Start-ups are integral to  economic success of any country, generating  millions new jobs in recent years and experiencing significant market growth as business owners tap new technologies to increase brand reach and impact. With the recently developed industry standards and regulatory requirements influencing all industries, cyber security compliance becomes a mandate for business success.

In this digital era, as the severity and number of cyber-attacks increases, industry standards organizations and governments seek to enforce cyber security by establishing mandatory compliance requirements. However, compliance requirements often lag behind cyber security risk. Therefore, to prepare for dynamic compliance requirements, businesses need to have a risk based approach which includes addressing and mitigating risk of cyber security so that they can stay ahead of the evolving requirements.

Think Big while Starting Small

Most of the time start-ups view their IT as inherently safe —there is a common thought, after all, why would hackers bother with smaller businesses when large-scale operations handle huge volumes of valuable data? Cyber security for start-ups may also take a back seat because almost all of mission-critical tasks that require owners’ attention.

Here’s the hard truth: Start-ups are often in the line of fire for digital compromise precisely because they don’t have built-in cyber security controls or well-articulated InfoSec policies.

Since there’s a lower chance of attacks being detected, identified and mitigated, attacker/hackers looking to test new threat vectors or grab consumer data may target start-ups

 Clearly, start-ups should not ignore risk pertaining to Cyber security. Few of the key activities includes

Compliance : From privacy regulations such as HIPAA and GDPR to start-up PCI compliance, our experts ensure your data handling and storage processes meet evolving expectations.

Internal Audits : Periodic internal audits are helpful in identifying critical gaps between the actual status and desired compliance status.

Risk Assessments :Regulatory bodies wanted to ensure that controls and measures taken by organisation are sufficient and reasonable to your organization, customers, and partners. There are many frameworks available in the market, organisation need to choose the right one as per their requirements and then identify acceptable risk. If possible more than one framework can be used to identify and compare the risks. Organisation shall identify and implement a balanced security strategy factoring in compliance and safeguards based on their specific business and objectives.

Security management : Proper security management services help streamline IT environment and protect business purpose. It provides a holistic view to the management about cyber security compliance.

Incident Response and remediation : When a breach does occur, organisations need to address the attack immediately, contain it, and remediate the threat. A properly trained, expert incident response team to stop, fix, and an ongoing incident response process and plan to keep data secure.

Vulnerability Assessment and Penetration testing : Not all vulnerabilities are obvious. Vulnerability assessments and penetration testing helps find and secure potential failure points.

Third Party Risk Management (TPRM)/Vendor Risk Management : Vendors or service providers are the integral part of most of the start-up businesses. Organisations need to ensure third-party partners are aligned with your organization’s risk controls. Organisations shall ensure that all the vendors are adhering all the desired requirements pertaining to cyber security compliance.

What are the data breach risks?

Data breaches has become very frequent irrespective of the organisations size.

The recent trends indicate that cyber criminals target small businesses which does not have adequate security to gain unauthorized access to data that they can sell on the dark web. Hacking and social engineering attacks focus on exploiting vulnerabilities in servers, systems, networks, software, and people to gain entry.

Many small businesses currently lack the necessary resources required to defend against these attacks, which increases the probability that hackers will continue to target them.

Below are the recent data breach trends

• One fourth of data breaches involved small businesses.
• Many of breaches include social engineering by exploiting lack of awareness of cyber security among employees.
• Maximum of breaches were financially motivated
• Most of the breaches were perpetrated by outsiders and script kiddies.
• Almost more than one fourth of breaches still take months or more to discover

What is cybersecurity compliance and why it is necessary?

Compliance, in general is the act of being aligned with guidelines, rules, regulations and legislation. In cybersecurity, compliance is a program that establishes risk-based controls to protect the confidentiality, integrity, and ensure availability of information stored, processed, or transferred.

Cyber security compliance is not a stand-alone compliance many a times, it is based on multiple standards or regulations to be adhered by any industry. Sometimes different standards can create uncertainty and surplus work for organizations using a checklist-based approach

For example, an e-commerce organisation needs to meet PCI DSS(Payment Card Industry Data Security Standards) if accepts payments through POS(Point-of Service) device, they also require to adhere HIPPA (Health Insurance Portability and Accountability Act) for their employees health information.If this organisation serves European customers then must be complaint with GDPR (General Data Protection Regulation)

What Data is subject to cybersecurity compliance? 

Cybersecurity and data protection laws and regulations primarily focus on the protection of sensitive data, such as

Financial Informatione.g. credit card numbers, card pin numbers, bank account number etc.

PersonallyIdentifiable Information (PII)e.g.First and last name,address,date of birthetc.

Protected Health Information (PHI)e.g. Medical history, records of admissions, prescription records etc.

Other sensitive datathat may be subject to state, regional, or industry regulations includes:

• IP addresses
• Email addresses, usernames, and passwords
• Personal email contents
• Personal messages
• Authenticators, including biometrics such as fingerprints, voiceprints, and facial recognition data
• Marital status
• Race
• Religion

Step by Step Cybersecurity Compliance Program

€Creation of a Compliance Team

For every business irrespective of size, a compliance team is compulsory. Since organizations mainly start-ups are continue to move their business-critical operations to the cloud, there is a need for an interdepartmental workflow and communication across business and IT departments.

Define the Scope

Identify and define the clear scope which includes business processes, information systems, legal requirements, contractual requirements, etc.

€Identify and Establish a Risk Management Process

RISK IDENTIFICATION

Identify all information assets and information processing systems, networks, servers, and data that they access.

 RISK ASSESSMENT

Review the risk level of each data type. Identify where high-risk information is stored, transmitted, and collected and rate the risk of those locations accordingly.

ANALYZE RISK

After assessing risk, you need to analyze risk. Traditionally, organizations use the following formula:

Risk = (Likelihood x Impact)

SET RISK ACCEPTANCE /TOLERANCE LEVEL

After analyzing the risk, you need to determine whether to transfer, treat, accept, or reduce the risk.

Implement Controls

Once the risk is identified treat the risk based on your risk tolerance, you need to determine how to mitigate or transfer risk. Controls can include:

• VPNs
• Access Management
• Firewalls
• Employee training
• Encryption
• Password policies
• Network security
• Third Party/Vendor risk management program

Create Policies

Document Policies and procedures for your compliance activities and controls. These policies acts as the foundation for any internal or external audits.

Continuously Monitor, Respond, and Improve

Continuous monitoring helps in identify new gaps in the cybersecurity compliance program and hence the weaknesses of the information systems and processes can be reduced to strengthen the security. Organizations need to regularly update all the systems in order to avoid any kind of data breach.

Since cyber security is an innovative method, where cyber criminals always try to find out new vulnerabilities in the systems and exploit it.These new vulnerabilities lead to Zero Day attack. Organisations need to monitor their networks and processes in order to identify any suspicious behavior and content it immediately. Internal audits and penetration testing are most effective ways of internal audits.

What are the Benefits of cybersecurity compliance?

There are lots of benefits:

€Enables you to protect your company’s reputation,

It maintain consumer trust, and build customer loyalty by ensuring  customer’s sensitive information is safe and secure

It reduces the risk of a data breach, hence the associated response and recovery costs.

It saves organisations from the less-quantifiable costs of a breach such as reputation damage, business interruption, and loss of business.

Enhance the trust of customers and regulatory bodies in the organisation

€Implementing the appropriate safeguards and security measures to protect sensitive customer and employee information strengthen company’s security posture.

€ It helps to protect intellectual property such as trade secrets, software code, product specifications, and other information that gives your company a competitive advantage.

Other Links :

CYBER SECURITY CHALLENGES FACED BY FINTECH START-UPS

During the current era, both big companies and small start-ups, are using Information Technology for ease of doing business, however it makes them vulnerable for Cyber-attacks. So, it becomes necessary for them to use Cyber security professionals e.g. CISO (Chief Information Security Officer) in order to protect information assets. ,It goes without saying  that information security activities in any organization consume more resources than ever before. Cyber criminals (Hackers) are becoming better all the time, and staying ahead of them is getting tougher. However, it’s not just more zero-day attacks by sophisticated criminals; competitors, growth of the organization, elevated infrastructure complexity and new compliance requirements also desire more cyber defence staff, adequate time and right technology to avoid becoming a victim of a cybersecurity breach.

In earlier days security was primarily focused on physical access to facilities and resources, or adding layers of logical controls to protect business application and data. However, security concerns of the present era don’t fit into this old traditional way anymore. Security concerns impact every aspect of an organization’s operations and should be an integral driver of strategic planning, along with all decision for future expansions.

Since cyberattacks have become smarter and more sophisticated at exploiting vulnerabilities, with the availability of many open-source tools it is easier for hackers to launch new attacks every other day. For the organizations and start-ups cyber security shall be a proactive program rather than a reactive which is to be launched at the time of cyber-attack. Thus, information security is an integral part of organizational strategic growth. It is just as important as goodwill, financial turnovers and product quality.

What is Chief Information Security Officer(CISO) and Virtual Chief Information Security Officer(V-CISO) ?

Top management team should be aware of the impact of lack of information security on their organization’s profitability and durability. A shortage of information security in the organization could result in heavy fines for non-compliance, punitive rulings after finding liability or negligence, or a loss of customers and partners after a confidence-shattering breach. There is a big risk of underestimating information security and it is too big to ignore.

In order to address the growing awareness of information security’s importance to strategic planning, many larger organizations and start-ups include a Chief Information Security Officer (CISO) at the executive level. Chief Information Security Officer is the executive who is responsible of Information security and cyber security compliance in the organization.

Many a times companies cannot afford the cost of having own CISO because of the huge salary range. There are situations where the organizations including start-ups need a CISO , but the budget doesn’t allow for a full-time person in that position.

However, there is a cost effective alternative. Organizations specially start-ups that lack the budget for a full time CISO can opt for an outsourced solution: The Virtual CISO, or V-CISO.

A Virtual-CISO is a information and cyber security expert who uses the expertise  of his/her years of industry experience to help organizations and start-ups  by developing and managing the implementation of the organization’s information security program in order to attain various government and non-government compliances. At a high level, V-CISOs help to build the organization’s security strategy, implementation and its management as well.

Organization’s internal security staff may work and report to V-CISO in order to strengthen the information security and cyber security framework and make it more impactful. In addition to this, the V-CISO is usually expected to be able to present the organization’s state of information security to an organization’s board, management team, auditors, or regulators.

Benefits of having a V-CISO

A V-CISO is generally a cybersecurity professional who works part-time basis offering information security services to multiple organizations at a time, working for several throughout any year. This gives organizations a flexibility to hire part-time CISO on requirement basis.

The V-CISO fills several needs through different types of services, including:

• Information Security and Cybersecurity guidance to management executives in order to adhere compliance guidelines
• Information Security architecture guidance
• Incident management including response
• Governance plans
• Cyber Security readiness assessment
• Compliance alignment recommendations (for ISO 27001,RBI Guidelines for banks ,NBFC, HIPAA, GDPR, PCI-DSS, CCPA and may more)
• Remediation prioritization
• Business Continuity Planning and Disaster Recovery Plans and DR drills.
• Identification of scope and objective for the information security compliance
• Risk management (risk identification and treatment)
• Vendor risk management
• Coordination of audits by regulators or customers

Why you organization need a Virtual CISO?

If your organization needs more information security compliance -related guidance at the management level, consider whether a V-CISO would be a good potential option. If you are a a start-up and your budget won’t support a CISO, you might need a V-CISO .If any of the below mentioned scenarios  are similar to  your situation, your organization might need a Virtual -CISO.

• If you are start-up and are really unaware whether you’re vulnerable to cyber security breaches: If your organization hasn’t yet assessed its information security risk, you might need a V-CISO to initiate and support that process.
• Your organization has been breached and no one from your team was able to detect the attack: Post-breach investigations and recommendations often lead to organizational leadership remodelling. One of those remodelling includes information security member of the executive suite. If this is the case, you might need a V-CISO.
• If you are a start-up dealing with critical customer data: In this case if you don’t want to hire a full time CISO, you need to have a V-CISO in order to safeguard your information assets and avoid high penalties because of non-compliance of various regulations
• Important or major changes have occurred that could impact security: If your organization is having mergers or acquisition, security risk should be assessed. Any significant outside influences, such as a global pandemic or natural disaster, which could impact business continuity as well all information security. If your organization doesn’t have anyone who can guide during these times and ensure security is not compromised you might need a V-CISO.
• If your organization wanted to share the workload for the existing CISO: Changes to the organization scope or environment, including new regulatory compliance requirements, may increase the demands of a CISO beyond their current capability. If your existing CISO requires helping hand, you might need a V-CISO.

There could be multiple reasons to have a V-CISO for your organization. An experienced V-CISO will provide valuable guidance and customised solutions as per your organizational needs. As well as it will save you from the burden of paying salary of a full-time CISO.

How to find a right V-CISO?

If you are struggling in your day-to-day information security requirements V-CISO would be a beneficial to your organization, and decided to have one. The very next step is how find the right one. A good amount or research and investigation can help you. Online reviews and existing customers feedback can help you to find a good fit, knowledgeable V-CISO for your organization.

The general process for engaging a V-CISO generally flows like this:

• Set up an initial consultation meeting (commonly one hour at no charge)
• The V-CISO delivers a proposal of scope of work including high-level information security readiness, proposed services and costs
• You may accept or reject the proposal, and then moves forward

• If you decide to engage a V-CISO, then negotiate an agreement that meets your requirements. If you need periodic gap and risk assessment and remediate report, make sure that is explicitly mentioned in the agreement deliverables.
• An agreement with a V-CISO can be set up for a hourly, monthly or quarterly basis . Make sure that you are getting the services you are paying for.
• A V-CISO can be an affordable and flexible approach to adding extensive information security experience and wisdom to your management team. If a V-CISO is a good fit, it can help your organization to identify and safeguard the weak links which could lead to aggressive cyberattacks.

#Key words- CISO,Virtual CISO, VCISO,vCISO, ISO 27001,GDPR,RBI, cyber security, information security, compliance, hackers, cyberattacks.

cyber security dos and don’ts during covid 19. Cyber Security has been a matter of concern for the organisations from a long time and on top of it Covid-19 brought lot of challenges to attain the same.

The COVID-19 situation has compelled organisations and individuals to take up security measures like social distancing and remote working. Governments and civil administration are bringing up new ways to ensure that their citizens would remain hopeful and stable. New economic plans, relief packages have been announced by the government. While the world is focused on the health and economic threats created by COVID-19, cyber criminals all around the world without a doubt are taking advantage on this crisis.

There is a huge spike in phishing attacks, ransomware attacks and malware attacks as attackers are using COVID-19 to lure employees and customers by impersonating government agencies, brands or any other important entity.Such attacks are aiming to infect more personal computers and phones. Attackers are targeting businesses as well as individuals by downloading ransomware disguised as legitimate applications.

Managing Cyber Security has become more challenging in the Work from Home scenario. Following are the Do’s and Don’t for employees and individuals.

DO’s

CYBERSECURITY DOS DURING COVI19

1. Use hard-to-guess passwords or passphrases. A password should have a minimum of 8 characters using uppercase letters, lowercase letters, numbers and special characters.
2. Create an acronym. An acronym is easy for you to remember but hard for anhacker attacker to guess. For example, pick a phrase that is meaningful to you, such as “My dad’s birthday is 12 December, 1975.” Using that phrase as your guide, you might use Mdbi12/Dec,75 for your password.
3. DO change your password in a regular interval, within every 30 days. This will make difficult for the hacker to use your cracked password.
4. DO use different passwords for different accounts. If one password gets compromised, your other accounts are still safe.
5. DO pay attention to the mails you receive, phishing traps in email and watch for tell-tale signs of a scam. DON’T open mail or attachments from an untrusted source. Whenever you receive a suspicious email, the best thing to do is to delete the message, and report it to your manager and Chief Information Security Officer (CISO)/designated security representative.
6. DO change your default username and password of your Wi-Fi router, remember that wireless is inherently insecure. Avoid using public Wi-Fi hotspots. Use your organisation provided virtual private network software to protect the data and the device.
7. Always keep your system updates, install the updates pushed by your organisation
8. DO keep your passwords or passphrases confidential. Never share your passwords with others or write them down. You are responsible for all activities associated with your credentials.
9. DO place confidential paper at proper places at home and destruct it properly prior to putting in dustbin.
10. DO destroy information properly eg. by shreddinga, when it is no longer needed.
11. Always backup your critical data to the drives and location provided by your IT Team
12. Never turn off antivirus system installed on your PC and keep it updated.
13. DO avoid printing confidential information outside personal printers. Always be aware of your surroundings when printing, copying, faxing or discussing sensitive information
14. DO keep your work devices are either shut down or locked—including any mobile phones you use to check email or make work phone calls.
15. DO report all cyber incidents and suspicious activity to your reporting manager and CISO/designated security representative.

DON’Ts

CYBERSECURITY DONTS DURING COVI19

1. DON’T leave sensitive information lying around the home if you live with roommates and young children.
2. DON’T leave important printouts or portable media containing private information on your desk. Keep them in a safe place drawer to reduce the risk of unauthorized disclosure
3. DON’T use your official laptops and desktops for personal work. Avoid accessing social networking sites via official systems.
4. DON’T share any private or sensitive information, such as bank details, credit card numbers, passwords or other private information, on public sites, including social media sites, and DON’T send it through email unless authorized to do so. Always use privacy settings on social media sites to restrict access to your personal information. In a nutshell avoid sharing too much personal information on social media.
5. DON’T click on illegitimate links from an unknown or untrusted source. Cyber criminals often use them to trick you into visiting malicious sites and downloading malware that can be used to steal data and damage networks.
6. DON’T use your private email address to send work-related emails and vice versa. Not only does it look unprofessional, but also expose your official email to unauthorized users many a times.
7. DON’T share your confidential information to unauthorized person over call and mail. Voice Phishing is a very easy way for an unauthorized person to call and pretend to be an employee or business partner.
8. DON’T respond to emails and phone calls requesting confidential data.
9. DON’T avoid patch installation warning on your systems.
10. DON’T install unauthorized software on your work computer, use only software authorized by your Information Technology department. Malicious applications often pose as legitimate software.
11. DON’T plug in portable devices without permission from your Information Technology department. These devices may contain malicious code just waiting to launch as soon as you plug them into a computer.
12. DO lock your computer by using (Windows + L)and mobile phone when not in use. This protects data from unauthorized access and use.
13. DON’T leave devices unattended. Keep all devices, such as laptops and cell phones physically secured. If your official device is lost or stolen, report it immediately to your manager and ISO/designated security representative.
14. DON’T leave wireless or Bluetooth services on laptop and mobiles turned on when not in use. Use password for Bluetooth and wireless connections. Use these services only in a safe environment.
15. DON’T use vulnerable video conferencing software

Cyber Security is a mutual responsibility of the organisation and its employees. Each and every individual play a crucial role in safeguarding organisations critical information assets. Current pandemic situation of course has increased the cyber security risk for the organisation, however proper technology measures and security awareness among employees shall certainly help to overcome these issue.

Keywords: COVID-19, pandemic, cyber security, DO’S and DON’TS, password security, Wi-Fi security, hacking, malware, phishing, patch management, antivirus.

#Tags: #COVID, #Workfromhome, #WFH, #compliance, #informationsecurity

Relevant Links

Cyber Security during COVID 19

Cyber Security Challenges by Fin tech

cyber Security Challenges Fintech. This era of digitization and digitization, where every segment of businesses is using technology to provide services to customers, banking and financial industry has transformed their services by financial technology- FinTech.

Fin Tech were providing their services in the form of e-wallets, online and mobile payment systems (Paytm,PayPal, Apple Pay), virtual buying of stocks, etc. But the recent times did bring a bunch of new disruptors that will displace traditional e-commerce providers.Such new FinTechstart-ups are offering more efficient services, seamless customer’s experience, and free person-to-person payments.

FinTechs business can increase profitability and enhance a company’s performance while helping them improve customer service. FinTech also provide an opportunity for companies to expand their portfolio online while solving industry issues such as credit card processing, money transfers, or processing a loan.

But everything is not so smooth with Fintech business. There are few cyber security challenges and risk associated with Fintech business, which every FintechStatups shall be aware of.

WHAT IS FIN TECH?

Fin Tech is the abbreviation used for Financial Technology which aims to compete with traditional method of finance. There are many financial institutions consider this term as backend of their business and sometimes regular banking apps are included in this term.

Fintech business includes mobile payments, money transfers, loans, crowd funding, asset management and many other things.

In simple words-FinTechis the implementation of modern technology in traditional financial services and in the management of financial aspects in various companies and business. Anything from the financial mobile apps and new software installed, processing the money transactions and calculating business models.

Risk in Financial Sector:

Even, in general ,every individual and organisation ,  are worried about information and cyber security , conditions in financial sector is more critical  and fin tech business take the issues more seriously. Some of the recent studies shows that banks are investing a large amount of their funds in designing and implementing security to safeguard themselves from cybercriminals

Few more areas of concern includes cloud based technologies, mobile updates and system upgrades. These findings show that cyber security is the most important risk which the Fin Tech companies are facing.

CYBERCRIME AND CYBER SECURITY IN FINTECH LANDSCAPE

As FinTech start-ups and companies continue to disrupt the global financial landscape, a peculiar feature and perhaps their biggest advantage is that they are not held back or burdened by law, regulations, or existing systems. Also, they are more aggressive, more agile, and more willing to explore and make risky choices. But this total dependence on technology and adventurous attitude to aid financial services delivery may also be their greatest weaknesses.

 

FINTECH FIRMS ARE FACING CYBER SECURITY CHALLENGES  IN FOLLOWING AREAS

Application Security

Fin Tech firms mainly relies on applications that can access users’ financial profiles to perform a variety of real-time transactions. Applications are used by multiple persons and, are an increasingly common attack vector, and vulnerable code can be exploited as an entryway into financial networks.

FinTech firms and Banking companies need to ensure that a secure application security strategy such as a virtual private network is in place to protect user data. This should include a web application firewall enabled with current threat intelligence to identify and mitigate known and unknown threats, as well as to detect and patch vulnerabilities

Network and Cloud Security

Like other organisations, many FinTech firms also utilize cloud services to provide consistent, salable performance with lower upfront costs, rather than the traditional network. However the cloud infrastructure shall be secured differently than a data center or traditional network. Banks and FinTech firms must ensure that the same security standards they apply to their networks are applied in the cloud.

Along with detection and prevention, this security must also be dynamically salable and adaptable to ensure that is can grow seamlessly alongside cloud use. Additionally, in order to secure financial data, FinTech firms need to implement aloud access security, along with internal segmentation to improve data visibility while integrating industry security standards.

Inadequate Threat Intelligence

Threat Intelligence is another challenge for Fin Tech firms, an integrated defense needs to be enabled with automated threat intelligence to become a holistic system. As Fin Tech firms and banks enter partnerships, it will be impossible for IT teams to gather and assess all of this threat intelligence promptly manually. Automation, artificial intelligence and Machine learning will be integral to this process.

Cyber criminals are already leveraging automation to make attacks more persistent and effective. Likewise, artificial intelligence, machine learning and automation integrated into network security tools enable the detection and prevention of attacks in real-time, allowing organizations to keep pace with cyber-criminals.

LACK OF ESTABLISHMENT OF BETTER SECURITY PROTOCOLS

This is one of the most significant issues that Fin Tech start-ups firms face is selecting best security mechanism, like security protocols to enhance encryption data. Inadequate security protocols, data is easily exposed, leaving companies vulnerable to attacks.

Tunneling protocols used in VPNs are effective at encrypting Fin Tech data. Some of the best-known tunneling protocols include:

• Internet Protocol
• Point-to-Point Tunneling Protocol.
• Layer Two Tunneling Protocol.
• Internet Key Exchange version 2.
• Secure Socket Tunneling Protocol.

These tunneling protocols provide different levels of protection and provide security in different ways. Fin Tech should research and become more familiar with the different types of protocols and how to use them within a virtual private network – this is especially true in a financial environment where cyber threats are imminent and ongoing

ADDRESSING VULNERABILITIES IN INFORMATION TECHNOLOGY SYSTEMS

Integration of multiple systems and technologies leads to multiple cyber vulnerabilities. When two systems that are not designed at the same time by the same developers often pose compatibility issues and challenges in security, given the limitations in technology. Technology Engineers face issues while integrating two different systems, sometimes engineers working on different systems doesn’t even know how the other system works and vice versa, which makes identification of vulnerabilities more difficult.

Cyber criminals like hackers exploit these vulnerabilities to gain access to the system.

Many cyber criminals gain access to applications and networks because of improper configuration during installation. There are other techniques that are often used like spear-phishing, where humans mistakenly open spam emails and download malicious attachments or enter confidential information into fake websites to which they are redirected. So this is important for all Fin tech Startups to  raise awareness of cyber criminal risks and educate the newly banked on digital and financial literacy to teach them best practices to ensure security when engaging in financial transactions online.

LACK OF COMPLIANCE REGULATIONS RELATED TO CYBER SECURITY

Rapid growth in happening fast in Fin Tech firms. Fin Tech start-ups are flexible enough to change and adapt to evolve alongside consumer demands, rapidly.They are flexible and quick partly because there are not the same regulatory rules as traditional financial services for them. However, there are no regulations are controlling the way start-ups conduct their business. This is making the Fin Tech firms vulnerable because, they can sacrifice cyber security in order to capture the market as fast as possible.

Fin Tech Companies are collecting and storing personal information, so they needs to safeguard customer data. Further the challenge of is the way they protect this data. Many of Fin Tech firms have adopted bank-level security measures and fine-tuned them for their digital platforms.

Use of secure applications , regular vulnerability assessments on networks and applications , patching the applications on time, using Secure socket Layer(SSL) encryption while transferring the data is the must for enhancing cyber security. Fintech can opt for ISO 27001:2013 (ISMS) for overall cyber security.

There is need of some strong regulation, which would inspire start-ups to invest some of that venture capital money into their security.  As the Fin Tech industry grows, so will their defense against breaches.

Related Articles

CYBER SECURITY CHALLENGES FACED BY FINTECH START-UPS

startups are easy targets. Startup world is filled with examples of data theft and how a beautiful idea just came down thrashing. Startups have a very narrow financial funnel and Startups are weaker targets, in case of any cyber attacks they are unable to handle legal implications and die. Most important is Planning, cybersecurity threats in today’s times can not be ignored. Startups are more vulnerable and this will increase day by day.

• Startups are Easy target or more easily vulnerable  – Large organizations already have procedures or have good infra & spending power to mitigate these threats, but small companies or startups are not so lucky. Cyber crime is increasing day by day and these startup’s are easy targets for them. Basic concern is protecting customer data. It’s all about protecting your digital assets, one of the ways is to use tools for Vulnerable Management.

• Tarnish Reputation  – Basically startups have to be more vigilant  about their reputation, only a single incident in news can tarnish their reputation. Startups business are like planes taking off from the runway, it’s very important to be very vigilant while taking off. Once startups have enough customer base or good investments, then it’s easy to handle.

• Dependency upon Third Party API’s – Most of the startups initially take support of third party API’s due to the fact that it’s impossible to develop API from scratch or the business model is not financially viable hence, third party API’s are the only source, using API means dependency and data exchange and we never know how this is taking place. Recommendation is that some legal documentation should be done before going for this arrangements.

• Less Spending upon IT Infra & Technology  – It’s very important that you select the best IT infra and technology solutions, we are living  in an advanced era, although there are many IT infra solutions available these days which offer services on the basis of bandwidth usage, this actually means Pay as you use. Ie: AWS , Google Storage’s etc These tools have actually made life easier because we are getting the same quality which larger setups are getting and are actually paying on the basis of usage, these advantages were actually not available even a few years back.

• Testing & Performance  – Most of the startups ignore this process called “Testing & Performance”. Although it’s a very important department, in case there is a financial crunch, startups can go for freelancers available at low cost and high quality.

• Lack of Legal know how – We all know startups are betting on new ideas or playing on new technology which might disrupt the market, and it’s not possible that a legal journey would be so simple for the company, hence just starting on mere ideas is not the only important. Analyzing the legal aspect would be a very wise decision. It’s recommended to hire a Cyber laws expert before going forward, this will not only help the company get a second opinion.

• Startups are Less Likely to fight back – Most of the startups have very small small financial backbone or narrow funnel for finances, In incidents like data thefts or legal notices, many startups haven’t even planned these financial aspects or we can say they have not planned for this situations, these incidents actually lose focus on the actual technology which they are working and leave the focus on what the actual idea was resulting in shutting down of startups or moving in wrong direction.

• Less due diligence  – Duedelegence for the idea is very important, a startup team should spend more and more time on this, Managing their resources, Technology aspects, research, IPR, demographic, usage, bandwidth, People, taste etc.   There are the most important aspects in understanding businesses. It’s also important to understand the Cyber Laws, although the world is becoming borderless, the internet has no boundaries, but these cyber laws would be acting as borders for different communities. Hence it’s very important for IT startups to design their  software in a way that is easily configurable according to the change in laws. Scalability not only refers to the tech infra, but also refers to how immediately you change your policies and how easily it is configurable in your software.

Recommendation

Get your Idea Patented 

The Most important aspect of an idea is to get that registered, you again need some attorney and get to read some local or national laws just going to get your idea registered. Although it’s difficult and time consuming but people have come up with innovative ideas to get it mark in the history that they thought for the idea first and small small efforts they did in this direction could save them from losing their idea. 

Cyber Risk Analysis 

Cyber Risk Analysis is the best due diligence which you can start initially, this report will basically touch endpoints where cyber risks are involved. Moreover this gives more insights before taking steps.

Before going for full scalability, have a cyber laws lawyer on your panel.

It’s very important, startups need to have cyber security & Legal advisors on their panel, this will help them analyse local laws and understand the legal implications before taking any steps. This will help companies to do due diligence before going further. 

Keep a cyber security plan always ready in case of emergency response.

In case of data breach or cyberattacks, always be ready with Plan B and try to minimize the risk to customers data, because that will be the only way to safeguard, once this risk is mitigated all other risks seem secondary and will automatically be secured. 

Always be in touch with the regulators or authorities regarding any thefts which you think would be in advance addressed to policy makers.

If you think your product is new and is somewhat governance is needed with public authorities or regulators, always get connected via events with the regulators of industry. You never know  whom you need to connect at the time of crisis.

 Before releasing any version of your product always keep your Terms & conditions, and disclaimer updated and enforced.

The most important part is the disclaimer policy, most of the court cases have fought and won or loose on the basis of Terms & Conditions of usage and Disclaimer. It is strongly recommended that always keep your Policies Updates and keep it reviewed with your legal consultant every time. 

Be proactive in addressing issues with your users. 

Let’s assume, your system is attacked in past months, and you want users to change their passwords asap, don’t hesitate to this announcement, It’s a responsible step, we have seen any automobile companies recalling cars for some defective part, it’s similar to that, you are becoming responsible company trying to save your customers and their data.

Hence by becoming a proactive founder dont let your Startups become  Easy target and vulnerable. SAVE YOUR STARTUP

Related Articles :

CYBER SECURITY CHALLENGES FACED BY FINTECH START-UPS

ISO 27001: ISO 27001 is a standard that is folloVendord for the Information Security Management System (ISMS) of an organization in which, the said company’s compliance status is checked, based on which new policies are created and applied. It’s a mandate in many sectors such as companies involved in the Cyber Security domain.ISMS includes the 3 major elements of cyber security: Confidentiality, Integrity, Availability (CIA).

To ensure compliance to the CIA in terms of ISO 27k1 the companies need to

• Audit
• Assess the risks
• Formulate policies
• Implement policies
• Continuous monitoring & Updates

The departments/processes that go through the above mentioned process are both, IT & Non IT Infrastructure of a company, but the audit of ISO 27k1 is mainly focused on the IT Infrastructure of a company.

ISO 27001 CERTIFICATION:

Being ISO 27001 Certified means, the certification body that you choose for this process (PECB or IRCA), gives you an attested confirmation that your organization is compliant to all the guidelines of ISO 27k1.

Now there are two types of certifications in ISO: Individual / Organization

The process for an Individual certified professional is completely different from that of a Certified Organization, these certified professionals then move on to performing the process of certifying the organization.

INDIVIDUAL

Types of ISO certified Professionals

• Lead Auditor
• Lead Implementer

A lead auditor is the one who is responsible for leading the audit team in an organization. He or she prepares the audit plan, delivers meetings and submits audit report at the end of quarter or year. Conducting audits is the main responsibility of a lead auditor and that needs to be done on a daily basis.

A Lead implementer is the one responsible for bringing the Lead auditor plan into action and makes sure all the policies are implemented and properly controlled.

Process of getting certified

According to PECB, the process for getting ISO 27k1 LA/LI certified is nearly not as lengthy for individuals as it is for the organizations.

Previous experience: minimum 4 years of job experience in IT is crucial, out of which at least 2 years has to be in cyber security.

Training & Examination: After attending 5 days of training in ISO 27k1 LA/LI, in the course outline guided by the certification body of your choice/requirement, you have to submitted a certain examination fee to the certification body, after which, an invoice in your name along with your exam question papers are prepared & sent to the authorized training center for you to attempt the exam.

Certification process: After attempting the certification exam, the candidate fills the certification forms in which they put in the required information, In the back-end the certification body verifies the information given by the candidates and if the compliance is there, the certificate is issued.

INFORMATION TECHNOLOGY (IT) RISK MANAGEMENT

 What is Risk?

Risk is any unwanted event which impact organisation’s objectives to attain business goal.

There are various type of business risk exists in any organisation

• Strategic Risk
• Operational Risk
• Financial Risk
• Compliance Risk

Risk Management is a process of Identifying, analysis and evaluating the organisations risks and then providing appropriate controls in order to mitigate the risk.

What is IT Risk?

In this digital age most of the businesses are using Information Technology. Hence IT is playing very pivotal role in many businesses.

If any organisation use IT to manage their business, it is very important to understand and identify risk related to their information systems and data, then to manage and reduce the risk, and develop a response plan in the case of any IT crisis.

Nowadays business have regulatory and legal compliance obligations in relation to data privacy, electronics transitions and staff training which are the factors which can influence IT Risk Management strategies.

Main IT risks include software and hardware failure, malicious and virus attacks, humanerrors, misconfigurations as well as natural disaster like flood,fire earthquake and cyclones.

General IT Risk

These Risk can be subcategorised further:

• Hardware and software failure – Abuse of rights and Corruption of data ,Electromagnetic radiation ,loss of power supply
• Malware – malicious software designed to disrupt computer operation

• Viruses – computer code that can copy itself and spread from one computer to another, often disrupting computer operations
• Spam, scams and phishing – unsolicited email that seeks to fool people into revealing personal details or buying fraudulent goods
• Human error–error in data processing, data disposal errors, or accidental opening of infected email attachments.

NATURAL DISASTERS SUCH AS FIRE, EARTHQUAKE, CYCLONE AND FLOODS ALSO ACTS AS RISK TO IT INFRASTRUCTURE. IN ABSENCE OF BUSINESS CONTINUITY PLAN, IT MAY LEAD TO DATA LOSS, CORRUPTION IN DATA RECORDS AND UNAVAILABILITY OF IT SERVICES TO THE CUSTOMERS.

How to Manage Information Security Risk?

Management of IT risk involves a series of activities in this chronological order:

• Risk Identification
• Risk Assessment
• Risk Mitigation
• Development of Response Plan
• Review of Risk Management procedures

How to reduce Information Technology Risk?

There are lots of risks and threats on business which can impact IT Operations. Applying appropriate measures will protect the IT system through unauthorised access.

Few steps to improve IT Security

1. Proper access control to computer, servers, networks and Wi-Fi.
2. Using strong password
3. Encryption of critical data
4. Using firewall. IDS ,IPS on the network
5. Update software and antivirus with latest patches.
6. Data backup for all the critical data
7. Information security training and awareness to the staff
8. Using secure software developments processes.
9. Implementing SSL for secure online communication.
10. Last but not the least having Cyber Security Insurance.

 Few famous standards and frameworks which can help organisations to mitigate IT risks are:

• ISO 31000
• COBIT
• COSO
• NIST Risk Management Framework
• ISO 27001
• ISO 27005

For any organisation risk identification is the first step for risk mitigation. An undetected risk is the most dangerous thing, a treatment methodology can be only be implemented once the risk is identified. Organisation need a right approach and skilled workforce to this job.Step by Step risk management process will help organisation’s to mitigate IT related risk and get an effective and efficient IT system to achieve business goals.

CYBER SECURITY WORKSHOPS: AN EFFECTIVE WAY TO UNDERSTAND CYBER RISKS FOR BEGINNERS AND PROFESSIONALS

Workshops has always been a great source of knowledge about the subject. Cyber Security being such a crucial issue nowadays, attending workshops on Cyber security will help the attendees about the Cyber world with respect to their working domain and help them to use the Cyber more effectively and efficiently.

People of all age group and occupation are associated with Cyber nowadays. Everyone in connected through web in their personnel and professional life, however most of the people still doesn’t know the about cyber crimes and risks.

There are certainly many benefits of Cyber Security Workshop’s to different categories:

Students:

Students are nowadays using multiple online platforms to enhance their skillsets. Students will have following benefits

Students can learn about cyber security in Workshops and can learn about various risk scenarios in the personal life and can educate their parents and elders.

Student can understand the career aspect of Cyber Security by leaning different technical concepts.

Young mind is an agile mind, by attending Workshops students can develop new ways of defending cyber-attacks.

Cyber Security is very demanding career nowadays, students can have a foundation of Cyber Security by attending workshops.

Fresher:

Cyber Security workshops can be very helpful in shaping up the career of Fresher’s in the field of Information Technology. If you are a Technology enthusiast and having degree or diploma in Technology, and looking for a job in Cyber security domain, these workshops are very good medium of networking.

There are many benefits of attending the workshop like

In workshops students can meet others with similar interests can, thus can understand the current market requirements and develop the skillsets accordingly.

Cyber Security workshop will give the technical as well as career aspect scenarios to the Fresher’s, wherein they can learn different ways to pursue career in Information and Cyber Security domains.Attending workshops will give you an opportunity to meet people an professionals in the industry and thus can have an opportunity to get a job by developing contacts.

Experienced Professionals:

If you are an experienced professional, then attending Cyber Security workshops will help you in various ways like:

These kind of workshop helps the professionals to understand their responsibility towards organisation’s cyber security. Once you are aware of Cyber Security, you would be able to understand the risk related to Cyber, and thus you will be able to safeguard your organisation from the different risks.

One who is willing to switch his or her career to Cyber Security can attend the workshops to understand the basics of Cyber Security and thus can gradually migrate to the domain if found interesting.

Professional who are already managing Information Technology Infrastructure and applications will learn the different kind scenarios which could be risk for them. Such workshops will help them to implement security in IT infrastructure and application development.

A working professional can inculcate learning of cyber security workshops in their existing job roles, and can mitigate many risk by doing this. In this way one can be helpful to safeguard organisation’s information assets from any kind of internal and external threats

Managers:

Professional who are working as managers have huge responsibilities of the organisation. A manager who is aware of Cyber Security will highlight and mitigate any such risk which could be harmful for the organisation. Cyber Security workshops can be helpful in multiple ways:

By attending these kind of workshops one would definitely understand the importance of cyber security and can implement the same thing within the team and the organisation.

Since awareness and trainings have become mandatory for maintaining Cyber Security and Information Security related compliance. One can show the attendance certification as a proof of attendance.

These kind of workshops would help the Managers to understand any kind of IT reports from any Vendor and one can understand the risk coming from vendors as well, if they are not adhere the Cyber Security principles.

Again, managers can network with other enthusiasts and experts through the workshop and can understand the current risk perspective of the market.

Businessman:

Every business is now a days dependent on Cyber. Everyone is using IT infrastructure and applications for running their business. Cyber Security workshops could be beneficial for Businessman’s because of following factors:

With the help of such workshops businessman will understand the Cyber Security risk which can harm their business and how they can mitigate those risk.

This is a very good medium to understand the Cyber Security and how to enhance the Security of IT infrastructure and application to make them hack proof.

Later on one can develop the Cyber Security framework for their own organisation.Cyber Security workshops helps the business persons to implement the Cyber Security related compliances more effectively because now they can understand the concepts and importance.

So in this way we can say that Workshops, seminars and training camps are very important and useful for any category like children, youth or any elderly man whosoever is using Information technology in their day to day or professional life. There are many free and paid trainings, workshops, seminars and webinars are available where one can either start their Cyber Security journey or any experienced person can enhance their skillsets by attending such events.

These are very good medium of interaction with other people and professionals who can share their knowledge base with you and can be helpful to shape up your career or business. This Information technology world is constantly changing and one needs to be updated all the times, so these workshops are very good medium to do so.

Progressive, Businesses and Educational Institutes   organise workshops for their employees and students time to time. In these events the participants will learn about different kind of attacks which could lead to data leakage. One would come to know about different kind of social engineering attacks like phishing, vishing(voice phishing) and thus will not be the victim of such situations.

# Tags: Freshers, managers, students, experienced professional, businessman,

#Keywords: Cyber Security workshops, seminars, training, information security, risk, compliance, cyber security,