Data security is most important requirement to the customers or user. If the organisation wants to run a business successfully, they need to give surety of data protection as it gives customers the assurance that their data is being collected, processed, and transferred through secure mechanism. Data is most critical and important for businesses of all sizes, from a small start-up to a global conglomerate and so is data privacy.

Data is information processed by a computer system and stored in a system known as server. This information may be in the form of text, image, documents, audio clips, software programs, patents, financial information, secret information, health data, personal information or other types of data.

Every organisation collect data with different mediums either by old traditional method or by modern digital methods. Be it hospitals, banks, companies, government departments etc data is everywhere. Processed data is known as information.

Sometimes a set of data can formulate a sensitive information, so Data privacy is a mechanism to maintain our privacy online, because information is a highly value asset and sought-after commodity by malicious users and cyber criminals. As an end user it is very essential to know what is happening with our online information, what can be done with the data or who all can have access to it. Users often give their consent and allow companies to track and store their data can have disastrous results, so one should have a say in the matter.

Normally organisation focus on the risks originated hackers and cyber criminals, however this is much more than this. Protecting your data privacy is as significant as managing your data security.

Firstly, and fore mostly, Data Privacy is an arm of data security and its motive is to safeguard the data from unauthorized access. Data privacy aims to the proper handling of information based on its significance-

• Regulatory requirements and data privacy laws
• Consent of the data owner
• Privacy Notice
• About the public expectation of privacy.

Main objective of Data privacy is to safeguard the users’ data as per the regulations and users’ rights. Main factors to consider are:

• How to collect and share the data legally
• Whether to data can be shared with the third parties and identification of the third parties with whom data can be shared.
• Adhering to the regulatory compliance and laws limits such as-HIPPA (Health Insurance Portability and Accountability Act), GDPR (The General Data Protection Regulation), GLBA (The Gramm-Leach-Bliley Act), CCPA (The California Consumer Privacy Act), ECPA (Electronic Communications Privacy Act 1986),Personal Information Protection and Electronic Data Act (PIPEDA) and so on. Different countries have different data protection regulations and all these regulations have their own set of rules and legislation pertaining to a specific area, purpose, and type of companies or individuals.

In a nutshell this means protection of critical user information primarily PII (personally identifiable information) of an individual:

PII consists of: – 

• Full Name,
• Address,
• Contact details,
• Date of birth,
• Social Security Number
• Bank Account Number
• Driving License Number
• Some more personal information such as an-
• • IP address,
  • Profile photo,
  • Social media post,
  • Financial Information
  • Medical Information
  • Location
  • And many based on regulatory compliance.

Importance of Data Privacy and Data Security for Business

 Data privacy and security helps in protection of customer’s data privacy.

It helps reduction of the number of information security incidents like data breaches that an organization can suffer.

• It is helpful in maintaining, improving and retaining brand value of the business.
• It is helpful in safeguarding the business from hefty penalties for violating the rules. Regulators impose huge penalties in case of data breach which could be few thousand dollars or a big part of revenue generated, and it’s different for various types of data breach incidents.
• Data sharing will be limited and identification of third party would be done on prior basis according to the risk level of data.
• It saves the organisations from the theft of data by hacker or cyber criminals, that can cause enormous monetary losses
• Data privacy limits the access of customer’s critical data and hence safeguarding the right of customers to be free from uninvited surveillance
• This helps the organisations to keep track of their data breach records and organisations can learn lesson in order to avoid future recurrence.
• Now a days most of the business run on customer’s critical data safeguarding the privacy expectations should be priority of the organisation.
• It helps the organisations from loss of revenue.
• It is also provided competitive advantages to business.
• Last but not the least it is helpful in adherence to the strict policies of how PII is collected, accessed, protected, and erased.
• Data security and privacy controls are helpful in enhancing company’s reputation and built customer trust.

Importance of Data Privacy for Users

• It provides assurance from unauthorised access of data.
• It will keep customers personal, health and financial information safe.
• It generates a trust value for the customer.
• It provides a legal right to the end user or customer to challenge the company in case of any data breach.
• Data can only be collected by receiving consent from the users.
• Companies which collect the data provides data security guarantee to the end user.

Tips and Tricks to help protect your personal data

Data privacy is such an important issue, nowadays many government organizations and companies spend a good part of their revenue each year to help protect their data—which could include your PII (Personally identifiable information)—from exposure. As an end user may not be able to implement high end security solutions to safeguard their personal data, however there are inexpensive ways whichyou can take to help protect your data. Below are a few suggestions:

• Use strong passwords for your online accounts also avoid having same password for multiple accounts. Change password on regular basis.
• Chane the default password for your home network devices, especially Wi-Fi device. A weak password is easy to guess and any unauthorized person can connect to your network with malicious intent.
• Avoid clicking on any random link received via mail or message, these can have malicious links which will give access of your device to cyber-criminal who could eavesdrop your network traffic including personal data.
• Don’t ever share your personal details like bank account number, credit card detail, social security number, Aadhar card number etc over call.
• Avoid writing your personal details like phone number and address at public platform unless necessary. This could sometimes be very dangerous if accessed by any cyber criminal.
• Avoid sharing too much personal information on social media platform.
• Always use security setting on social media accounts, which you can always secure your accounts by changing in Privacy settings. Always keep your social media count in most private mode in order to avoid disclosure of personal information.
• Use VPN (Virtual Private Network) for online activities, however avoid the freeware for financial transactions.
• Share your personal details over the websites which are using encryption.
• Carefully shred all the personal document, receipts, bank statements and your courier packaging as well before discarding.
• Use genuine software on your system.
• Install antivirus and anti malware.
• Always keep firewall on.

Data Protection regulations and laws of different countries are developed and designed in order to maintain the data privacy of the citizens of that particular country. There are many countries where data privacy is already in place, however there are countries where there are no such laws. Having a framework for data privacy and security will definitely safeguard the critical information. A set of defined roles and responsibilities, network security controls like firewalls, secure configurations, Intrusion detection and prevention systems, monitoring, logging the activities, having proper procedures and processes in place of conducting any activity like access provision, de-provisioning, change management, patch management, backup management, privilege access management, physical security management etc certainly provide a more secure environment to data and information systems. Expectation and responsibilities of third-party service providers also plays critical role in data security. Technical controls should be according to the organisations risk appetite and relevant regulations.

Although cyber criminals are inventing new techniques to intrude into the networks but using encryption techniques will help the data in non-readable formats.

 Data is the most precious asset for both organisation and customer, a vigilant consumer and an organisation with adequate resources, diligent employees, regular monitoring, proper governance, periodic reviews can safeguard their information assets and maintain data privacy and security.

#Keywords,-Data security, data privacy, encryption, Cybercriminals, hackers, GDPR,HIPPA,GLBA , CCPA , ECPA ,PIPEDA, password protection, network security, patch management,

]]> http://www.cyberlaws.org/cyber-security-compliance-for-startups/ Sun, 21 Feb 2021 17:27:31 +0000 http://www.cyberlaws.org/?p=622 CYBER SECURITY COMPLIANCE FOR START-UPS

Start-ups are integral to  economic success of any country, generating  millions new jobs in recent years and experiencing significant market growth as business owners tap new technologies to increase brand reach and impact. With the recently developed industry standards and regulatory requirements influencing all industries, cyber security compliance becomes a mandate for business success.

In this digital era, as the severity and number of cyber-attacks increases, industry standards organizations and governments seek to enforce cyber security by establishing mandatory compliance requirements. However, compliance requirements often lag behind cyber security risk. Therefore, to prepare for dynamic compliance requirements, businesses need to have a risk based approach which includes addressing and mitigating risk of cyber security so that they can stay ahead of the evolving requirements.

Think Big while Starting Small

Most of the time start-ups view their IT as inherently safe —there is a common thought, after all, why would hackers bother with smaller businesses when large-scale operations handle huge volumes of valuable data? Cyber security for start-ups may also take a back seat because almost all of mission-critical tasks that require owners’ attention.

Here’s the hard truth: Start-ups are often in the line of fire for digital compromise precisely because they don’t have built-in cyber security controls or well-articulated InfoSec policies.

Since there’s a lower chance of attacks being detected, identified and mitigated, attacker/hackers looking to test new threat vectors or grab consumer data may target start-ups

 Clearly, start-ups should not ignore risk pertaining to Cyber security. Few of the key activities includes

Compliance : From privacy regulations such as HIPAA and GDPR to start-up PCI compliance, our experts ensure your data handling and storage processes meet evolving expectations.

Internal Audits : Periodic internal audits are helpful in identifying critical gaps between the actual status and desired compliance status.

Risk Assessments :Regulatory bodies wanted to ensure that controls and measures taken by organisation are sufficient and reasonable to your organization, customers, and partners. There are many frameworks available in the market, organisation need to choose the right one as per their requirements and then identify acceptable risk. If possible more than one framework can be used to identify and compare the risks. Organisation shall identify and implement a balanced security strategy factoring in compliance and safeguards based on their specific business and objectives.

Security management : Proper security management services help streamline IT environment and protect business purpose. It provides a holistic view to the management about cyber security compliance.

Incident Response and remediation : When a breach does occur, organisations need to address the attack immediately, contain it, and remediate the threat. A properly trained, expert incident response team to stop, fix, and an ongoing incident response process and plan to keep data secure.

Vulnerability Assessment and Penetration testing : Not all vulnerabilities are obvious. Vulnerability assessments and penetration testing helps find and secure potential failure points.

Third Party Risk Management (TPRM)/Vendor Risk Management : Vendors or service providers are the integral part of most of the start-up businesses. Organisations need to ensure third-party partners are aligned with your organization’s risk controls. Organisations shall ensure that all the vendors are adhering all the desired requirements pertaining to cyber security compliance.

What are the data breach risks?

Data breaches has become very frequent irrespective of the organisations size.

The recent trends indicate that cyber criminals target small businesses which does not have adequate security to gain unauthorized access to data that they can sell on the dark web. Hacking and social engineering attacks focus on exploiting vulnerabilities in servers, systems, networks, software, and people to gain entry.

Many small businesses currently lack the necessary resources required to defend against these attacks, which increases the probability that hackers will continue to target them.

Below are the recent data breach trends

• One fourth of data breaches involved small businesses.
• Many of breaches include social engineering by exploiting lack of awareness of cyber security among employees.
• Maximum of breaches were financially motivated
• Most of the breaches were perpetrated by outsiders and script kiddies.
• Almost more than one fourth of breaches still take months or more to discover

What is cybersecurity compliance and why it is necessary?

Compliance, in general is the act of being aligned with guidelines, rules, regulations and legislation. In cybersecurity, compliance is a program that establishes risk-based controls to protect the confidentiality, integrity, and ensure availability of information stored, processed, or transferred.

Cyber security compliance is not a stand-alone compliance many a times, it is based on multiple standards or regulations to be adhered by any industry. Sometimes different standards can create uncertainty and surplus work for organizations using a checklist-based approach

For example, an e-commerce organisation needs to meet PCI DSS(Payment Card Industry Data Security Standards) if accepts payments through POS(Point-of Service) device, they also require to adhere HIPPA (Health Insurance Portability and Accountability Act) for their employees health information.If this organisation serves European customers then must be complaint with GDPR (General Data Protection Regulation)

What Data is subject to cybersecurity compliance? 

Cybersecurity and data protection laws and regulations primarily focus on the protection of sensitive data, such as

Financial Informatione.g. credit card numbers, card pin numbers, bank account number etc.

PersonallyIdentifiable Information (PII)e.g.First and last name,address,date of birthetc.

Protected Health Information (PHI)e.g. Medical history, records of admissions, prescription records etc.

Other sensitive datathat may be subject to state, regional, or industry regulations includes:

• IP addresses
• Email addresses, usernames, and passwords
• Personal email contents
• Personal messages
• Authenticators, including biometrics such as fingerprints, voiceprints, and facial recognition data
• Marital status
• Race
• Religion

Step by Step Cybersecurity Compliance Program

€Creation of a Compliance Team

For every business irrespective of size, a compliance team is compulsory. Since organizations mainly start-ups are continue to move their business-critical operations to the cloud, there is a need for an interdepartmental workflow and communication across business and IT departments.

Define the Scope

Identify and define the clear scope which includes business processes, information systems, legal requirements, contractual requirements, etc.

€Identify and Establish a Risk Management Process

RISK IDENTIFICATION

Identify all information assets and information processing systems, networks, servers, and data that they access.

 RISK ASSESSMENT

Review the risk level of each data type. Identify where high-risk information is stored, transmitted, and collected and rate the risk of those locations accordingly.

ANALYZE RISK

After assessing risk, you need to analyze risk. Traditionally, organizations use the following formula:

Risk = (Likelihood x Impact)

SET RISK ACCEPTANCE /TOLERANCE LEVEL

After analyzing the risk, you need to determine whether to transfer, treat, accept, or reduce the risk.

Implement Controls

Once the risk is identified treat the risk based on your risk tolerance, you need to determine how to mitigate or transfer risk. Controls can include:

• VPNs
• Access Management
• Firewalls
• Employee training
• Encryption
• Password policies
• Network security
• Third Party/Vendor risk management program

Create Policies

Document Policies and procedures for your compliance activities and controls. These policies acts as the foundation for any internal or external audits.

Continuously Monitor, Respond, and Improve

Continuous monitoring helps in identify new gaps in the cybersecurity compliance program and hence the weaknesses of the information systems and processes can be reduced to strengthen the security. Organizations need to regularly update all the systems in order to avoid any kind of data breach.

Since cyber security is an innovative method, where cyber criminals always try to find out new vulnerabilities in the systems and exploit it.These new vulnerabilities lead to Zero Day attack. Organisations need to monitor their networks and processes in order to identify any suspicious behavior and content it immediately. Internal audits and penetration testing are most effective ways of internal audits.

What are the Benefits of cybersecurity compliance?

There are lots of benefits:

€Enables you to protect your company’s reputation,

It maintain consumer trust, and build customer loyalty by ensuring  customer’s sensitive information is safe and secure

It reduces the risk of a data breach, hence the associated response and recovery costs.

It saves organisations from the less-quantifiable costs of a breach such as reputation damage, business interruption, and loss of business.

Enhance the trust of customers and regulatory bodies in the organisation

€Implementing the appropriate safeguards and security measures to protect sensitive customer and employee information strengthen company’s security posture.

€ It helps to protect intellectual property such as trade secrets, software code, product specifications, and other information that gives your company a competitive advantage.

Other Links :

CYBER SECURITY CHALLENGES FACED BY FINTECH START-UPS

LIST OF COMMON CYBER SECURITY THREATS WHICH EVERYONE SHOULD BE AWARE OF

In this era where every organisation like healthcare, financial, logistics and transportation, Construction ,government services ,real estate ,retail etc. are moving towards digitization and digitalization, also becoming prone to cyber threats.

While everyone is talking about new regulations and compliances like Data Privacy, Information Security, GDPR etc., organisations are still unable protect their network and data from cyber criminals. Personnel Data theft news is making headlines every other day.

What the Cyber Security threat is?

In a layman term it is a malicious act which can damage data, steal data or disrupt digital life and ultimately impact organisation’s business objectives. These threats Masters of disguise and manipulation, and contently evolve new ways to accomplish their task of stealing, harming and annoying organisations. Organisations shall adequately arm themselves with resources and information to safeguard against complex and growing computer security threats and stay safe online.

THESE ARE COMMON CYBER SECURITY THREATS

1. VIRUS

What a virus is? A computer virus is a malicious piece of program that may disturb the normal functioning .Virus are often sent as an attachment with email ,with an intention to infect your computer system as well as all other computers in your network. Sometimes virus are hosted on websites, whosoever visits malicious website gets infected.

Examples of Computer Virus are: Browser Hijacker, File Infector Virus, Boot Sector Virus, Web Scripting Virus, Polymorphic Virus etc

What virus can do? A computer virus can attach itself to email attachment, pdfs, doc files, USB, pen drives and hard drives .Any file which contains a virus is called infected file. If the infected file get copied to computer, virus also get copied

• A virus can damage software and data on a computer
• A virus can slow down the system processes
• A virus can destroy all data by formatting the hard drive
• A virus can steal critical information like password from your system
• It can display unwanted advertisements
• It can disable security setting and close your firewall
• It can hijack your web browser and slow down the speed and can steal critical data

2. MALWARE

What a malware is:

A malware is a malicious program or software that infects your computer, such as computer viruses, worms, Trojan horses, spyware, and adware.

What malware can do:

• A malware can intimidate you by a pop-up message that tells you your computer has a security problem or other false information.
• A malware can reformat the hard drive of your computer causing you to lose all your information.
• A malware can alter or delete critical files.
• A malware can steal sensitive information like username and passwords.
• A malware can send fake emails on your behalf.
• A malware can take control of your computer and all the software running on it

 3. TROJAN

What a trojan is?

A Trojan is malicious program that is disguised as, or embedded within, legitimate software. It is an executable file wrapped with some genuine program and software  that will install itself and run automatically once it’s downloaded.

Example:Trojan- Banker, Trojan-GameThief , Trojan-Dropper, Trojan Ransom, Trojan-SMS, Trojan- Spy etc

What trojan can do?

• A Trojan can delete your files.
• A Trojan is used to create your computer a zombie or a bot.
• A Trojan can watch you through your web cam.
• A Trojan log your keystrokes (such as a credit card number you entered in an online purchase).
• A Trojan record personal information like usernames, passwords

4. RANSOMWARE

What is a Ransomware ?

Ransomware is a type of malicious software that block the access to your computer system or your files, usually by encrypting it and displays a message that demands payment in order for the restriction to be removed. In many cases it comes with deadlines, if the victim doesn’t pay the ransom, the data is gone forever.

The two most common mode of spreading ransom ware are phishing emails that contain malicious attachments and website pop-up advertisements

Examples of ransom ware are: WannaCry, Crypto Locker, NonPetya, Bad Rabbitetc.

What Ransom ware can do?

There are two common types of ransomware:

• Locker Ransom ware: displays an image that prevents you from accessing your computer
• Encryption/Crypto  Ransom ware: encrypts files on your system’s hard drive and sometimes on shared network drives, USB drives, external hard drives, and even some cloud storage drives, preventing you from opening them

Ransom ware encrypts the computer or data files and display a ransom/payment notification for regaining access. Once the ransom is paid, victim will receive the decryption key and may attempt to decrypt the files. Sometimes the victims never receives the keys.

5. BOTNETS

What are botnets? Botnets -Botnet is a network of infected computers often known as zombies used for malicious purposes .This Botnet is combination of Robot and Network. So here the network of computer robots is used to perform cyber crime controlled by Cyber criminal known as bot masters.

Botnet is controlled by the originator and the infected computer might unaware of its being a zombie.

Example:IRC (Internet Relay Chat) botnet, P2P (Peer-to-Peer) botnet, HTTP (Hyper Text Transfer Protocol) botnet and the hybrid botnet

What Botnets can do?

• Botnet can be used to spread malicious emails.
• Botnet is used to spread malware.
• Botnet is used to perform Denial of Services attach

6. DDOS

What is DDOS?

This is an attack a network of zombie computers us used to sabotage specific website or server. These zombie computer are being controlled for performing specific task such as making the website and server unavailable .In DDOS the attacker use the vulnerability existing in user computer

What DOS/DDOS can do?

The purpose of DOS/ DDOS attack is to make essential services unavailable, which can sometimes leads to server crash.

• Loss of data
• Loss of revenue
• Impact on business reputation
• Disappointment to users, they may never return.
• Compensation of damage occurred by DDOS.

7. PHISHING

What is Phishing?

Phishing is a social engineering attack used by cyber criminals used for gathering personal information of including login credentials and credit card details using deceptive emails or website.

Attackers create fake emails, text messages and websites which look like they’re from authentic companies. This is also known as “spoofing”

What Phishing can do?

By phishing hackers/cyber criminals trick you into giving them information by asking you to update, validate or confirm your account. It is often presented in a manner than seems official and intimidating, to encourage you to take action.

Phishing provides hackers/cyber criminals with your username and passwords so that they can access your accounts (your online bank account, shopping accounts, etc.) and steal your credit card numbers

8.HACKING

What is Hacking? Hacking: Hacking is an attempt of unauthorised access to users computer by exploiting the existing vulnerabilities  for performing fraudulent activities like personal data stealing , invasion in privacy, financial fraud etc.

What Hacking can do?

Hackers find out weakness in your system and exploit it for different purpose

• Denial of service Attack
• Electronic Fund Transfer
• ATM Fraud
• Identity Theft
• Stealing intellectual information

Ways to prevent Cyber Security Threats

• Educate employees and individuals about cyber security and its countermeasure
• Use inbound and outbound firewalls on your network. Change the default passwords and customise it according to your business needs.
• Take backup of important business information and data on regular basis, in order to maintain business continuity after crisis.
• Install and regularly patch antivirus and antispyware on every server and computers on your network
• Have a controlled logical and physical access to all your computer and network components.
• Always use licenced software and update the patches for Operating Systems and Applications
• Impose a password policy, use a strong password and change them regularly. Remember, weak passwords are prone to hacking
• If you are using Wi Fi at work, use WPA2 and above security. You can hide the SSID and don’t forget to use strong password.
• Don’t give Admin privileges to every employees. Network and Computers shall be run on Principle of least Privilege.
• Segregate your data according to criticality and appropriate security shall be provided by using DLP, Endpoint protection etc.
• Never click on suspicious mails and, never ever download from P2P and file sharing system
• Regularly scan your application and network for vulnerabilities, also perform penetration testing at least once in every year.
• Regularly monitor your network for suspicious activities

Using common sense is the best protection .One shall never download free videos, files or songs from suspicious websites, never click on suspicious links .Never ever share your personal data online. Be aware of what is happening around.Cyber threats are effective if and only if you have weaknesses in your system. More vulnerabilities will expose the system to threats and hence more risky, however less loopholes means less risk.

Remember Precaution is better than Cure.