GDPR – Cyberlaws.org | Compliance | Security | Legal
http://www.cyberlaws.org (feed last updated Wed, 22 Sep 2021 05:29:31 +0000)

WHY DATA PRIVACY IS IMPORTANT FOR EVERY ORGANIZATION?
http://www.cyberlaws.org/data-security-is-most-important-requirement-to-the-customers-or-user-if-the-organisation-wants-to-run-a-business-successfully/
Thu, 15 Apr 2021 17:12:41 +0000

What is Data and Data Privacy?

Data security is the most important requirement for customers and users. If an organisation wants to run a business successfully, it needs to give assurance of data protection, so that customers know their data is being collected, processed, and transferred through secure mechanisms. Data is critical for businesses of all sizes, from a small start-up to a global conglomerate, and so is data privacy.

Data is information processed by a computer system and stored on a system known as a server. This information may be in the form of text, images, documents, audio clips, software programs, patents, financial information, secret information, health data, personal information or other types of data.

Every organisation collects data through different mediums, either by traditional methods or by modern digital methods. Be it hospitals, banks, companies or government departments, data is everywhere. Processed data is known as information.

Sometimes a set of data can together form sensitive information. Data privacy is the mechanism for maintaining our privacy online, because information is a highly valuable asset and a sought-after commodity for malicious users and cyber criminals. As an end user it is essential to know what is happening with our online information, what can be done with the data and who can have access to it. Users often give their consent and allow companies to track and store their data, which can have disastrous results, so one should have a say in the matter.

Normally organisations focus on the risks originating from hackers and cyber criminals; however, there is much more to it than this. Protecting your data privacy is as significant as managing your data security.

First and foremost, data privacy is an arm of data security and its motive is to safeguard data from unauthorized access. Data privacy aims at the proper handling of information based on its significance, taking into account:

  • Regulatory requirements and data privacy laws
  • Consent of the data owner
  • Privacy notices
  • The public expectation of privacy

The main objective of data privacy is to safeguard users’ data as per the regulations and users’ rights. The main factors to consider are:

  • How to collect and share the data legally
  • Whether data can be shared with third parties, and identification of the third parties with whom it can be shared
  • Adhering to regulatory compliance and legal limits such as HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation), GLBA (Gramm-Leach-Bliley Act), CCPA (California Consumer Privacy Act), ECPA (Electronic Communications Privacy Act 1986), PIPEDA (Personal Information Protection and Electronic Documents Act) and so on. Different countries have different data protection regulations, and each of these regulations has its own set of rules and legislation pertaining to a specific area, purpose, and type of company or individual.

In a nutshell, this means protection of critical user information, primarily the PII (personally identifiable information) of an individual.

PII consists of:

  • Full name
  • Address
  • Contact details
  • Date of birth
  • Social Security Number
  • Bank account number
  • Driving licence number
  • Other personal information, such as:
    • IP address
    • Profile photo
    • Social media posts
    • Financial information
    • Medical information
    • Location
    • Many more, depending on the applicable regulatory compliance

Importance of Data Privacy and Data Security for Business

  • Data privacy and security help in protecting customers’ data privacy.
  • They help reduce the number of information security incidents, like data breaches, that an organization can suffer.
  • They help in maintaining, improving and retaining the brand value of the business.
  • They safeguard the business from hefty penalties for violating the rules. Regulators impose huge penalties in case of a data breach, which could be a few thousand dollars or a big part of the revenue generated, and the amount differs for various types of data breach incidents.
  • Data sharing will be limited, and identification of third parties would be done in advance according to the risk level of the data.
  • They save organisations from the theft of data by hackers or cyber criminals, which can cause enormous monetary losses.
  • Data privacy limits access to customers’ critical data and hence safeguards the right of customers to be free from uninvited surveillance.
  • They help organisations keep track of their data breach records, so that they can learn lessons and avoid future recurrence.
  • Nowadays most businesses run on customers’ critical data; safeguarding their privacy expectations should be a priority of the organisation.
  • They save organisations from loss of revenue.
  • They also provide competitive advantages to the business.
  • Last but not least, they help in adhering to strict policies on how PII is collected, accessed, protected, and erased.
  • Data security and privacy controls help enhance the company’s reputation and build customer trust.

Importance of Data Privacy for Users

  • It provides assurance against unauthorised access to data.
  • It keeps customers’ personal, health and financial information safe.
  • It generates trust for the customer.
  • It gives the end user or customer a legal right to challenge the company in case of any data breach.
  • Data can only be collected after receiving consent from the users.
  • Companies which collect data provide a data security guarantee to the end user.

Tips and Tricks to help protect your personal data

Data privacy is such an important issue that nowadays many government organizations and companies spend a good part of their revenue each year to help protect their data, which could include your PII (personally identifiable information), from exposure. As an end user you may not be able to implement high-end security solutions to safeguard your personal data; however, there are inexpensive steps you can take to help protect it. Below are a few suggestions:

  • Use strong passwords for your online accounts and avoid using the same password for multiple accounts. Change passwords on a regular basis.
  • Change the default password on your home network devices, especially your Wi-Fi device. A weak password is easy to guess, and any unauthorized person can connect to your network with malicious intent.
  • Avoid clicking on any random link received via mail or message; these can be malicious links which give a cyber-criminal access to your device, allowing them to eavesdrop on your network traffic, including personal data.
  • Never share your personal details like bank account number, credit card details, social security number, Aadhaar card number etc. over a call.
  • Avoid posting your personal details like phone number and address on public platforms unless necessary. This could be very dangerous if accessed by a cyber criminal.
  • Avoid sharing too much personal information on social media platforms.
  • Always use the security settings on social media accounts; you can secure your accounts by changing the privacy settings. Keep your social media accounts in the most private mode in order to avoid disclosure of personal information.
  • Use a VPN (Virtual Private Network) for online activities; however, avoid freeware VPNs for financial transactions.
  • Share your personal details only over websites which use encryption.
  • Carefully shred all personal documents, receipts, bank statements and your courier packaging before discarding them.
  • Use genuine software on your system.
  • Install antivirus and anti-malware software.
  • Always keep the firewall on.

Data protection regulations and laws of different countries are developed and designed in order to maintain the data privacy of the citizens of that particular country. There are many countries where data privacy laws are already in place; however, there are also countries with no such laws. Having a framework for data privacy and security will definitely safeguard critical information. A set of defined roles and responsibilities; network security controls like firewalls, secure configurations, and intrusion detection and prevention systems; monitoring and logging of activities; and proper procedures and processes for conducting activities like access provisioning and de-provisioning, change management, patch management, backup management, privileged access management, physical security management etc. certainly provide a more secure environment for data and information systems. The expectations of, and responsibilities of, third-party service providers also play a critical role in data security. Technical controls should be in line with the organisation’s risk appetite and the relevant regulations.

Although cyber criminals keep inventing new techniques to intrude into networks, using encryption techniques helps by keeping the data in a non-readable format.

Data is the most precious asset for both the organisation and the customer. A vigilant consumer, and an organisation with adequate resources, diligent employees, regular monitoring, proper governance and periodic reviews, can safeguard their information assets and maintain data privacy and security.

Keywords: Data security, data privacy, encryption, cybercriminals, hackers, GDPR, HIPAA, GLBA, CCPA, ECPA, PIPEDA, password protection, network security, patch management.

Cyber Security Compliance for Startups
http://www.cyberlaws.org/cyber-security-compliance-for-startups/
Sun, 21 Feb 2021 17:27:31 +0000

CYBER SECURITY COMPLIANCE FOR START-UPS

Start-ups are integral to the economic success of any country, generating millions of new jobs in recent years and experiencing significant market growth as business owners tap new technologies to increase brand reach and impact. With recently developed industry standards and regulatory requirements influencing all industries, cyber security compliance becomes a mandate for business success.

In this digital era, as the severity and number of cyber-attacks increase, industry standards organizations and governments seek to enforce cyber security by establishing mandatory compliance requirements. However, compliance requirements often lag behind cyber security risk. Therefore, to prepare for dynamic compliance requirements, businesses need a risk-based approach that addresses and mitigates cyber security risk, so that they can stay ahead of the evolving requirements.

Think Big while Starting Small

Most of the time start-ups view their IT as inherently safe; there is a common thought, after all: why would hackers bother with smaller businesses when large-scale operations handle huge volumes of valuable data? Cyber security for start-ups may also take a back seat behind the many mission-critical tasks that require the owners’ attention.

Here’s the hard truth: Start-ups are often in the line of fire for digital compromise precisely because they don’t have built-in cyber security controls or well-articulated InfoSec policies.

Since there is a lower chance of attacks being detected, identified and mitigated, attackers looking to test new threat vectors or grab consumer data may target start-ups.

Clearly, start-ups should not ignore risks pertaining to cyber security. A few of the key activities include:

Compliance: From privacy regulations such as HIPAA and GDPR to PCI compliance for start-ups, our experts ensure your data handling and storage processes meet evolving expectations.

Internal Audits: Periodic internal audits help identify critical gaps between the actual status and the desired compliance status.

Risk Assessments: Regulatory bodies want to ensure that the controls and measures taken by the organisation are sufficient and reasonable for your organization, customers, and partners. There are many frameworks available in the market; an organisation needs to choose the right one as per its requirements and then identify acceptable risk. If possible, more than one framework can be used to identify and compare the risks. Organisations shall identify and implement a balanced security strategy, factoring in compliance and safeguards based on their specific business and objectives.

Security management: Proper security management services help streamline the IT environment and protect the business purpose. It provides management with a holistic view of cyber security compliance.

Incident Response and remediation: When a breach does occur, organisations need to address the attack immediately, contain it, and remediate the threat. This requires a properly trained, expert incident response team to stop and fix the incident, and an ongoing incident response process and plan to keep data secure.

Vulnerability Assessment and Penetration testing: Not all vulnerabilities are obvious. Vulnerability assessments and penetration testing help find and secure potential failure points.

Third Party Risk Management (TPRM)/Vendor Risk Management: Vendors and service providers are an integral part of most start-up businesses. Organisations need to ensure that third-party partners are aligned with the organization’s risk controls, and shall ensure that all vendors adhere to all the desired requirements pertaining to cyber security compliance.

What are the data breach risks?

Data breaches have become very frequent, irrespective of the organisation’s size.

Recent trends indicate that cyber criminals target small businesses which do not have adequate security, in order to gain unauthorized access to data that they can sell on the dark web. Hacking and social engineering attacks focus on exploiting vulnerabilities in servers, systems, networks, software, and people to gain entry.

Many small businesses currently lack the resources required to defend against these attacks, which increases the probability that hackers will continue to target them.

Below are the recent data breach trends:

  • One fourth of data breaches involved small businesses.
  • Many breaches involve social engineering, exploiting the lack of cyber security awareness among employees.
  • Most breaches were financially motivated.
  • Most breaches were perpetrated by outsiders and script kiddies.
  • Around one fourth of breaches still take months or more to discover.

What is cybersecurity compliance and why it is necessary?

Compliance, in general, is the act of being aligned with guidelines, rules, regulations and legislation. In cybersecurity, compliance is a program that establishes risk-based controls to protect the confidentiality and integrity, and ensure the availability, of information stored, processed, or transferred.

Cyber security compliance is often not a stand-alone compliance; it is based on multiple standards or regulations to be adhered to by a given industry. Sometimes the different standards create uncertainty and surplus work for organizations using a checklist-based approach.

For example, an e-commerce organisation needs to meet PCI DSS (Payment Card Industry Data Security Standard) if it accepts payments through POS (Point-of-Sale) devices; it also needs to adhere to HIPAA (Health Insurance Portability and Accountability Act) for its employees’ health information. If this organisation serves European customers, then it must also be compliant with GDPR (General Data Protection Regulation).

What Data is subject to cybersecurity compliance?

Cybersecurity and data protection laws and regulations primarily focus on the protection of sensitive data, such as:

Financial Information, e.g. credit card numbers, card PIN numbers, bank account numbers etc.

Personally Identifiable Information (PII), e.g. first and last name, address, date of birth etc.

Protected Health Information (PHI), e.g. medical history, records of admissions, prescription records etc.

Other sensitive data that may be subject to state, regional, or industry regulations includes:

  • IP addresses
  • Email addresses, usernames, and passwords
  • Personal email contents
  • Personal messages
  • Authenticators, including biometrics such as fingerprints, voiceprints, and facial recognition data
  • Marital status
  • Race
  • Religion

Step by Step Cybersecurity Compliance Program

Creation of a Compliance Team

For every business, irrespective of size, a compliance team is compulsory. Since organizations, mainly start-ups, continue to move their business-critical operations to the cloud, there is a need for an interdepartmental workflow and communication across business and IT departments.

Define the Scope

Identify and define a clear scope, which includes business processes, information systems, legal requirements, contractual requirements, etc.

Identify and Establish a Risk Management Process

RISK IDENTIFICATION

Identify all information assets and information processing systems, networks, servers, and data that they access.

RISK ASSESSMENT

Review the risk level of each data type. Identify where high-risk information is stored, transmitted, and collected, and rate the risk of those locations accordingly.

ANALYZE RISK

After assessing risk, you need to analyze it. Traditionally, organizations use the following formula:

Risk = (Likelihood x Impact)

SET RISK ACCEPTANCE / TOLERANCE LEVEL

After analyzing the risk, you need to determine whether to transfer, treat, accept, or reduce it.
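The four risk steps above (identify assets, assess the data they hold, analyze with Risk = Likelihood x Impact, then compare against a tolerance level) as a small Python risk register. This is an added illustrative example, not code from the cyberlaws.org post; the sample assets, the 1 to 5 likelihood and impact scales, the per-data-type impact ratings and the tolerance threshold of 8 are all assumptions that a real organisation would replace with its own.

```python
"""Risk register for the Identify / Assess / Analyze / Tolerance steps.

Illustrative example, not code from the article. The assets, the 1-5
likelihood and impact scales, the data-type ratings and the tolerance
threshold are constructed assumptions; each organisation sets its own.
"""
from dataclasses import dataclass, field

# Step 2 (Risk assessment): each data type carries an impact rating 1-5.
# Constructed ratings, not taken from the article.
DATA_IMPACT = {
    "PHI": 5,          # Protected Health Information
    "Cardholder": 5,   # card numbers / PINs
    "PII": 4,
    "Credentials": 4,
    "Public": 1,
}


@dataclass
class Asset:
    """Step 1 (Risk identification): an asset and the data types it holds."""
    name: str
    data_types: list
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int = field(init=False)
    risk: int = field(init=False)

    def __post_init__(self):
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.name}: likelihood must be 1..5")
        unknown = [d for d in self.data_types if d not in DATA_IMPACT]
        if unknown:
            raise ValueError(f"{self.name}: unrated data types {unknown}")
        # Impact is driven by the most sensitive data type the asset holds.
        self.impact = max(DATA_IMPACT[d] for d in self.data_types)
        # Step 3 (Analyze): Risk = Likelihood x Impact, as in the article.
        self.risk = self.likelihood * self.impact


def decide(asset, tolerance):
    """Step 4: compare the score against the tolerance level.

    Above tolerance the risk must be treated (reduced) or transferred; at or
    below it the organisation may accept it. Assumed extra rule: an asset
    holding impact-5 data is never simply accepted, whatever the likelihood.
    """
    if asset.risk > tolerance or asset.impact == 5:
        return "treat/transfer"
    return "accept"


def build_register(assets, tolerance=8):
    """Rows (name, likelihood, impact, risk, decision), highest risk first,
    which is the order a remediation plan would work through them."""
    ordered = sorted(assets, key=lambda a: a.risk, reverse=True)
    return [(a.name, a.likelihood, a.impact, a.risk, decide(a, tolerance))
            for a in ordered]


# Constructed sample inventory for a small e-commerce start-up.
SAMPLE_ASSETS = [
    Asset("Public marketing site", ["Public"], likelihood=4),
    Asset("Customer database", ["PII", "Credentials"], likelihood=3),
    Asset("Payment gateway integration", ["Cardholder"], likelihood=2),
    Asset("HR laptop with staff health forms", ["PHI", "PII"], likelihood=3),
]

if __name__ == "__main__":
    for name, lik, imp, risk, action in build_register(SAMPLE_ASSETS):
        print(f"{name:36} L={lik} I={imp} Risk={risk:2}  -> {action}")
```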

Implement Controls

Once the risk is identified, treat it based on your risk tolerance: you need to determine how to mitigate or transfer the risk. Controls can include:

  • VPNs
  • Access Management
  • Firewalls
  • Employee training
  • Encryption
  • Password policies
  • Network security
  • Third Party/Vendor risk management program

Create Policies

Document policies and procedures for your compliance activities and controls. These policies act as the foundation for any internal or external audit.

Continuously Monitor, Respond, and Improve

Continuous monitoring helps identify new gaps in the cybersecurity compliance program, so that weaknesses in the information systems and processes can be reduced and security strengthened. Organizations need to regularly update all their systems in order to avoid any kind of data breach.

Cyber security is a constantly evolving field, where cyber criminals always try to find new vulnerabilities in systems and exploit them. These new vulnerabilities lead to zero-day attacks. Organisations need to monitor their networks and processes in order to identify any suspicious behaviour and contain it immediately. Internal audits and penetration testing are among the most effective ways of achieving this.

What are the Benefits of cybersecurity compliance?

There are lots of benefits:

  • It enables you to protect your company’s reputation.
  • It maintains consumer trust and builds customer loyalty by ensuring customers’ sensitive information is safe and secure.
  • It reduces the risk of a data breach, and hence the associated response and recovery costs.
  • It saves organisations from the less-quantifiable costs of a breach, such as reputation damage, business interruption, and loss of business.
  • It enhances the trust of customers and regulatory bodies in the organisation.
  • Implementing the appropriate safeguards and security measures to protect sensitive customer and employee information strengthens the company’s security posture.
  • It helps protect intellectual property such as trade secrets, software code, product specifications, and other information that gives your company a competitive advantage.

VIRTUAL CISO - A Logical method to manage Cyber security compliance in Start-ups
http://www.cyberlaws.org/virtual-chief-information-security-officer/
Sun, 21 Feb 2021 07:03:39 +0000

During the current era, both big companies and small start-ups are using Information Technology for ease of doing business; however, it also makes them vulnerable to cyber-attacks. So it becomes necessary for them to employ cyber security professionals, e.g. a CISO (Chief Information Security Officer), in order to protect information assets. It goes without saying that information security activities in any organization consume more resources than ever before. Cyber criminals (hackers) are getting better all the time, and staying ahead of them is getting tougher. However, it is not just more zero-day attacks by sophisticated criminals; competitors, growth of the organization, elevated infrastructure complexity and new compliance requirements also demand more cyber defence staff, adequate time and the right technology to avoid becoming the victim of a cybersecurity breach.

In earlier days security was primarily focused on physical access to facilities and resources, or on adding layers of logical controls to protect business applications and data. However, the security concerns of the present era don’t fit into this old traditional way anymore. Security concerns impact every aspect of an organization’s operations and should be an integral driver of strategic planning, along with all decisions about future expansion.

Cyberattacks have become smarter and more sophisticated at exploiting vulnerabilities, and with the availability of many open-source tools it is easier for hackers to launch new attacks every other day. For organizations and start-ups, cyber security shall be a proactive program rather than a reactive one launched at the time of a cyber-attack. Thus, information security is an integral part of organizational strategic growth. It is just as important as goodwill, financial turnover and product quality.

What are a Chief Information Security Officer (CISO) and a Virtual Chief Information Security Officer (V-CISO)?

The top management team should be aware of the impact of a lack of information security on their organization’s profitability and durability. A shortage of information security in the organization could result in heavy fines for non-compliance, punitive rulings after a finding of liability or negligence, or a loss of customers and partners after a confidence-shattering breach. The risk of underestimating information security is too big to ignore.

In order to address the growing awareness of information security’s importance to strategic planning, many larger organizations and start-ups include a Chief Information Security Officer (CISO) at the executive level. The Chief Information Security Officer is the executive who is responsible for information security and cyber security compliance in the organization.

Many times companies cannot afford the cost of having their own CISO because of the high salary range. There are situations where organizations, including start-ups, need a CISO, but the budget doesn’t allow for a full-time person in that position.

However, there is a cost-effective alternative. Organizations, especially start-ups, that lack the budget for a full-time CISO can opt for an outsourced solution: the Virtual CISO, or V-CISO.

A Virtual CISO is an information and cyber security expert who uses his or her years of industry experience to help organizations and start-ups by developing and managing the implementation of the organization’s information security program, in order to attain various government and non-government compliances. At a high level, V-CISOs help to build the organization’s security strategy, its implementation and its management.

The organization’s internal security staff may work with and report to the V-CISO in order to strengthen the information security and cyber security framework and make it more impactful. In addition, the V-CISO is usually expected to be able to present the organization’s state of information security to the board, management team, auditors, or regulators.

Benefits of having a V-CISO

A V-CISO is generally a cybersecurity professional who works on a part-time basis, offering information security services to multiple organizations at a time and working for several throughout any year. This gives organizations the flexibility to hire a part-time CISO on an as-needed basis.

The V-CISO fills several needs through different types of services, including:

  • Information security and cybersecurity guidance to management executives in order to adhere to compliance guidelines
  • Information security architecture guidance
  • Incident management, including response
  • Governance plans
  • Cyber security readiness assessment
  • Compliance alignment recommendations (for ISO 27001, RBI guidelines for banks and NBFCs, HIPAA, GDPR, PCI-DSS, CCPA and many more)
  • Remediation prioritization
  • Business continuity planning, disaster recovery plans and DR drills
  • Identification of scope and objectives for information security compliance
  • Risk management (risk identification and treatment)
  • Vendor risk management
  • Coordination of audits by regulators or customers

Why does your organization need a Virtual CISO?

If your organization needs more information security compliance-related guidance at the management level, consider whether a V-CISO would be a good option. If you are a start-up and your budget won’t support a CISO, you might need a V-CISO. If any of the scenarios mentioned below are similar to your situation, your organization might need a Virtual CISO.

  • You are a start-up and are really unaware whether you are vulnerable to cyber security breaches: If your organization hasn’t yet assessed its information security risk, you might need a V-CISO to initiate and support that process.
  • Your organization has been breached and no one on your team was able to detect the attack: Post-breach investigations and recommendations often lead to a remodelling of organizational leadership. One such remodelling is adding an information security member to the executive suite. If this is the case, you might need a V-CISO.
  • You are a start-up dealing with critical customer data: In this case, if you don’t want to hire a full-time CISO, you need a V-CISO in order to safeguard your information assets and avoid high penalties for non-compliance with various regulations.
  • Important or major changes have occurred that could impact security: If your organization is going through a merger or acquisition, the security risk should be assessed. Any significant outside influence, such as a global pandemic or natural disaster, could impact business continuity as well as information security. If your organization doesn’t have anyone who can guide it during these times and ensure security is not compromised, you might need a V-CISO.
  • Your organization wants to share the workload of the existing CISO: Changes to the organization’s scope or environment, including new regulatory compliance requirements, may increase the demands on a CISO beyond their current capacity. If your existing CISO requires a helping hand, you might need a V-CISO.

There could be multiple reasons to have a V-CISO for your organization. An experienced V-CISO will provide valuable guidance and customised solutions as per your organizational needs, and will save you the burden of paying the salary of a full-time CISO.

How to find the right V-CISO?

If you are struggling with your day-to-day information security requirements, a V-CISO would be beneficial to your organization. Once you have decided to have one, the very next step is how to find the right one. A good amount of research and investigation can help you. Online reviews and feedback from existing customers can help you find a good-fit, knowledgeable V-CISO for your organization.

The general process for engaging a V-CISO flows like this:

  • Set up an initial consultation meeting (commonly one hour at no charge).
  • The V-CISO delivers a proposal of the scope of work, including a high-level information security readiness view, proposed services and costs.
  • You may accept or reject the proposal, and then move forward.
  • If you decide to engage a V-CISO, negotiate an agreement that meets your requirements. If you need periodic gap and risk assessments and remediation reports, make sure that is explicitly mentioned in the agreement deliverables.
  • An agreement with a V-CISO can be set up on an hourly, monthly or quarterly basis. Make sure that you are getting the services you are paying for.

A V-CISO can be an affordable and flexible approach to adding extensive information security experience and wisdom to your management team. If a V-CISO is a good fit, it can help your organization identify and safeguard the weak links which could otherwise lead to aggressive cyberattacks.

Keywords: CISO, Virtual CISO, VCISO, vCISO, ISO 27001, GDPR, RBI, cyber security, information security, compliance, hackers, cyberattacks.

COMMON CYBER SECURITY THREATS
http://www.cyberlaws.org/common-cyber-security-threats/
Tue, 31 Mar 2020 22:29:34 +0000

LIST OF COMMON CYBER SECURITY THREATS WHICH EVERYONE SHOULD BE AWARE OF

In this era, where every organisation, whether in healthcare, finance, logistics and transportation, construction, government services, real estate, retail etc., is moving towards digitization and digitalization, they are also becoming prone to cyber threats.

While everyone is talking about new regulations and compliances like data privacy, information security, GDPR etc., organisations are still unable to protect their networks and data from cyber criminals. Personal data theft news makes headlines every other day.

What is a cyber security threat?

In layman’s terms, it is a malicious act which can damage data, steal data or disrupt digital life, and ultimately impact an organisation’s business objectives. These threats are masters of disguise and manipulation, and constantly evolve new ways to accomplish their task of stealing from, harming and annoying organisations. Organisations shall adequately arm themselves with resources and information to safeguard against complex and growing computer security threats and stay safe online.

THESE ARE THE COMMON CYBER SECURITY THREATS

1. VIRUS

What is a virus? A computer virus is a malicious piece of program that may disturb the normal functioning of a computer. Viruses are often sent as an attachment to email, with the intention of infecting your computer system as well as all other computers in your network. Sometimes viruses are hosted on websites, and whoever visits the malicious website gets infected.

Examples of computer viruses are: browser hijackers, file infector viruses, boot sector viruses, web scripting viruses, polymorphic viruses etc.

 

What virus can do? A computer virus can attach itself to email attachment, pdfs, doc files, USB, pen drives and hard drives .Any file which contains a virus is called infected file. If the infected file get copied to computer, virus also get copied

  • A virus can damage software and data on a computer
  • A virus can slow down the system processes
  • A virus can destroy all data by formatting the hard drive
  • A virus can steal critical information like passwords from your system
  • It can display unwanted advertisements
  • It can disable security settings and close your firewall
  • It can hijack your web browser, slow down its speed and steal critical data

2. MALWARE

What is malware?

Malware is a malicious program or software that infects your computer, such as computer viruses, worms, Trojan horses, spyware, and adware.

What can malware do?

  • Malware can intimidate you with a pop-up message that tells you your computer has a security problem or other false information.
  • Malware can reformat the hard drive of your computer, causing you to lose all your information.
  • Malware can alter or delete critical files.
  • Malware can steal sensitive information like usernames and passwords.
  • Malware can send fake emails on your behalf.
  • Malware can take control of your computer and all the software running on it.

3. TROJAN

What is a Trojan?

A Trojan is a malicious program that is disguised as, or embedded within, legitimate software. It is an executable file wrapped with some genuine program or software that will install itself and run automatically once it is downloaded.

Examples: Trojan-Banker, Trojan-GameThief, Trojan-Dropper, Trojan-Ransom, Trojan-SMS, Trojan-Spy etc.

What can a Trojan do?

  • A Trojan can delete your files.
  • A Trojan can be used to turn your computer into a zombie or a bot.
  • A Trojan can watch you through your web cam.
  • A Trojan can log your keystrokes (such as a credit card number you entered in an online purchase).
  • A Trojan can record personal information like usernames and passwords.

4. RANSOMWARE

What is Ransomware?

Ransomware is a type of malicious software that blocks access to your computer system or your files, usually by encrypting them, and displays a message that demands payment in order for the restriction to be removed. In many cases it comes with a deadline: if the victim doesn't pay the ransom in time, the data is gone forever.

The two most common modes of spreading ransomware are phishing emails that contain malicious attachments and website pop-up advertisements.

Examples of ransomware are: WannaCry, CryptoLocker, NotPetya, Bad Rabbit etc.

What can Ransomware do?

There are two common types of ransomware:

  • Locker Ransomware: displays an image that prevents you from accessing your computer
  • Encryption/Crypto Ransomware: encrypts files on your system's hard drive and sometimes on shared network drives, USB drives, external hard drives, and even some cloud storage drives, preventing you from opening them

Ransomware encrypts the computer or its data files and displays a ransom/payment notification for regaining access. Once the ransom is paid, the victim is supposed to receive the decryption key and may attempt to decrypt the files. Sometimes the victims never receive the keys.

5. BOTNETS

What are botnets? A botnet is a network of infected computers, often known as zombies, used for malicious purposes. The word botnet is a combination of robot and network: a network of computer robots used to perform cyber crime, controlled by a cyber criminal known as the bot master.

A botnet is controlled by its originator, and the owner of an infected computer might be unaware that it is a zombie.

Examples: IRC (Internet Relay Chat) botnets, P2P (Peer-to-Peer) botnets, HTTP (Hypertext Transfer Protocol) botnets and hybrid botnets.

What can botnets do?

  • A botnet can be used to spread malicious emails.
  • A botnet can be used to spread malware.
  • A botnet can be used to perform Denial of Service attacks.

6. DDoS

What is DDoS?

This is an attack in which a network of zombie computers is used to sabotage a specific website or server. These zombie computers are controlled to perform a specific task, such as making the website or server unavailable. In DDoS the attacker exploits vulnerabilities existing in users' computers.

What can DoS/DDoS do?

The purpose of a DoS/DDoS attack is to make essential services unavailable, which can sometimes lead to a server crash. The impact includes:

  • Loss of data
  • Loss of revenue
  • Impact on business reputation
  • Disappointment to users, who may never return.
  • Compensation for damage caused by DDoS.

7. PHISHING

What is Phishing?

Phishing is a social engineering attack used by cyber criminals to gather personal information, including login credentials and credit card details, using deceptive emails or websites.

Attackers create fake emails, text messages and websites which look like they're from authentic companies. This is also known as "spoofing".

What can Phishing do?

Through phishing, hackers/cyber criminals trick you into giving them information by asking you to update, validate or confirm your account. The request is often presented in a manner that seems official and intimidating, to encourage you to take action.

Phishing provides hackers/cyber criminals with your username and passwords so that they can access your accounts (your online bank account, shopping accounts, etc.) and steal your credit card numbers.
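To make the spoofing signs above concrete, here is an added defender-side example (not from the original article) that flags an email whose Reply-To, visible link text or link targets do not match the apparent sender, or that pressures the reader to confirm an account. The sample messages, the lookalike domain and the phrase list are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Lure wording the article describes: requests to update, validate or confirm an account.
URGENCY_PHRASES = ("update your account", "validate your account",
                   "confirm your account", "verify your account")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption: no ccSLDs such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def header_domain(msg: Message, header: str) -> str:
    """Registrable domain of the address in a header such as From or Reply-To ('' if absent)."""
    found = re.search(r"@([\w.-]+)", msg.get(header, ""))
    return registrable(found.group(1)) if found else ""

def phishing_indicators(raw_email: str) -> list:
    """Return (code, detail) pairs for the spoofing signs; an empty list means none were found."""
    msg = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    sender, reply_to = header_domain(msg, "From"), header_domain(msg, "Reply-To")
    hits = []
    # 1. Replies silently routed to a domain other than the apparent sender.
    if reply_to and reply_to != sender:
        hits.append(("reply-to-mismatch", f"{sender} -> {reply_to}"))
    for href, inner in ANCHOR_RE.findall(body):
        real = registrable(urlparse(href).hostname or "")
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname or ""
        # 2. Visible link text names one domain while the href leads somewhere else.
        if "." in shown_host and registrable(shown_host) != real:
            hits.append(("link-text-mismatch", f"{shown} -> {real}"))
        # 3. A link that leaves the sender's own domain.
        elif real and real != sender:
            hits.append(("link-off-domain", real))
    # 4. Pressure to act on the account, in the subject or the body.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits.extend(("urgency-phrase", p) for p in URGENCY_PHRASES if p in text)
    return hits

# Constructed sample messages (not real mail); the lookalike sender domain is invented.
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@examp1ebank-login.net>
Reply-To: helpdesk@mailbox-collector.example
Subject: Action required: confirm your account
Content-Type: text/html

<p>Please <a href="http://secure-login.examp1ebank-login.net/auth">https://www.examplebank.com/login</a>
to confirm your account within 24 hours.</p>
"""
SAMPLE_LEGIT = """From: Example Bank <noreply@examplebank.com>
Subject: Your monthly statement
Content-Type: text/html

<p>Your statement is ready at <a href="https://www.examplebank.com/statements">examplebank.com</a>.</p>
"""

if __name__ == "__main__":
    print("phish:", phishing_indicators(SAMPLE_PHISH))   # three indicators
    print("legit:", phishing_indicators(SAMPLE_LEGIT))   # []
```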

8. HACKING

What is Hacking? Hacking is an attempt to gain unauthorised access to a user's computer by exploiting existing vulnerabilities, in order to perform fraudulent activities like stealing personal data, invasion of privacy, financial fraud etc.

What can Hacking do?

Hackers find weaknesses in your system and exploit them for different purposes, such as:

  • Denial of service attacks
  • Fraudulent electronic fund transfers
  • ATM fraud
  • Identity theft
  • Stealing intellectual property

Ways to prevent Cyber Security Threats

  • Educate employees and individuals about cyber security and its countermeasures.
  • Use inbound and outbound firewalls on your network. Change the default passwords and customise the configuration according to your business needs.
  • Take backups of important business information and data on a regular basis, in order to maintain business continuity after a crisis.
  • Install and regularly update antivirus and antispyware on every server and computer on your network.
  • Control logical and physical access to all your computer and network components.
  • Always use licensed software and apply the patches for operating systems and applications.
  • Impose a password policy: use strong passwords and change them regularly. Remember, weak passwords are prone to hacking.
  • If you are using Wi-Fi at work, use WPA2 or better security. You can hide the SSID, and don't forget to use a strong password.
  • Don't give admin privileges to every employee. Networks and computers shall be run on the principle of least privilege.
  • Segregate your data according to criticality, and provide appropriate security using DLP, endpoint protection etc.
  • Never click on suspicious mails, and never ever download from P2P and file sharing systems.
  • Regularly scan your applications and network for vulnerabilities, and perform penetration testing at least once every year.
  • Regularly monitor your network for suspicious activities.

Using common sense is the best protection. One shall never download free videos, files or songs from suspicious websites, and never click on suspicious links. Never ever share your personal data online. Be aware of what is happening around you. Cyber threats are effective if and only if you have weaknesses in your system: more vulnerabilities expose the system to more threats and hence more risk, whereas fewer loopholes mean less risk.

Remember Precaution is better than Cure.

GENERAL DATA PROTECTION REGULATION (GDPR) http://www.cyberlaws.org/general-data-protection-regulation-gdpr/ Sun, 22 Mar 2020 12:51:53 +0000 http://www.cyberlaws.org/?p=33

What Is GDPR?

GDPR gives guidelines to organizations for handling the information of their customers/individuals. GDPR actually gives individuals more control over their personal information. Moreover, GDPR specifies how consumer data should be used and how it should be protected.

This will change the way data is handled around the world.

In case of non-compliance, defaulters can be fined in proportion to the severity and scale of the violation. GDPR came into force on May 25th, 2018, and companies must be able to show compliance by May 25th, 2018.
The main focus of the compliance is on protecting the personal information of individuals.

How will this Impact my Business?

GDPR sets new rules and restrictions on commercial data usage. Businesses will have to shell out more money on compliance spending, inspire trust and confidence, and safeguard customer data security rights, which will take a higher priority over the internet. Companies have already started rewriting their policies; the most important change is how companies share data with other vendors.

CYBERLAWS GDPR CHECKLIST

Consent: Companies cannot use illegible terms and conditions filled with legalese. It must be as easy to withdraw consent as it is to give it.

Mandatory Breach Notification: Data processors have to notify their controllers and customers of any risk within 72 hours of a data breach.

Right to Access: Data subjects have the right to obtain confirmation from data controllers of whether their personal data is being processed or not. Data controllers should provide an electronic copy of the personal data to data subjects for free. This is called confirmation of personal data usage, and one has to give a free electronic copy of the data.

Right to Be Forgotten: When data is no longer relevant to its original purpose, individuals have the right to request that the data controller erase their personal data and cease its dissemination. Yes, people have the right to be forgotten, but in certain cases this doesn't apply.

Data Portability: In recent times you must have experienced mobile number portability; similarly, individuals can obtain and reuse their personal data for their own purposes by transferring it across different IT environments.

Privacy By Design: Calls for the inclusion of data protection from the onset of designing systems, implementing appropriate technical and infrastructural measures.

Data Protection Officer (DPO): A Data Protection Officer (DPO) must be appointed in public authorities or organizations that engage in large-scale (>250 employees) systematic monitoring or processing of sensitive personal data.

Penalties

Businesses can be fined up to 4% of global turnover or 20 million euros.
Moreover, even if your business does not have a location in Europe, if you handle the personal information of any European citizen you will need to comply with the General Data Protection Regulation. The risk is hefty fines.

Types of data GDPR Protects

A defined set of data is covered by GDPR. This data includes names, addresses, ID numbers, geolocation, IP addresses, cookie data and RFID tags. Moreover, beyond the above, health and genetic data, biometric data, racial and ethnic data, political opinions, sexual orientation etc. are also covered by GDPR.

How will this Regulation impact beyond boundaries?

The concept of GDPR was popularized in 2016 and put into effect in 2018. People download apps on their mobiles, and while downloading, the app asks for permissions, i.e. access to the phone book, location, cookies etc.; we give those permissions without realizing/understanding the repercussions. Companies have been collecting data at a huge pace; one common reason is to find out consumer behaviour. This can be in the interest of the business, but it becomes dangerous if it crosses the line or is misused.

This data is shared in big data pools, where analytics comes into the picture; analytics can be used in positive as well as negative ways.

Hence it's a good step towards data privacy.
This collection of data will impact your choices and hence may impact your future. We are giving companies permissions over our future, and this can be misused across boundaries.

INFORMATION SECURITY-KNOW WHAT COMPLIANCE YOUR ORGANIZATION NEED http://www.cyberlaws.org/information-security-compliance-organization-need/ Sun, 22 Mar 2020 06:42:56 +0000 http://www.cyberlaws.org/?p=8

INFORMATION SECURITY-KNOW WHAT COMPLIANCE YOUR ORGANIZATION NEED

Data is the most critical part of any business. Every organization is either producing its own data or acquiring it from its employees or customers, so it becomes the organization's responsibility to safeguard that data from unauthorized access. Digitization and digitalization have changed the working techniques of every organization. Almost all data is on information systems, which increases the risk of information exposure to the outside world. Many organisations already know the importance of information security and are working in a controlled environment in one way or another; however, there are many organisations that still do not consider information security necessary for their business. Statutory and regulatory bodies have made information security mandatory for many businesses. Let's discuss the different information security compliances for organisations.

Why Organisations need IT Security Compliance

Compliance is a set of guidelines from a regulatory body to which the organisation needs to adhere. Compliance brings great benefits for organisations:

  • Improvement in Information Security: IT security regulations improve organisations' security measures by setting baseline requirements. These baseline requirements help keep business data security levels relatively consistent within respective industries.
  • Increased Control over Information Systems: Improved security goes hand-in-hand with increased control. This helps prevent employee mistakes and insider theft through enhanced authentication mechanisms, while keeping an eye on outside threats.
  • Minimized Organisational Losses: Improved security, in turn, prevents breaches, which are costly to businesses. Many organisations end up losing a very large amount of their revenue in lost sales, repair costs and legal fees, all of which can be avoided with the right preventive measures.
  • Maintained Trust with Customers: A better information security system definitely builds and maintains customer trust. Customers trust organisations that keep their information safe, secure and available at the right time.

Numerous IT security compliances exist, each related to different industry verticals. The most common ones include:

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

INDUSTRIES AFFECTED: This act affects any organisation or office that deals with healthcare data. That includes, but is not limited to, doctors' offices, insurance companies, business associates, and employers.

WHAT HIPAA regulates: This act is divided into 5 titles.

Title I: It protects the health insurance coverage of employees when they change jobs or are laid off.

Title II: It controls health care fraud and abuse. It also establishes policies and procedures for maintaining the privacy and security of individually identifiable health information, outlines numerous offenses relating to health care, and establishes civil and criminal penalties for violations.

Title III: This sets guidelines for pre-tax medical spending accounts.

Title IV: This sets guidelines for group health plans regarding coverage of persons with pre-existing conditions, and modifies continuation of coverage requirements.

Title V: This governs company-owned life insurance policies.

General Data Protection Regulation (EU) 2016/679 (GDPR)

INDUSTRIES AFFECTED: This regulation impacts all organisations that process personal data in any form. This includes cloud service providers, marketing companies, insurance providers, law firms, data analytics companies and many more. GDPR applies to all organisations collecting and processing the personal data of people residing in the European Union, even if the organisation is not physically located or based in the European Union.

WHAT GDPR regulates: The General Data Protection Regulation (GDPR) has 11 chapters: general provisions, principles, rights of the data subject, controller and processor, transfer of personal data to third countries or international organisations, independent supervisory authorities, cooperation and consistency, remedies, liabilities and penalties, provisions relating to specific processing situations, delegated acts and implementing acts, and final provisions.

GDPR's motive is to protect the personal data of European Union (EU) citizens from data breaches.

Payment Card Industry Data Security Standard (PCI-DSS)

INDUSTRIES AFFECTED: The Payment Card Industry Data Security Standard (PCI DSS) is meant for all organisations that handle credit card data.

WHAT PCI DSS regulates: PCI DSS has a set of 12 requirements designed to protect customer credit card information and to reduce fraud. The compliance requirements of PCI DSS are grouped into: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.

Sarbanes-Oxley Act of 2002(SOX)

INDUSTRIES AFFECTED: This regulation is meant for all U.S. public company boards, management and public accounting firms. In addition, a number of provisions of the Act also apply to privately held companies, such as those concerning the willful destruction of evidence to impede a federal investigation.

WHAT SOX regulates: The Sarbanes-Oxley Act has eleven sections: Public Company Accounting Oversight Board (PCAOB), auditor independence, corporate responsibility, enhanced financial disclosures, analyst conflicts of interest, commission resources and authority, studies and reports, corporate and criminal fraud accountability, white collar crime penalty enhancement, corporate tax returns, and corporate fraud accountability.

According to this act, organisations are required to maintain financial records for seven years. It was implemented to prevent financial scandals like Enron.

The Federal Information Security Management Act (FISMA)

INDUSTRIES AFFECTED: The Federal Information Security Management Act (FISMA) applies to all federal agencies in the US. According to FISMA, all federal agencies need to develop, document, and implement an agency-wide program to provide information security for their information and information systems. This also includes information and information systems provided or managed by another agency, contractor, or other source.

WHAT FISMA regulates: FISMA defines a framework for managing the information security of information systems. According to NIST, FISMA compliance is divided into: inventory of information systems, categorization of information and information systems according to risk, implementation of security controls, risk assessment, system security plan, certification and accreditation, and continuous monitoring.

There are many other laws and regulations present to protect information. However, it is not always very clear to many decision makers or compliance officers which regulations or compliances apply to their organisation. Compliance is a very critical part of any business. Not adhering to a mandatory compliance can lead to serious consequences, sometimes unnecessary disruption to the business. So it is very necessary for organisations to identify and understand all the regulations applicable to the business and adhere to all of their requirements.
