CISO – Cyberlaws.org (https://www.cyberlaws.org) | Compliance | Security | Legal | Feed updated Sun, 07 Mar 2021 12:11:32 +0000

HOW TO HANDLE CYBER-SECURITY INCIDENTS IN START-UPS
https://www.cyberlaws.org/how-to-handle-cyber-security-incidents-in-start-ups/
Sun, 07 Mar 2021 12:10:01 +0000

Information technology has penetrated almost every area of our lives, personal and professional, to the point where we are completely dependent on it. Whether in organisations or at home, the amount of data collected and processed by large companies and start-ups is enormous. Hardware and software, from handheld to wearable to implantable devices, have become inseparable from daily life.

Whether at the office or in the household, technology has entered every sector and made work easier and more efficient. All these devices and services have one thing in common: they process data. Personally Identifiable Information (PII), Protected Health Information (PHI), and the financial, scientific and confidential data of organisations and governments are extremely lucrative targets for competitors and cybercriminals of every kind, from hackers, script kiddies and hacktivists to crackers and phreakers.

For example, if you are a start-up providing IT services to a government body or a large organisation that processes critical data, a vulnerability in your system is a potential route to a breach of your client's data. Recent trends suggest that at least one new zero-day vulnerability is found each week, and each one gives cybercriminals a fresh tool to intensify attacks. Proactive measures such as an incident management or cyber crisis management plan are therefore an effective way to limit, or even prevent, the propagation of an attack.

IMPACTS OF CYBER SECURITY BREACHES IN START-UPS

Cybersecurity breaches affect organisations in different ways, and many cause serious, sometimes permanent, damage to start-ups. Some effects of a breach are:

  • Financial loss: A severe breach can damage critical servers and hardware and cause direct financial loss. In addition, an organisation that cannot secure its information assets and suffers frequent attacks is liable for penalties imposed by clients or regulators.
  • Loss of confidential data: This is often the main consequence of an attack. Stolen data can range from credit card numbers, Aadhaar numbers, PAN numbers, phone numbers, social security numbers and health records to software designs, source code, classified military information and medical formulas.
  • Loss of reputation and market value: Trust and value built between a service provider and its clients are called into question after a mishandled attack, especially when the company fails to respond promptly.
  • Loss of competitiveness: Once a firm's competitive position is compromised, the result can be a disaster from which small and medium organisations or start-ups might never recover.

Organisations can survive breaches by adopting two complementary strategies: preventive measures that avoid a potential attack, and corrective measures that define how to respond when a breach, including a zero-day attack, does occur. Both require continuous monitoring of the information systems.

STEPS TO AVOID A POTENTIAL CYBERSECURITY ATTACK

Cyber attacks come in many kinds, and there is an enormous number of resources describing how to prepare for the inevitability of an attack. Cyber risk arises from points such as open ports, unattended laptops and desktops, and improper patch management, and addressing it requires the involvement of employees at every level of the organisation. No methodology or solution handles every incident perfectly, but the impact can be minimised if incidents are handled properly. The following points strengthen cyber security:

  • Perform a cyber security risk assessment: Assess your business thoroughly, identify every weak point that could lead to an attack, and define a mitigation plan for each risk. Do not leave any risk unattended.
  • Train employees: Aware employees help handle incidents. Every organisation or start-up should provide adequate training to those who handle sensitive data.
  • Regularly back up sensitive data: Data is the core of every company, and its unavailability can destabilise, disrupt or even shut down a start-up. Keeping backups at an alternate location, online or offline, and verifying them by restoring regularly, is key to surviving a breach. Remember that availability is one of the three pillars of information security.
  • Screen employees before hiring: A policy and SOP for employee screening should be developed and followed with due diligence. Since employees are often the weakest link in a security plan, prospective employees should be screened and the security skills required for their positions validated.
  • Keep systems patched: Most start-ups and small companies lack a proper patch management programme for systems and software, which is a serious threat because known vulnerabilities are what cybercriminals exploit to gain access. Applying security patches to software and hardware promptly and routinely reduces the threat, as most attacks exploit known weaknesses.
  • Adopt a security culture and take threats seriously: Management must make cyber security a priority as part of the organisation's culture, since negligence can lead to unrecoverable attacks. Management should provide an adequate budget for improving security.
  • Develop a cyber crisis management plan: Incidents come unannounced, so organisations and start-ups should identify and classify attack scenarios and prepare a mitigation plan for each. Tabletop exercises help gauge readiness. A contingency plan should also be developed.

A skilled team for handling cyber security is very important. Having a Data Protection Officer (DPO), a Chief Information Security Officer (CISO) and a Chief Information Officer (CIO) with well-defined roles helps any organisation.

HOW TO RESPOND TO SECURITY BREACHES?

  1. Establish an Incident Response Team (IRT).

Create an IRT with the skills to handle cyber security incidents. Define the roles and responsibilities of each member, which may in some cases take precedence over their normal duties. The IRT can draw on several departments, including Information Technology, Finance, Compliance and Human Resources.

Your IRT should include your Chief Information Security Officer (CISO), who leads the team and sets the organisation's security policy direction. In a start-up, a virtual CISO can fill this role.

  2. Identify the type and extent of the incident.

An impact matrix should be clearly defined so that damage can be assessed and the appropriate response determined. For example, an incident where a computer virus is easily detected and removed and has not affected any internal or external party can be categorised as low and need not be escalated.

An incident that affects clients or customers, however, should be escalated to the IRT.

  3. Escalate incidents as necessary.

Employees are usually the first to observe a cyber security incident. Abnormal system behaviour, phishing or fraudulent e-mails and similar events should be reported immediately to the IRT so that timely corrective action can be taken to mitigate the suspected vulnerability and avoid unexpected downtime.

  4. Notify affected parties, government bodies and outside organisations.

Assign one member of the IRT to manage communication with affected parties (e.g. government bodies, investors, third-party vendors). Depending on the severity of the incident, that member informs the affected parties and law enforcement agencies. Several regulations set deadlines for this step; the GDPR, for instance, requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, so such deadlines should be built into the plan.

  5. Gather and analyse evidence.

The IRT is responsible for identifying, gathering and analysing both physical and electronic evidence as part of the investigation. Evidence should be stored securely as part of the incident artefacts, with a record of who handled it and when, so that its integrity can be demonstrated later. Lessons learnt should be documented for the future.

  6. Mitigate risk and exposure.

The technical members of the IRT monitor the situation, ensure that any damage caused by the incident is repaired, and take measures to minimise the chance of recurrence.

Since cyber security is everybody's responsibility, disciplinary action should be defined for those found negligent. A proportionate penalty acts as a deterrent and helps reduce incidents, provided that good-faith reporting of incidents is never penalised, or employees will stop reporting them.
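The impact matrix, escalation, notification and evidence steps above can be written down as a small triage routine so that the decisions are consistent rather than ad hoc. The following Python block is an added example and is not code from the original post or from cyberlaws.org: the severity thresholds, the field names on `Incident`, the actions in `response_plan` and the 72-hour notification clock are assumptions made for illustration, and the three sample incidents are constructed.

```python
"""Incident triage helper for a small IRT: applies an impact matrix,
derives escalation/notification actions and keeps a hashed evidence ledger.
Added example; thresholds and field names are assumptions, not a standard."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1        # detected and removed, nobody else affected: no escalation
    MEDIUM = 2     # internal systems or staff affected: escalate to the IRT
    HIGH = 3       # external parties (clients, customers, vendors) affected
    CRITICAL = 4   # external parties and regulated data (PII/PHI/financial)


@dataclass
class Incident:
    incident_id: str
    description: str
    contained: bool                     # already detected and removed?
    internal_parties_affected: bool     # other staff or internal systems hit?
    external_parties_affected: bool     # clients, customers or vendors hit?
    data_types: set = field(default_factory=set)   # e.g. {"PII", "PHI", "financial"}
    detected_at: datetime = field(
        default_factory=lambda: datetime.now(timezone.utc))


REGULATED = {"PII", "PHI", "financial"}   # data classes that trigger regulator notice


def classify(incident: Incident) -> Severity:
    """Impact matrix: who is affected and what kind of data is involved."""
    if incident.external_parties_affected:
        return Severity.CRITICAL if incident.data_types & REGULATED else Severity.HIGH
    if incident.internal_parties_affected or incident.data_types:
        return Severity.MEDIUM
    return Severity.LOW if incident.contained else Severity.MEDIUM


def response_plan(incident: Incident) -> dict:
    """Map severity to the actions in the steps above (escalate, notify, preserve)."""
    sev = classify(incident)
    plan = {
        "severity": sev.name,
        "escalate_to_irt": sev >= Severity.MEDIUM,
        "preserve_evidence": sev >= Severity.MEDIUM,
        "notify": [],
        "notification_deadline": None,
    }
    if sev >= Severity.HIGH:
        plan["notify"] += ["management", "affected clients/customers"]
    if sev == Severity.CRITICAL:
        plan["notify"] += ["regulator", "law enforcement"]
        # Assumption: a GDPR-style 72-hour clock starting when the breach was detected
        plan["notification_deadline"] = (
            incident.detected_at + timedelta(hours=72)).isoformat()
    return plan


def add_evidence(ledger: list, name: str, content: bytes,
                 handler: str, when: datetime) -> dict:
    """Append an artefact to the evidence ledger with a SHA-256 fingerprint,
    who collected it and when (a minimal chain-of-custody record)."""
    entry = {"name": name, "sha256": hashlib.sha256(content).hexdigest(),
             "handler": handler, "collected_at": when.isoformat()}
    ledger.append(entry)
    return entry


def verify_evidence(entry: dict, content: bytes) -> bool:
    """True if the artefact still matches the hash recorded at collection time."""
    return hashlib.sha256(content).hexdigest() == entry["sha256"]


# Constructed sample incidents (not real events) with a fixed detection time.
DEMO_DETECTED_AT = datetime(2021, 3, 7, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = [
    Incident("INC-001", "Virus on one laptop, detected and removed by antivirus",
             contained=True, internal_parties_affected=False,
             external_parties_affected=False, detected_at=DEMO_DETECTED_AT),
    Incident("INC-002", "Phishing mail opened; two internal mailboxes compromised",
             contained=False, internal_parties_affected=True,
             external_parties_affected=False, detected_at=DEMO_DETECTED_AT),
    Incident("INC-003", "Customer database exposed through misconfigured storage",
             contained=False, internal_parties_affected=True,
             external_parties_affected=True, data_types={"PII", "financial"},
             detected_at=DEMO_DETECTED_AT),
]


def demo() -> dict:
    """Triage the sample incidents; returns {incident_id: plan}."""
    return {i.incident_id: response_plan(i) for i in SAMPLE_INCIDENTS}


if __name__ == "__main__":
    for incident_id, plan in demo().items():
        print(incident_id, plan)
    ledger = []
    entry = add_evidence(ledger, "phish.eml", b"constructed sample mail",
                         "analyst-1", DEMO_DETECTED_AT)
    print("evidence intact:", verify_evidence(entry, b"constructed sample mail"))
```

The thresholds in `classify` are the part each organisation must set for itself in its impact matrix; the value of writing them down is that the same input always yields the same escalation and notification decision, and the evidence ledger lets the IRT show later that an artefact was not altered after collection.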

Keywords: Cyber-Security, Information Security, Cyber-Security incidents, CISO, Virtual-CISO, hacking, cybercriminal, start-ups, incident-response

VIRTUAL CISO: A LOGICAL METHOD TO MANAGE CYBER SECURITY COMPLIANCE IN START-UPS
https://www.cyberlaws.org/virtual-chief-information-security-officer/
Sun, 21 Feb 2021 07:03:39 +0000


In the current era both large companies and small start-ups use information technology for ease of doing business, but this also makes them vulnerable to cyber attacks. It therefore becomes necessary to employ cyber security professionals, such as a CISO (Chief Information Security Officer), to protect information assets. Information security activities consume more resources than ever before. Cybercriminals are improving all the time, and staying ahead of them is getting harder. It is not only zero-day attacks by sophisticated criminals: competitors, organisational growth, rising infrastructure complexity and new compliance requirements all demand more defence staff, more time and the right technology to avoid becoming the victim of a breach.

In earlier days security focused primarily on physical access to facilities and resources, or on adding layers of logical controls around business applications and data. Present-day security concerns no longer fit that traditional model: they affect every aspect of an organisation's operations and should be an integral driver of strategic planning and of every decision about future expansion.

Cyber attacks have become smarter and more sophisticated at exploiting vulnerabilities, and with the wide availability of open-source tools it is easy for attackers to launch new attacks every day. For organisations and start-ups, cyber security should be a proactive programme rather than a reactive one launched only when an attack occurs. Information security is thus an integral part of strategic growth, as important as goodwill, financial turnover and product quality.


What are a Chief Information Security Officer (CISO) and a Virtual Chief Information Security Officer (V-CISO)?

Top management should be aware of how a lack of information security affects the organisation's profitability and durability. Weak information security can result in heavy fines for non-compliance, punitive rulings after a finding of liability or negligence, or the loss of customers and partners after a confidence-shattering breach. The risk of underestimating information security is too big to ignore.

To reflect the growing importance of information security in strategic planning, many larger organisations and start-ups include a Chief Information Security Officer (CISO) at the executive level. The CISO is the executive responsible for information security and cyber security compliance in the organisation.

Many companies cannot afford their own CISO because of the high salary involved. There are situations where an organisation, including a start-up, needs a CISO but the budget does not allow for a full-time person in that position.

There is, however, a cost-effective alternative. Organisations, especially start-ups, that lack the budget for a full-time CISO can opt for an outsourced solution: the Virtual CISO, or V-CISO.

A V-CISO is an information and cyber security expert who draws on years of industry experience to help organisations and start-ups develop and manage the implementation of their information security programme and attain the required government and non-government compliance. At a high level, V-CISOs help build the organisation's security strategy and manage its implementation.

The organisation's internal security staff may work with and report to the V-CISO to strengthen the information and cyber security framework and make it more effective. In addition, the V-CISO is usually expected to present the organisation's state of information security to the board, the management team, auditors or regulators.

Benefits of having a V-CISO

A V-CISO is generally a cyber security professional who works part-time, offering information security services to multiple organisations at once over the course of a year. This gives organisations the flexibility to engage a part-time CISO as required.

The V-CISO fills several needs through different types of services, including:

  • Information security and cyber security guidance to management executives on adhering to compliance requirements
  • Information security architecture guidance
  • Incident management, including incident response
  • Governance plans
  • Cyber security readiness assessment
  • Compliance alignment recommendations (for ISO 27001, RBI guidelines for banks and NBFCs, HIPAA, GDPR, PCI DSS, CCPA and many more)
  • Remediation prioritisation
  • Business continuity planning, disaster recovery plans and DR drills
  • Identification of the scope and objectives of information security compliance
  • Risk management (risk identification and treatment)
  • Vendor risk management
  • Coordination of audits by regulators or customers

Why does your organisation need a Virtual CISO?

If your organisation needs more compliance-related information security guidance at management level, consider whether a V-CISO would be a good option. If you are a start-up and your budget will not support a CISO, you might need a V-CISO. If any of the scenarios below resemble your situation, your organisation might need one.

  • You are a start-up and do not know whether you are vulnerable to a breach: If your organisation has not yet assessed its information security risk, a V-CISO can initiate and support that process.
  • Your organisation has been breached and nobody on your team was able to detect the attack: Post-breach investigations and recommendations often lead to leadership remodelling, including adding an information security member to the executive suite. If this is the case, you might need a V-CISO.
  • You are a start-up handling critical customer data: If you do not want to hire a full-time CISO, you need a V-CISO to safeguard your information assets and avoid heavy penalties for non-compliance with the applicable regulations.
  • Important or major changes have occurred that could affect security: If your organisation is going through a merger or acquisition, the security risk should be assessed. Significant outside influences, such as a global pandemic or natural disaster, can affect business continuity as well as information security. If nobody in your organisation can guide you through such times and ensure security is not compromised, you might need a V-CISO.
  • You want to share the workload of your existing CISO: Changes to the organisation's scope or environment, including new regulatory compliance requirements, may increase the demands on a CISO beyond their current capacity. If your existing CISO needs a helping hand, you might need a V-CISO.

There can be many reasons to engage a V-CISO. An experienced V-CISO provides valuable guidance and solutions customised to your organisational needs, and saves you the salary of a full-time CISO.

How to find the right V-CISO

If you are struggling with your day-to-day information security requirements and have decided that a V-CISO would benefit your organisation, the next step is finding the right one. A reasonable amount of research and investigation helps: online reviews and feedback from existing customers can point you to a knowledgeable V-CISO who fits your organisation.

The process for engaging a V-CISO generally flows like this:

  • Set up an initial consultation meeting (commonly one hour at no charge)
  • The V-CISO delivers a proposal covering the scope of work, including a high-level information security readiness assessment, the proposed services and costs
  • You accept or reject the proposal and move forward accordingly
  • If you decide to engage the V-CISO, negotiate an agreement that meets your requirements. If you need periodic gap and risk assessments and remediation reports, make sure they are explicitly listed among the agreement's deliverables.
  • An agreement with a V-CISO can be set up on an hourly, monthly or quarterly basis. Make sure you are getting the services you are paying for.
  • A V-CISO is an affordable and flexible way to add extensive information security experience to your management team. If the fit is good, a V-CISO can help your organisation identify and safeguard the weak links that could lead to damaging cyber attacks.

Keywords: CISO, Virtual CISO, VCISO, vCISO, ISO 27001, GDPR, RBI, cyber security, information security, compliance, hackers, cyberattacks.

IS CYBER SECURITY A GOOD CAREER OPTION?
https://www.cyberlaws.org/is-cyber-security-a-good-career-option/
Mon, 13 Apr 2020 14:38:29 +0000

WHAT IS CYBER SECURITY?

Cyber security is the practice of protecting cyber assets (networks, applications, devices, etc.) and critical data from cyber attacks of any kind.

Cyber attacks are a danger to organisations, employees and consumers because they can reveal, delete or manipulate critical information through unauthorised access. Attacks are tailored to access or destroy sensitive data or to extort money, and can thus destroy businesses and damage people's financial and personal lives.

Put another way, cyber security is the practice of safeguarding the confidentiality, integrity and availability (CIA) of information assets.

IMPORTANCE OF CYBER SECURITY

Technology and the internet are now prevalent and have become an integral part of everyone's life. So much information is shared over networks and the internet that keeping it secure at all times, upholding the principles of confidentiality, integrity and availability, has become challenging.

The rise in threats to information assets such as servers, networks and other communication devices, and the growing opportunities for fraud, theft, espionage, cyber terrorism and misuse of classified, personal (PHI and PII) and financial data, have driven the significant growth of cyber security in recent years, making it a top choice for career seekers today.

WHAT IS THE NEED FOR CYBER SECURITY?

A data breach can have catastrophic consequences for any business. It can damage an organisation's reputation through the loss of consumer and partner trust. The loss of critical information, such as intellectual property or source files, can cost a company its competitive advantage. A breach can also hit revenue through penalties for non-compliance with data protection regulations. A data breach can cost the affected organisation millions, whereas a good cyber security programme can prevent that loss. With well-known companies suffering breach after breach, it is essential that organisations adopt and implement a strong cyber security approach.

Data and employees are the most valuable assets of a company. Government and corporate organisations of all kinds need cyber security professionals who are both well educated and adequately trained.

Employees who handle critical data on a regular basis must understand computer security and how to protect the company.


HOW TO START A CAREER IN CYBER SECURITY?

There is no single defined path into cyber security. Many individuals start directly in roles such as Network Engineer, Database Administrator or Security Administrator after graduation. Many others switch to cyber security from other domains by pursuing courses and certifications such as CCNA, CCNP, CompTIA certifications, CCNA Security, CEH, ECSA and CHFI.

An individual with 2 to 5 years of IT experience can pursue certifications such as ISO 27001 Lead Auditor, ISO 27001 Lead Implementer and GDPR-related certifications.

A professional with 5 to 10 or more years of IT experience can pursue higher-level certifications such as CISA, CISM, CRISC and CISSP.

COMMON ROLES AND SKILLSETS IN CYBER SECURITY

  1. Information Security Analyst: The entry-level job in cyber security. The analyst monitors networks, reports breaches and incidents, and maintains firewalls and data encryption.
  2. SOC Analyst: A Security Operations Centre (SOC) analyst maintains security by monitoring and analysing the organisation's network on a regular basis. The SOC team detects, analyses and responds to incidents, investigates suspicious activity, and ensures that potential incidents are correctly identified, analysed, investigated, escalated and defended against to keep the company's infrastructure secure.
  3. Incident Handler: A member of the Incident Response Team (IRT) who analyses information, discusses observations and activities, and shares important reports and communications across the company.
  4. Cyber Forensics Investigator: Investigates cyber security incidents and breaches, performs root cause analysis of any data breach, and helps prevent recurrence.
  5. Ethical Hacker/Penetration Tester: Identifies the bugs and flaws in applications and networks that leave an information system open to unauthorised access.
  6. Risk Assessor: Identifies the cyber security risks in the organisation and establishes an appropriate risk treatment plan to mitigate compliance, reputational and operational risk.
  7. Network Analyst: Prepares and manages the computers and infrastructure in a network so that systems can work together and share information, and troubleshoots the network.
  8. Cloud Security Engineer: Protects the organisation's critical information by securing cloud-based platforms, detecting risks in cloud-based programmes and providing security guidance to the risk management team.
  9. Internal Auditor: Assesses IT processes and information security compliance, makes sure the organisation complies with the laws and regulations relevant to its business, and coordinates between the internal and external audit functions.
  10. Security Architect: Designs, builds and oversees the implementation of network and computer security for an organisation, creating complex security structures and ensuring that they work.
  11. Security Consultant: Identifies, develops and implements cyber security solutions to meet clients' needs, assists the sales team in safeguarding clients, and monitors and assesses potential risks for client organisations.
  12. Chief Information Security Officer (CISO): A senior position responsible for the overall information and cyber security of an organisation. It requires technical as well as management skills, and the CISO develops the organisation's cyber security strategy.
  13. Cyber Security Trainer: With the huge demand for cyber security skills, professionals are needed who can develop those skills in others. Anyone with an interest in training can pursue a career as a trainer or instructor.

The cyber security industry is a huge market. With all the regulatory and legal compliance requirements, almost every organisation is hiring cyber security professionals. They are found throughout an organisation, managing and monitoring networks, incidents, applications and more. Basic cyber security awareness is essential for everybody, from top management and executives to the security guard at the entry gate.

Studies report a large shortage of cyber security professionals, particularly those with the relevant skills. This is a golden opportunity for job seekers, particularly those with a technical background who are seeking a career in the cyber security domain.

Tags: CCNA, CCNP, ISO 27001 LA, ISO 27001 LI, CISO, legal and regulatory.

Keywords: Compliance, Cyber Security, Network Analyst, Internal Auditor, ISMS, CISO, Incident Handler, Cyber Security Trainer, GDPR.
