Going Digital is no longer the world of the rich and the famous and the Fortune 500 ones! Going Digital is the mantra for the future scale. Digital means many things, and among the more common ones is about getting information into the electronic age. This requires transformation. For a bank, this means instead of filling forms; have a kiosk where customers can scan their credentials and auto-fill. For Manufacturing industry, it will mean the supervisor on the production floor will not write the output on paper and will instead use a smartphone/ tablet to record the data and transmit them to a databank which will further analyse and show trends to the stakeholders. Digital transformation is about Social Media, Cloud, Mobile, Analytics and raises significant warning bells because of the ease at which information can be accessed
Some of the very basic dangers
- Our smartphone / tablet/ laptop is configured for auto logon to the various information available and one of two scenarios happen.
– We lose this during our travel OR
– Someone steals this during our travel. In both scenarios, the information can be accessed and manipulated/ stolen.
- Information to be sent privately inadvertently gets tweeted OR sent to the wrong person
- An employee with legitimate access leaks insider data
Some sophisticated dangers (oh yeah, these require some serious skills to pull off ???? )
- Your network is brought down by a Denial of Service attack. During a Denial of Service attack, the users are not able to reach their email, application, send data etc. In short, their legitimate access to the various IT services required are denied.
- Network and Application is breached by hackers and your web site is defaced with slogans supporting their favourite terrorist OR chant OR mantra
- Network and Application is breached by hackers and your data is changed such that you now do not know the legitimate from the illegitimate transactions
- Network and Application is breached by hackers and your data is stolen
- Your data is stolen by your employees with legitimate access to the data. They could do this because they can now download all the data into their favourite excel, put this in a usb drive OR email via one of the free ones, and send out to whoever they feel like. In an investigation into a similar incident of information leakage, we found that the user had sent the data out through the official email of the company. Such confidence in company not being able to monitor/ track this is stunning.
And actually, very true as well.
While going Digital is great, so is the requirement to be vigilant and sensitive to the newer type of dangers lurking. And in the SMB scenario, there is only so much we can do. So, what could we really do?
We could follow the steps as laid out (this is one of the approach, however, i have found fair amount of success and some solid foundation using this approach)
Step 1 – Define the Policy (for both Digital and Cyber/ Information Security)
Step 2 – Create the Security Architecture on the basis of the Policies we defined.
Step 3 – Do a Risk Assessment and Identify risks
Step 4 – Rollout of policies, procedures, awareness for users
Step 5 – Review of implementations like Log Review, Incident Review, SIEM, Monitoring of the various access, set up a helpdesk etc. All of these can be implemented via Open Source solutions.
Step 6 – Configure systems for alerts
Step 7 – Create a Security dashboard
Step 8 – Keep performing role of CISO looking for Incidents, New vulnerabilities, Cloud Security, Wifi, Social Media, Mobile, New Applications/ Changes in Applications
Next article, we will explore Step 1. How to go about defining the policies and what to look for.
Till then, stay safe and if you need emergency response/ help, shout out to