Data security has become the talk of the town, discussed everywhere from over a cup of coffee to a beer in hand, and from board rooms to pool tables. Even world-renowned leaders and dignitaries like the Democratic nominee for President, Joe Biden, and the Hon. Prime Minister of India, Narendra Modi, are taking note of these trends and levelling up their game to match the sophistication of the threats they face. So, we decided to take the discussion forward with a veteran in this field and get a deeper insight into what exactly the fuss around data security is all about.
In an exclusive interview with Mihir Bagwe, Tech Writer at CISO MAG, Nikhil Korgaonkar, Regional Director, Arcserve India & SAARC, tells us how data security has continued to evolve even in times of the COVID-19 pandemic and the threats that organizations are facing. He also sheds some light on the data security and privacy policies that organizations of different sizes around the world are abiding by for the greater good of the people.
Korgaonkar has 20+ years of experience in this field and has worked with Dell India, Symantec – Veritas, DHL, and Wockhardt; he is currently serving at Arcserve. As the Regional Sales Director with Arcserve, he manages the India and SAARC P&L. He is extensively involved in internal and customer policymaking.
Let’s take a look at the edited excerpts of the Q&A below:
1. Worth of Data
A. Businesses are doing a lot to protect their online systems, but not nearly enough to protect the data that enables them to keep operations running in the event of a disaster or cyberattack. One of the more challenging aspects is that there is often a disconnect between their cybersecurity and data protection stances, and the two are often found functioning in silos within organizations, with separate budgets, solutions, and processes. What we need instead is a comprehensive strategy to ensure the security of both systems and data, as well as a Disaster Recovery and Business Continuity Plan that is well-tested and implemented. By implementing an integrated strategy and solution, organizations have a first and last line of defense against cyber threats and data loss.
2. The Need for a Universal Data Regulatory Body
A. Businesses are reeling under the challenge of what we call compliance fatigue. GDPR in Europe; HIPAA, SOX, and FACTA in the U.S.; the California Consumer Protection Act, which came into force earlier this year; LGPD in Brazil; there is a multitude of compliance regulations that businesses face today. According to an estimate, CISOs spend 30% of their time dealing with compliance issues, an indication of how much productive mind space is being consumed by the fragmented regulatory landscape. There is certainly a need for a universal regulatory body and policy relating to data protection and privacy.
For that to happen, however, all the countries will need to come up with the same level of data security preparedness and understanding. It will have to be a symphony where each player plays their part to bring out a well-coordinated piece, which is music to everyone’s ears.
Meanwhile, we have every country drafting their version of a cybersecurity policy, which is a welcome move as it shows the seriousness of intent about data protection. In India too, the Prime Minister recently announced the government’s intent to formulate a National Cybersecurity Policy, which is a welcome move. This initiative will boost the adoption of data protection measures and stronger policies that shall protect the privacy and interests of customers, businesses, and the public of the country. Formulation and adoption of policies might still take time, but this is a clarion call to the Indian internet users to pay attention to such attacks, create robust ‘firewalls,’ and conduct regular cybersecurity and data protection audits.
3. Guarding the Remote Workforce
A. A remote and fragmented workforce poses several security risks since remote workers are outside the secure periphery of the organization. With more employees working from home, cybercriminals have more access points to exploit networks. A comprehensive security infrastructure is therefore critical to securing remote access and ensuring the organization can back up the data their employees are producing on their laptops to reduce the risk of data loss. This infrastructure must include centrally managed, cloud-driven cybersecurity and data protection solutions with enhanced detection and response, ransomware protection, and firewalls, among other things. Lack of data backup is one of the weak links in the remote access security chain. Many users assume that cloud-based SaaS apps like O365 are automatically backed up. That is simply not the case.
Making investments in third-party remote backup tools is essential to mitigate the risk of data loss when the company starts working from home (or even when it does not!). Centrally managed cloud-to-cloud backup and DR solutions are ideal for remote work situations, which is especially important since most remote workers are not likely to have proper security and data protection measures at home.
Last but not least, educating employees on cyber hygiene and regular testing of apps is key to ensuring a well-synchronized approach to secure remote access.
4. Impact of “EU-U.S. Privacy Shield” Invalidation
A. The European Court of Justice (ECJ) annulled the “EU-U.S. Privacy Shield” framework, citing gaps in the data security measures of the U.S. Surveillance Law. It regards them as inadequate to protect the data privacy rights of the EU citizens as defined under the General Data Protection Regulation (GDPR). Europe is known to be very proactive and sensitive to the issue of data privacy and their concern is understandable. On the flip side, this is likely to hit hard the small and medium enterprises doing business with Europe. The alternative for them is to sign the Standard Contractual Clauses, which is not an easy process. There is a clause within GDPR that will still enable necessary data transfer, but the exact contours of what is deemed necessary and what is not are yet to become clear. This looks like a major setback to transatlantic trade, but businesses must work together with their security partners to understand how best they can navigate the situation and ensure business continuity.
5. COVID-19 and Data Security
A. The COVID-19 pandemic is a humanitarian crisis, but it is also emerging as a data security challenge. Cybercriminals are rampant during this crisis and are increasingly targeting businesses due to the remote and fragmented nature of the workforce currently. According to an IBM estimate, there has been a 4300% increase in Coronavirus-themed spam. As early as March 28, 2020, just a few days into the COVID-19 lockdown in India, CERT-In stated that cyberattacks on personal computer networks and routers had increased exponentially. They stressed the importance of deploying VPNs to better protect sensitive data.
6. Bridging the Cloud
A. Cloud providers strive to provide the best security standards, but security breaches do happen. It is important for businesses to assess the security levels of their cloud providers. Datacenter security certifications, physical security standards, security audit reports, and encryption policies for in-flight and at-rest data are some of the key parameters you should look for before deciding upon a cloud provider. Cloud backups are crucial to ensure business continuity in case of an inevitable attack. On-premises backups can be compromised too, and offline data stored in physical storage devices may not be up to date, besides being slow to retrieve. A secure cloud backup integrated with proven cybersecurity technology provides the best of both worlds in terms of business continuity, but businesses must ensure they do their due diligence before choosing their cloud partner.
A. Enterprise-grade cloud services offer elevated levels of security, but data breaches can happen when data is in transit or is in interaction with other systems. We see more cyberattacks aimed at the backups themselves. It is therefore important to check the encryption standards for in-flight and at-rest data. Multi-tier encryption is key to ensuring that in-flight data remains secure, while AES encryption is key to at-rest data. Compliance is another area where businesses need to be extremely vigilant because as owners of data, they will be ultimately responsible for any compliance breaches. There are multiple compliance regulations to take care of today, including GDPR, HIPAA and OHSAS, FINRA, FERPA, and other regional regulations. A cloud provider needs to demonstrate the expertise to navigate this complex regulatory landscape and offer security and privacy standards that are compliant with all these regulations.
8. The Risks of the Third-Party
A. Outsourcing non-core business processes, customer and proprietary data, and partnering with vendors in infrastructure, security and other support services is intrinsic to the business models of most companies today. This makes them vulnerable to unauthorized data access, security breaches, malicious use by insiders, and other threats that are beyond the business’ control.
Businesses must therefore ensure that they do their due diligence before trusting an external vendor or parting with their data. This involves assessing all the standard processes such as datacenter certifications, security protocols, compliance standards, and policies relating to the handling of data in transit. Businesses must also ensure that they safeguard all the rights to their own data stored with a third party, including the right to deny certain kinds of processing, the right to rectify or forget certain data, the right to transfer it to another partner, and so on. Most importantly, businesses should ask for copies of their data being handled by third-party vendors and ensure they back up these copies regularly.
A. Cybercriminals are intent on staying one step ahead and are constantly evolving their methods to gain access and hold data hostage. For example, one of the trends we are seeing is ransomware focused on the backups themselves – which are critical for organizations to have available in the event they become infected and data encrypted. If an organization does not have access to current backups, whether on-premises or in the cloud, they are really at the mercy of the cybercriminals. Moreover, organizations in industries such as manufacturing must be aware that more cybercriminals are now aiming at their production facilities, going beyond holding data hostage. Stealing data is one thing, but shutting an organization or its production systems down is another new and highly concerning threat.
10. Suggestions for Businesses
A. With larger attack surfaces driven by telecommuting and exponential data growth, and cybercriminals set to prey on new vulnerabilities, organizations must have a proactive approach that combines cybersecurity and data protection. Protecting an infrastructure from security threats, data loss, and downtime is tough enough. But juggling multiple strategies, processes, vendors, SLAs, and support teams only adds complexity and leaves organizations open to security gaps and data erosion.
The only way to become truly cyber ready is to deconstruct their siloed operations with technology that works together to securely back up mixed workloads, detect and prevent attacks, respond and prevent threats, and instantly restore data if needed. This brings organizations a first and last line of defense against cyberattacks and data loss while removing complexity and improving SLAs.
About the Interviewer
Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features and technical blogs, and conducts interviews on the latest cybersecurity technologies and trends.