
Needs of Data Privacy and Proactive Steps to Mitigate Cyber Attack

K. S. Sreedharan is the Director of Compliance at ManageEngine, Zoho Corporation. He is also the Data Protection Officer for Zoho. He has about 3 decades of industry experience, 2 of which have been in the IT industry with AdventNet and Zoho, the foremost product companies to operate out of Chennai, India.
● A recent report by AWS states that Indian companies can grow revenues by 13.6% by effective data usage. Why is it important for India Inc. to dive deep on data privacy and focus on ethical data usage?
The question is effective data usage for whom. If it is for the customers of the service to improve their own business, data usage is still acceptable provided it does not infringe upon the rights of the data subjects. But if it is effective data usage for the service provider that handles the data on behalf of the customers and that can correlate data from various sources to further its own business, ethical data usage becomes more important. If we expect our personal data to be ethically handled, customers and employees too will have the same expectation.
Times are changing. The privacy landscape is slowly shifting from one that is necessitated by regulations to one of being a key business differentiator. Some of the principles of privacy, like data minimization, storage limitation, and purpose limitation, help in reducing the collection, processing, and storage of unnecessary data. This can help improve resource utilization and also reduce the cost of securing data. For all these reasons, it is important that India Inc. deep dive into data privacy.
● In a difficult economic environment, when the market sees a need for increased spending on data privacy, how can ManageEngine help companies strategize their consumer-data privacy policies?
With the aid of their IT and privacy teams, organisations must categorise the many types of customer information they acquire. Additionally, they need to decide on and put into practice a strategy for protecting the various data types, which can call for varied storage protocols. Given the rise of advanced machine learning (ML) systems that gather client data, IT teams can reduce risk by carefully monitoring the algorithms.
The preferences of clients for data processing are recognised and respected by ManageEngine. ManageEngine offers data processing services catered to customer needs at our cutting-edge data centres located all over the world. To guarantee data security and privacy, we closely adhere to industry standards.
As for our solutions themselves, they synchronise and streamline IT workflows through seamless communication and integration with one another.
● Role of IT decentralization in preventing cyber-attacks: Importance of negating security issues while companies aim towards digitalisation and focus on tech innovations.
Decentralized structures provide organizations with immense agility and help in faster deployment of new technologies. At the same time, with decentralization it becomes hard to ensure decisions are made in a consistent manner and with all the right considerations in mind—which is a real problem when it comes to security. The key is to cultivate a security culture where all employees at every level consider security and understand their specific role in assuring it. When thinking about security becomes a company-wide reflex, people are more likely to seek guidance when in doubt and escalate any violations. Also, it is important that cybersecurity is embedded within each business unit. Organizations should look at decentralized security where "security champions" who advocate for security practices within their business unit are groomed and deployed in each unit.
● Comment on the upcoming Data Protection Bill. How do you think it will benefit the IT segment?
The very fact that India has a data protection act will be hugely beneficial to business. Seamless data flow is important for business. But because of the differing perceptions about privacy, countries are enacting laws that restrict transfers. But many regions also allow free transfer between regions that have an adequate level of data protection. For example, Japan is one of the countries that has been recognized as having adequate data protection under EU GDPR. Thus, India having a data protection act will be a significant point to support business in India. Recently, it has been reported that India is considering a "Data Embassy Policy" as a part of the upcoming Data Protection Bill. This is aimed at permitting countries and corporations to set up "data embassies" within India, which will offer diplomatic immunity from local regulations for national as well as commercial digital data. This will provide immense opportunities for IT businesses to expand the data processing business.
● What initiatives can companies take to increase physical cybersecurity intelligence?
Typically, physical security and cybersecurity used to be entirely separate divisions operating in silos, and such an approach results in a lack of a holistic view of the security threats targeting the business. Surveillance systems are increasingly connected to the internet, physical access control systems and monitoring systems are required to keep digital audit logs, and there is an explosion of IoT devices connected to the enterprise IT infrastructure. With the remote work model, we clearly see the blurring of boundaries where company assets move outside the physical perimeter of the organization.
Organizations should look into integrating AI and ML technologies in physical security. A few examples are intelligent access control systems that use behavioural analytics to detect anomalies, facial recognition systems, and real-time analysis of video surveillance. An integrated system can detect anomaly cases; for example, if you're doing a badge swipe in Chennai but you're logged in to your business app through a VPN in China, that's a way to detect potentially malicious activity.
● Employee negligence accounts for the majority of cyberattacks in organizations. What can companies do to pre-identify potential threats?
Employees are the front line warriors for the security of the organization's data. So, educating, empowering, and encouraging the right security behaviour is an absolute essential. Providing contextual learning by highlighting the security pitfalls and what can go wrong when an employee chooses a less secure option provides a better result than traditional security training presentations. Simulated security exercises and gamified security challenges can be organized periodically to ensure the message is received and understood by employees. Organizations should deploy ML-based technologies like user and entity behaviour analysis to baseline a user’s typical behaviour and detect and alert on any abnormal activity. Endpoint protection platforms and a Zero Trust strategy to limit any lateral movement are fundamental defence measures organizations should adopt to prevent cybersecurity threats.
● How can C-suite leaders effectively plan and create proactive strategies to mitigate risk?
Effective risk management starts with the tone at the top. The importance of security and privacy in business operations needs to be re-emphasized time and again. Business leaders should inculcate a culture of following the rules and regulations of the geography they operate in. They should provide sufficient opportunities for employees to keep them educated on current developments in security and privacy fields. Though there will be a dedicated team under the office of the CISO to oversee the security and privacy program, it is important to develop a distributed team that is embedded within the various business functions that reports to the central security team. Broad basing of security functions and inculcating awareness is a crucial requirement. Instituting a bug bounty program with adequate compensation for bugs reported by the security community will also help a great deal in mitigating the risk. Last but not least is the training and testing of employees in various business functions.