GRC Tuesdays: Cybersecurity & Data Protection – Securing the Digital Economy
Illustration: FortiGuard Labs Threat Map
As if the current health crisis caused by the spread of COVID-19 weren’t enough, a recent report by Kaspersky Lab cited by ITWeb found a 10-fold increase in cyber-attacks in some regions, with a “sharp spike in network attacks between 15th and 21st of March 2020, with affected devices increasing in number from the 20 000/30 000 average to peak at approximately 310 000 over these few days” in South Africa. Since cybercriminals don’t limit their attacks to predefined borders, we can safely extrapolate that this applies to other regions as well. A scary perspective if you ask me.
Today’s digital world has enabled remote working, which is helping many organizations continue delivering products and services to their customers even with confinement declared in many countries. But it also creates the perfect nexus for cybercriminal groups, since it increases the number of connections to the organization’s critical IT assets from locations that are not always secure.
As a result, and even more than before, cybersecurity and data protection have become key focus areas for companies worldwide. This is not only due to new regulations such as the General Data Protection Regulation (GDPR) in Europe, the California Privacy Act (CCPA) in the USA or Singapore’s Personal Data Protection Act (PDPA), as well as many others, but more importantly thanks to public attention: consumers react very rapidly to data breach incidents and place a great deal of importance on how companies use their data.
It is undeniable that organizations today hold more information about the environment they operate in (customers, partners, employees, etc.) than ever before and stakeholders expect this data to be secured and only used for legitimate purposes… and that it doesn’t fall into the wrong hands!
In two words, they expect Digital Trust which is usually defined as the measure of consumer, partner and employee confidence in an organization’s ability to protect and secure data and the privacy of individuals. Only with Digital Trust will we truly enable and scale-up the digital economy.
The million-dollar question now is: how do we build this Digital Trust with all stakeholders – and how do we deliver on this promise?
I certainly don’t pretend to have all the answers, far from it, but there are solutions that can help companies get on this path and decide where to focus their efforts so as to progress in phased approaches, including:
* Cyber Risk and Governance to identify and manage risks, regulations and policies to minimize potential business impact;
* Application Security to protect the applications that run the business by monitoring business applications for anomalies and attacks, analysing business transactions for fraud and unusual activity, and correlating insights from security and business alerts;
* Identity and Access Management to optimize digital identities across the enterprise by managing system accounts and ensuring the correct authorization assignments;
* Data Protection and Privacy to address data protection and privacy concerns and regulations, and to protect company reputation and intellectual property;
* Cloud Transparency and Control to create and enforce public-cloud data access, location, movement and processing policies, and also to monitor and report on data access, storage, movement, processing and location in the public cloud.
Nevertheless, before going for a Big Bang approach that will consume more resources than you will ever have available and, more importantly, may delay other critical business priorities, I would suggest first laying out where the organization wants to be at the end of the journey. This will help craft a realistic roadmap that you can feel confident in delivering.
What about you: which cybersecurity elements do you recommend putting in place first? I look forward to reading your thoughts and comments, either on this blog or on Twitter @TFrenehard.
At my company we run lean and fast. I push for standardization and to streamline. The goal is to eliminate complexities so I can manage more with less: fewer people, fewer resources, less budget. Any wrinkle that falls outside the standard comes with a cost and a risk. I advertise this early on in projects and it helps keep my leadership and my internal customers in line.