system updated; install the updates pushed by your organisation.
  8. DO keep your passwords or passphrases confidential. Never share your passwords with others or write them down. You are responsible for all activities associated with your credentials.
  9. DO keep confidential papers in a proper place at home and destroy them properly before putting them in the dustbin.
  10. DO destroy information properly, e.g. by shredding, when it is no longer needed.
  11. DO back up your critical data to the drives and locations provided by your IT team.
  12. DO keep the antivirus software installed on your PC turned on and updated; never turn it off.
  13. DO avoid printing confidential information on printers other than your own. Always be aware of your surroundings when printing, copying, faxing or discussing sensitive information.
  14. DO keep your work devices either shut down or locked, including any mobile phones you use to check email or make work phone calls.
  15. DO report all cyber incidents and suspicious activity to your reporting manager and CISO/designated security representative.

DON’Ts

  1. DON’T leave sensitive information lying around the home if you live with roommates or young children.
  2. DON’T leave important printouts or portable media containing private information on your desk. Keep them in a safe drawer to reduce the risk of unauthorized disclosure.
  3. DON’T use your official laptops and desktops for personal work. Avoid accessing social networking sites via official systems.
  4. DON’T share any private or sensitive information, such as bank details, credit card numbers, passwords or other private information, on public sites, including social media sites, and DON’T send it through email unless authorized to do so. Always use privacy settings on social media sites to restrict access to your personal information. In a nutshell, avoid sharing too much personal information on social media.
  5. DON’T click on illegitimate links from an unknown or untrusted source. Cyber criminals often use them to trick you into visiting malicious sites and downloading malware that can be used to steal data and damage networks.
  6. DON’T use your private email address to send work-related emails, and vice versa. Not only does it look unprofessional, it also often exposes your official email to unauthorized users.
  7. DON’T share confidential information with unauthorized persons over calls or mail. Voice phishing is a very easy way for an unauthorized person to call and pretend to be an employee or business partner.
  8. DON’T respond to emails and phone calls requesting confidential data.
  9. DON’T ignore patch installation warnings on your systems.
  10. DON’T install unauthorized software on your work computer; use only software authorized by your Information Technology department. Malicious applications often pose as legitimate software.
  11. DON’T plug in portable devices without permission from your Information Technology department. These devices may contain malicious code just waiting to launch as soon as you plug them into a computer.
  12. DO lock your computer (Windows + L) and mobile phone when not in use. This protects data from unauthorized access and use.
  13. DON’T leave devices unattended. Keep all devices, such as laptops and cell phones, physically secured. If your official device is lost or stolen, report it immediately to your manager and ISO/designated security representative.
  14. DON’T leave wireless or Bluetooth services on laptops and mobiles turned on when not in use. Use passwords for Bluetooth and wireless connections. Use these services only in a safe environment.
  15. DON’T use vulnerable video conferencing software.

Cyber security is a mutual responsibility of the organisation and its employees. Each individual plays a crucial role in safeguarding the organisation's critical information assets. The current pandemic has certainly increased the cyber security risk for organisations; however, proper technical measures together with security awareness among employees will help to overcome these issues.

Keywords: COVID-19, pandemic, cyber security, DO’S and DON’TS, password security, Wi-Fi security, hacking, malware, phishing, patch management, antivirus.


CYBER SECURITY CHALLENGES FACED BY FINTECH START-UPS
http://www.cyberlaws.org/cyber-security-challenges-faced-by-fin-tech-start-ups/ (Tue, 26 May 2020 16:22:56 +0000)

In this era of digitization, where every segment of business uses technology to deliver services to customers, the banking and financial industry has transformed its services through financial technology (FinTech).

FinTechs have been providing services such as e-wallets, online and mobile payment systems (Paytm, PayPal, Apple Pay) and virtual stock trading. Recent years have brought a wave of new disruptors that are displacing traditional e-commerce providers. These new FinTech start-ups offer more efficient services, a seamless customer experience and free person-to-person payments.

FinTech can increase profitability and enhance a company's performance while improving customer service. It also gives companies an opportunity to expand their portfolio online while solving industry problems such as credit card processing, money transfers and loan processing.

But not everything is smooth in the FinTech business. There are cyber security challenges and risks associated with it that every FinTech start-up should be aware of.

WHAT IS FINTECH?

FinTech is the abbreviation for Financial Technology, which aims to compete with traditional methods of delivering financial services. Many financial institutions treat the term as describing the back end of their business, and sometimes ordinary banking apps are included under it.

FinTech business includes mobile payments, money transfers, loans, crowdfunding, asset management and much more.

In simple words, FinTech is the application of modern technology to traditional financial services and to the management of financial processes in companies and businesses: anything from financial mobile apps and newly installed software to transaction processing and business-model calculations.

Risk in the Financial Sector:

While every individual and organisation worries about information and cyber security, conditions in the financial sector are more critical, and FinTech businesses take the issues more seriously. Recent studies show that banks invest a large share of their funds in designing and implementing security to safeguard themselves from cybercriminals.

Further areas of concern include cloud-based technologies, mobile updates and system upgrades. These findings show that cyber security is the most important risk that FinTech companies face.

CYBERCRIME AND CYBER SECURITY IN THE FINTECH LANDSCAPE

As FinTech start-ups and companies continue to disrupt the global financial landscape, a peculiar feature and perhaps their biggest advantage is that they are not held back by law, regulation or legacy systems. They are also more aggressive, more agile and more willing to explore and make risky choices. But this total dependence on technology, combined with an adventurous attitude to delivering financial services, may also be their greatest weakness.

FINTECH FIRMS FACE CYBER SECURITY CHALLENGES IN THE FOLLOWING AREAS


Application Security

FinTech firms rely mainly on applications that access users' financial profiles to perform real-time transactions. These applications are used by many people, are an increasingly common attack vector, and vulnerable code can be exploited as an entry point into financial networks.

FinTech firms and banks need an application security strategy to protect user data (a VPN protects the network path, not the application itself). This should include secure coding and code review, regular vulnerability scanning with timely patching, and a web application firewall fed with current threat intelligence to identify and mitigate known and unknown threats; a WAF can virtually patch a known vulnerability until the code fix ships, but it does not replace fixing the code.
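As an added illustration of "vulnerable code as an entry point" (this is example code, not from the original article or any named product): the same account look-up written with string concatenation and with a parameterized query, run against an in-memory SQLite table of constructed sample accounts. A classic injection payload makes the vulnerable version return every row; the hardened version treats the same input as plain data. The table, column names and the username policy are assumptions for the demo.

```python
"""Added example: SQL injection in an account look-up, vulnerable vs. hardened.
Sample accounts below are constructed for the demo, not real customer data."""
import re
import sqlite3

# Constructed sample data (assumption: a minimal 'accounts' table).
SAMPLE_ACCOUNTS = [
    ("alice", "ACC-1001", 2500.00),
    ("bob", "ACC-1002", 120.50),
]

# A classic tautology payload: closes the string literal and ORs in a true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, account_no TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def balance_vulnerable(conn, username):
    """Builds SQL by concatenation: attacker-controlled text becomes SQL syntax."""
    sql = (
        "SELECT account_no, balance FROM accounts WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def balance_hardened(conn, username):
    """Parameterized query: the driver binds username as data, never as SQL."""
    sql = "SELECT account_no, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username):
    """Defence in depth: an allowlist (assumed policy) rejects the payload
    before it ever reaches the database layer."""
    return re.fullmatch(r"[a-z0-9_]{3,32}", username) is not None


def demo():
    """Run both variants with a normal username and with the injection payload."""
    conn = make_db()
    return {
        "vulnerable_normal": balance_vulnerable(conn, "alice"),
        "vulnerable_attack": balance_vulnerable(conn, PAYLOAD),  # leaks all rows
        "hardened_normal": balance_hardened(conn, "alice"),
        "hardened_attack": balance_hardened(conn, PAYLOAD),      # returns nothing
        "payload_passes_allowlist": is_valid_username(PAYLOAD),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point a reviewer should take from the two functions is that the fix is structural (parameter binding, plus an input allowlist at the edge), not a filter on the payload string; a WAF in front of `balance_vulnerable` would at best hide the symptom.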

Network and Cloud Security

Like other organisations, many FinTech firms use cloud services to obtain consistent, scalable performance with lower upfront costs rather than building a traditional network. However, cloud infrastructure must be secured differently from a data center or traditional network. Banks and FinTech firms must ensure that the security standards they apply to their own networks are also applied in the cloud.

Along with detection and prevention, this security must be dynamically scalable and adaptable so that it can grow seamlessly alongside cloud use. To secure financial data, FinTech firms also need cloud access security controls (for example a cloud access security broker) together with internal segmentation, which improves data visibility while aligning with industry security standards.

Inadequate Threat Intelligence

Threat intelligence is another challenge for FinTech firms: an integrated defense needs automated threat intelligence to become a holistic system. As FinTech firms and banks enter partnerships, it becomes impossible for IT teams to gather and assess all of this threat intelligence manually and promptly. Automation, artificial intelligence and machine learning will be integral to this process.

Cyber criminals already use automation to make attacks more persistent and effective. Likewise, artificial intelligence, machine learning and automation integrated into network security tools enable detection and prevention of attacks in near real time, allowing organizations to keep pace with attackers.

LACK OF WELL-ESTABLISHED SECURITY PROTOCOLS

One of the most significant issues FinTech start-ups face is selecting the right security mechanisms, such as the protocols used to encrypt data in transit. With inadequate protocols, data is easily exposed, leaving companies vulnerable to attack.

Tunneling protocols used in VPNs are a common way of encrypting FinTech data in transit. Some of the best-known are:

  • Internet Protocol Security (IPsec).
  • Point-to-Point Tunneling Protocol (PPTP).
  • Layer Two Tunneling Protocol (L2TP).
  • Internet Key Exchange version 2 (IKEv2).
  • Secure Socket Tunneling Protocol (SSTP).

These protocols provide different levels of protection and secure traffic in different ways, and they are not interchangeable: PPTP's authentication and encryption (MS-CHAPv2 with RC4-based MPPE) are broken and it should not be used; L2TP provides no encryption of its own and is only safe when combined with IPsec (L2TP/IPsec); IKEv2 is the key-exchange component of a modern IPsec VPN; and SSTP carries the tunnel over TLS. FinTech firms should become familiar with the different protocols and how to use them within a virtual private network, and should remember that a VPN protects data only in transit, not against flaws in the application itself. This matters especially in a financial environment where cyber threats are constant and ongoing.

ADDRESSING VULNERABILITIES IN INFORMATION TECHNOLOGY SYSTEMS

Integration of multiple systems and technologies leads to multiple vulnerabilities. Two systems that were not designed at the same time by the same developers often have compatibility issues and security gaps. Engineers integrating two different systems frequently do not know how the other system works, which makes identifying vulnerabilities at the interface harder.

Cyber criminals exploit these vulnerabilities to gain access to the system.

Many attackers gain access to applications and networks because of improper configuration during installation (default credentials, unnecessary services left enabled, permissive access rules). Other common techniques include spear-phishing, where people open targeted emails and download malicious attachments or enter confidential information into fake websites to which they are redirected. It is therefore important for FinTech start-ups to raise awareness of these risks and to educate newly banked customers in digital and financial literacy, teaching them best practices for staying secure when transacting online.

LACK OF COMPLIANCE REGULATIONS RELATED TO CYBER SECURITY

Growth in FinTech is happening fast. FinTech start-ups are flexible enough to adapt rapidly alongside consumer demand. They are flexible and quick partly because they are not subject to the same regulatory rules as traditional financial services; in many places few regulations specifically control the way start-ups conduct their business. This makes FinTech firms vulnerable, because they can sacrifice cyber security in order to capture the market as fast as possible.

FinTech companies collect and store personal information, so they need to safeguard customer data, and the way they protect it is a further challenge. Many FinTech firms have adopted bank-level security measures and fine-tuned them for their digital platforms.

Use of secure applications, regular vulnerability assessments of networks and applications, timely patching, and Transport Layer Security (TLS; the older SSL protocol it replaced is deprecated and should be disabled) for data in transit are musts for enhancing cyber security. FinTechs can adopt ISO/IEC 27001:2013 (ISMS) for overall security governance.

There is a need for strong regulation that would push start-ups to invest some of their venture capital in security. As the FinTech industry grows, so should its defences against breaches.

HOW TO RECOVER A HACKED WORDPRESS WEBSITE?
http://www.cyberlaws.org/how-to-recover-hacked-wordpress-website/ (Sun, 24 May 2020 22:48:48 +0000)

RECOVER HACKED WORDPRESS WEBSITE

Apart from taking backups of your website, you should take steps to secure it from the start, because attackers will keep looking for a way into your file structure.

Securing the site early avoids many future attacks. But if your website has already been hacked, or you are unable to view it, follow these steps.

Step 1 – Locate the problem

Typical signs that the site has been compromised are:

  • You cannot log into your WordPress admin panel (yourwebsite.com/wp-admin)
  • Your website redirects visitors to a different URL
  • Google has flagged your website as unsafe (the red warning screen)

Step 2 – Contact your hosting service provider

Many hosting providers offer support for hacked websites, but budget hosting plans often do not cover this kind of problem.

The hosting provider can run a security check on your website and tell you whether it has been compromised.

Contact them before making any changes to the website!

Step 3 – Restore your backup

If you take regular backups of your website, restore it to a known-clean version taken before the compromise.

Remember that the restored copy still contains the weakness that was exploited in the first place. Apply the security hardening steps immediately after restoring, so the site is not attacked the same way again.


Step 4 – Change your login credentials

Now that you have restored your backup, change your login credentials immediately (WordPress admin accounts, and also the database, FTP/SFTP and hosting control panel passwords, since an attacker with file access can read them from wp-config.php) so that the attacker cannot simply log back in.

Step 5 – Install security plugins

There are many security plugins available online; one widely used option is the Sucuri Security WordPress plugin, which helps protect your website from further attacks.
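The steps above tell you to locate the problem and to restore a clean copy, but a hosting provider's check and a restore both go better when you know which files the attacker touched. The following triage scanner is an added example, not code from the original article or from any plugin: given a WordPress document root it flags PHP files inside wp-content/uploads (which should only hold media), files containing obfuscated-execution patterns such as eval(base64_decode(...)), and files modified within the last few days. The directory layout, file contents and the seven-day window are constructed assumptions for the demo.

```python
"""Added example: a small compromise-triage scanner for a WordPress tree.
The demo site built by build_demo_site() is constructed for illustration."""
import os
import re
import tempfile
import time

# Patterns commonly seen in PHP web shells / injected code (assumption: a
# starting list, not an exhaustive one).
SUSPICIOUS_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode", re.I),
    re.compile(rb"eval\s*\(\s*gzinflate", re.I),
    re.compile(rb"preg_replace\s*\(\s*['\"].*?/e['\"]", re.I),   # deprecated /e executes code
    re.compile(rb"\$_(?:GET|POST|REQUEST)\[[^\]]+\]\s*\(", re.I),  # user input called as a function
]
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def scan_wordpress(root, recent_days=7, now=None):
    """Walk the document root and return sorted (indicator, relative_path) tuples."""
    now = time.time() if now is None else now
    uploads = os.path.join(root, "wp-content", "uploads")
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # 1. Executable code where only media belongs.
            if name.lower().endswith(PHP_EXTENSIONS) and path.startswith(uploads + os.sep):
                findings.append(("php_in_uploads", rel))
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            # 2. Obfuscated execution patterns anywhere in the tree.
            if any(p.search(data) for p in SUSPICIOUS_PATTERNS):
                findings.append(("obfuscated_code", rel))
            # 3. Anything changed recently; compare with your last legitimate deploy.
            if now - os.path.getmtime(path) < recent_days * 86400:
                findings.append(("recently_modified", rel))
    return sorted(findings)


def build_demo_site():
    """Create a throwaway WordPress-like tree: clean files dated 30 days ago
    and one freshly dropped web shell inside uploads. Returns the root path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    old = time.time() - 30 * 86400
    demo_files = {  # constructed contents; None mtime = leave as 'now'
        "wp-config.php": (b"<?php define('DB_NAME', 'wp'); ?>", old),
        "wp-includes/class-wp.php": (b"<?php class WP {} ?>", old),
        "wp-content/themes/twentytwenty/functions.php": (b"<?php add_action('init', 'setup'); ?>", old),
        "wp-content/uploads/2020/05/photo.jpg": (b"\xff\xd8\xff\xe0 jpeg bytes", old),
        "wp-content/uploads/2020/05/shell.php": (b"<?php eval(base64_decode($_POST['c'])); ?>", None),
    }
    for rel, (content, mtime) in demo_files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for indicator, rel in scan_wordpress(build_demo_site()):
        print(f"{indicator:18} {rel}")
```

Run it against a real document root with `scan_wordpress("/var/www/html")` (path assumed) before contacting the host, and keep the list: it tells the provider where to look, and after the restore in Step 3 a second run should come back empty. Recently modified core files are best confirmed against a fresh copy of the same WordPress version rather than by eye.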
