Governance, Risk, and Compliance (GRC) plays a pivotal role in organizational success by providing a structured and integrated approach to managing an organization's overall performance, addressing risks, and adhering to
The Reserve Bank of India (RBI) announced the launch of the first pilot for retail digital Rupee (e₹-R) on December 01, 2022. It has commenced the pilot in the wholesale segment from November 2022.
The Central Bank Digital Currency (CBDC) can be defined as the legal tender issued by the Reserve Bank of India, according to the RBI. Touted as Digital Rupee or e-Rupee, RBI's CBDC is the same as a sovereign currency and is exchangeable one-to-one at par with the fiat currency, the regulator mentioned
As we learn more on how the digital wallet application will function in the retail segment, how users can load/redeem digital rupee and how a transaction b/w two devices happen, it looks like this will play parallel to UPI and Wallets.
However, I wouldn’t be surprised if the e₹ digital wallet kill UPI and PPI Wallets in the longer run. Not sure about UPI but definitely it’s going to impact the Wallet instruments like PPI in the long run. Question is ‘Will wallet companies start providing digital wallet using CBDC’ or ‘Why should someone use a wallet when Digital Wallet with e₹ and UPI exist.
Not sure if offline payments can happen directly b/w mobile phones for e-rupee transaction. Logically looks like it’s viable. NFC/Bluetooth communication between two devices should work.
Few questions that arise for the future:
1. Banks have been burning cash for building UPI services and not getting much in returns. Will e₹ application change the scene?
2. Can pre-paid wallets continue to have relevance over the digital e₹ wallet.
3. Privacy concerns have already been raised. Will transactions be private and the role of tech here?
4. The multiple and most futuristic use cases that can be developed and operated with CBDC?
As an IS auditor for financial institutions, will research and post on regulatory requirements, how the application works to controls that matter the most in having this implemented and integrated in the system, and risk factors to keep mind for CBDC in Digital Payment Security.
Overall, Digitalization in payments and banking is continuing to reach new heights and India is setting an example to the world!
We are a CERT-IN Empanelled cyber security company based out of Bangalore. Reach out to us to gain more insights into the Digital Payment Security Domain and for a free consultation!!!
An Account Aggregator (AA) is a Non-Banking Financial Company. These non-banking entities are regulated by the Reserve Bank of India (RBI). In order to perform the job of an account aggregator, these entities should obtain a license from the regulating body i.e., RBI. Such entities act as a bridge or a medium for transmitting the financial data between the data-requesting institution and data-providing institution also known as Financial Information User (FIU) and Financial Information Provider (FIP) respectively. This process of sharing the user data from FIPs to FIUs will only be carried out after explicit consent from the user. The AAs will never facilitate any kind of transaction involving money made by users or customers. The AAs will not be undertaking any other business other than the business of an account aggregator.
The RBI, being the regulatory body, has prescribed a Master Directive for AA (RBI/DNBR/2016-17/46 Master Direction DNBR.PD.009/03.10.119/2016-17), as AAs are involved in the transmission of users' financial data. It is necessary for all the entities carrying out the business of Account aggregators to be compliant with the Master Direction document which is considered a regulatory requirement.
As per the Master Directions defined by RBI, an Account Aggregator shall transmit the financial data about or of the user only after receiving formal consent from the user. The consent from the users can be obtained in electronic format by the AAs. AAs should store the consent obtained by the users for transmitting the financial data to the FIUs. The AAs shouldn’t store any other financial data other than the data for which the consent is received by the user.
The consent received by the AAs should include the Identity of the customer and optional contact information, the nature of the financial information requested, the purpose of collecting such information, if necessary the identity of the recipients of the information, URL or other address to which notification needs to be sent every time the consent artifact is used to access information, consent creation date, expiry date, identity, and signature/digital signature of the Account Aggregator and any other attribute as may be prescribed by the Bank at any point of time.
The latter-mentioned attributes should be displayed to the user at the time of receiving the consent form the user. The AAs Shall(Shall not), not request/access/store the user credentials of the users which may be manipulated/utilized for authenticating the customers to the FIP(s). The AAs should allow the customers/users to access the consents given by them and should be bestowed with the ability to revoke the consents provided by them for FIU(s) to access their financial information or parts of such information. Once the consent is revoked, a fresh consent artifact shall be shared with the FIP(s). An AA should have the request(s) and response(s) logs maintained by the FIP(s) recorded at the time of transmitting the data.
It is necessary for the AAs must enable secure data transfers of the requested data from the FIP(s) to its own systems and then to the FIU(s), to achieve such secure data transfer AAs shall employ the necessary IT framework and interfaces(s). The technology adopted by the AAs should be scalable to cover any other financial information or financial information provider as may be specified by the Bank in the future. An Account Aggregator is mandated to ensure adequate safety is built into its IT systems to protect against unauthorized access, data alteration/tampering, destruction, disclosure, or dissemination of records and data. An AA should adopt appropriate measures/controls for Disaster Risk Management and Business Continuity in order to provide a prolonged service to the customers/users without any disruptions. Information System Audit of the internal systems and processes shall be in place and shall be conducted at least once in two years.
An AA should constitute various internal mechanisms for reviewing, monitoring, and evaluating its controls, systems, procedures, and safeguards. The integrity of the IT systems should be maintained at all costs, and all necessary precautions should be taken to ensure that the records of the consents explicitly received by the users are not lost, destroyed, or tampered with. The account aggregator should establish a well-documented risk management framework which shall include a sound and robust technology risk management framework, strengthening system security, reliability, resiliency, and recoverability and deploying strong authentication to protect access to customer data and systems. AAs should formulate a Risk Management Committee consisting of not less than three members of its Board of Directors. AAs shall conduct a self-assessment of their existing outsourcing arrangements to validate the risk inherited from the outsourced vendor.
An Account Aggregator should not outsource any core management functions including Internal Audit, Strategic and Compliance functions, and decision-making functions such as determining compliance with KYC norms for opening deposit accounts, according to sanction for loans (including retail loans) and management of investment portfolio. The AAs are not permitted to outsource the service of an account aggregator from any vendor.
As prescribed by RBI, all AAs should comply with the master directions as prescribed by the regulatory body and the report must be submitted to the bank to obtain the license to perform the business of an account aggregator in India. This would call out the need for Subject matter expertise in Information Security to align the business controls to be in adherence with the regulatory requirements. Such firms/entities are assisted by CyRAACS (Cyber Risk Advisory and Consulting Service) in achieving information security compliance with the necessary documents as regulated by RBI.
CyRAACS will assist an AA in fulfilling the requirements set by the regulator by ensuring compliance readiness. CyRAACS provides internal audit services to AAs, supported by a team of trained professionals in providing an unbiased observation to the AAs by assessing their IT systems, applications, or processes in scope and ensuring adherence to the regulatory and statutory requirements. CyRAACS also assists an AA in assessing the security of their applications and web applications through vulnerability assessment and penetration testing, which provides the AA with an overview of the risks and vulnerabilities that need to be rectified in the application's development phase. CyRAACS will also offer a source code review of the applications in scope to ensure application quality assurance from the source code perspective.
The Process flow of an AA is exhibited below the Flow chart.
Step 1: The user registers with an Account Aggregator application providing his details.
Step 2: The user registers with a Financial Information User (FIU) to receive a particular service.
Step 3: The user links his Account Aggregator with the FIU application.
Step 4: The Account Aggregator authenticates the linking via OTP.
Step 5: Once the Account Aggregator is linked to the FIU application, The list of linked Bank accounts i.e., the Financial Information Provider (FIP) of the respective user is fetched by the Account Aggregator.
Step 6: The user Selects the specific FIP from the list of FIP fetched.
Step 7: An Authentication is done by the FIP via OTP to verify the user prior to sharing data.
Step 8: The User Review the Type of Financial Information to be shared, the purpose of sharing, and the duration of data being shared by the FIP to the FIU.
Step 9: Once the user accepts and proceeds, the requested financial data is shared by the FIP in an encrypted form to the aggregator which in turn is shared with the FIU.
The below picture depicts the AA ecosystems as of August 2021.
Keep Your Data Secure with CyRAACS Cyber Security Solutions. Our experts offer tailored solutions for businesses of all sizes. Contact us today!
APIs are the backbone of the internet, powering the applications and services that we use every day. With the rise of the API economy, there are now more APIs than ever before, and they are handling sensitive data. This makes API security more important than ever.
API is an acronym for “Application Programming Interface”. An API is an interface that allows two pieces of software to communicate with each other. It is a set of subroutine definitions, communication protocols, and tools for building software.
API security is the process of securing APIs from unauthorized access, use, or modification. It includes both the security of the data and code that make up the API, as well as the security of the API itself. APIs are increasingly being used by businesses to allow third-party access to their data and functionality. This can be done for a variety of reasons, such as allowing partners to integrate their systems with yours or allowing developers to build applications on top of your data.
However, this also opens the possibility for security breaches, if the APIs are not properly secured, then malicious actors can get access to sensitive and personal data. API security is important because it helps to protect sensitive and personal data.
The Importance of API Security
As per the Gartner Report – Predicts 2022, by 2025, less than 50% of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools. The report also states to further improve API security posture by developing a security strategy for threat protection, API security testing, and API access control that leverages newer approaches and vendor solutions.
9 Most Common API Security Threats and Vulnerabilities are:
While a breach of an API can lead to data loss, downtime, and loss of customers, the right API security solution will help you secure your APIs and prevent breaches. As per multiple industry surveys, for about 83% of companies, the question is not if a data breach will happen, but when. Usually more than once. When detecting, responding to and recovering from threats, faster is better. Organizations using AI and automation had a 74-day shorter breach lifecycle and saved an average of USD 3 million more than those without.
Not only are these breaches costly, but they're also becoming more sophisticated. API security is important because APIs are increasingly how businesses share data and connect with customers, partners, and employees. A breach of an API can lead to data loss, downtime, and loss of customers. That's why it's important to adopt best practices for API Security.
Here are some of the best practices for API security:
In this day and age, data is everything. Businesses rely on data to make decisions, large and small. This data is often stored in databases, which can be accessed by applications through an API.
An API can be used to access sensitive data; when you have an API, you are essentially sharing your data with the world. This means that you need to be sure that your data is safe and secure. Otherwise, a malicious actor could gain access to it and use it for nefarious purposes.
Keep Your Data Secure with CyRAACS Cyber Security Solutions. Our experts offer tailored solutions for businesses of all sizes. Contact us today!
Cybersecurity is at the forefront of technological colloquy, as information is the nucleus of the technological revolution, and the one who possesses information reigns supreme over the others. This information can be accessed and utilized against the owner of the said information by miscreants who would most likely profit from such actions. Although there are sundries of laws that prosecute such miscreants, it is the age-old saying that comes to mind that proves preventing a possible threat facilitated by a vulnerability in the system is better than mitigating its after-effects- “Prevention is better than cure”.
It is imperative to understand the distinction between a cyber-attack and a cybersecurity threat. A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. Whereas a Cybersecurity threat is a potential negative action or event facilitated by a vulnerability that results in an undesirable impact on a computer system or application.
There are millions of cybersecurity threats that people encounter on a daily basis whilst going about their day, it is estimated by a Clark School study at the University of Maryland that there are 158,727 attacks per hour, 2,645 attacks per minute, and 44 attacks every second of every day on average across the global spectrum. In fact, there would have been 189 attacks across the world by the time you read this sentence. These attacks are caused by exploiting vulnerabilities in the system and these weaknesses are termed threats. By the end of this article, you will have an introductory ode to the world of Cybersecurity threats, their inhibition, and mitigation.
The following are the main cybersecurity threats faced by individuals and organizations:
Malware is an all-encompassing term for a variety of cyber-attacks including Trojans, viruses, and worms. Malware is simply defined as code with malicious intent that steals data or destroys something on the system it is hosted on. The purpose of malware is to intrude on a machine for a variety of reasons. From the theft of financial details to sensitive corporate or personal information, malware is best avoided, for even if it has no malicious purpose at present, it could well have so at some point in the future. Downloading infected files as email attachments, from websites, or through filesharing activities and OS vulnerabilities. Clicking on links to malicious websites in emails, messaging apps, or social network posts are popular proliferation method.
Steps for mitigation of malware once the system is affected as stated by ncsc.gov.uk :
Phishing is when attackers send malicious emails, communications, or messages designed to trick people into falling for a scam. Typically, the intent is to get users to reveal financial information, system credentials, or other sensitive data.
Types of phishing attacks:
A password attack refers to any of the various methods used to maliciously authenticate into password-protected accounts. These attacks are typically facilitated through the use of software that expedites cracking or guessing passwords.
There are three common methods employed to authenticate passwords:
DDoS Attack, also known as a "Distributed Denial-of-Service (DDoS) Attack," is a type of cybercrime where the perpetrator overwhelms a server with internet traffic in an effort to prohibit users from accessing linked websites and online services. This attack preliminarily focuses on disrupting the service of a network, and usually involves sending a high volume of data through the network until it gets overloaded and no longer functions.
An attack in which an attacker is positioned between two communicating parties in order to intercept and/or alter data traveling between them. One major occurrence of Man in the Middle attacks is active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Methods involved in Man in middle attacks:
A drive-by download is when malicious code is unintentionally downloaded into a computer or mobile device, exposing users to various hazards. The malicious code is designed to download malicious files onto the victim’s PC without the user being aware that anything untoward has happened. A drive-by download abuses insecure, vulnerable, or outdated apps, browsers, or even operating systems.
Website owners can prevent drive-by downloads by doing the following:
Endpoint users can prevent drive-by downloads by doing the following:
Malvertising, often known as malicious advertising, is a relatively recent cyberattack method that involves embedding malicious code in online advertisements. These infected ads are typically delivered to customers through reliable advertising networks, making them difficult for both internet users and publishers to detect.
In a malvertising attack, harmful code is injected into networks of trustworthy internet advertising. Users are often redirected to fraudulent websites using the code.
Malvertising is typically confused with ad malware or adware—another form of malware affecting online advertisements.
How can end-users help mitigate malvertising?
How can publishers help mitigate malvertising
Rogue security software is a type of malicious software and online fraud that tricks consumers into thinking their computer has a virus and tries to persuade them to pay for a phony malware removal program that in fact installs malware on their computer. Mobile applications known as "rogue apps" are created to spoof well-known businesses in order to obtain illegal access to data that may be used to carry out fraudulent operations.
Practice online skepticism. Be aware that rogue security software does exist on the Web, and be vigilant about avoiding it. These programs are designed to appear genuine – meaning they may mimic legitimate programs, use false awards and reviews to rope you in, or employ other deceptive tactics. It’s also a good idea to familiarize yourself with common phishing scams and to be cautious of links in e-mail messages and on social networking sites.
The banking sector has been at the heart of the Indian economy contributing to more than 40% of the GDP and lending or credit is what fuels the Indian economy contributing more than 60% of the GDP. Digital lending is the new buzzword in banking, where people mean different things. So let us understand what RBI has mandated in its guidelines on Digital Lending.
Before we understand what digital lending is, let us understand what lending is. Simply put, lending is when a lender provides funds to someone who wants to borrow it (usually at a fixed interest rate) and the borrower agrees to pay back the borrowed amount with interest. It's essentially trading future income for current access to money.
Banks are in the business of collecting our deposits and lending them to those who want to borrow. However, there are many who find it difficult to access loans from banks for various reasons. Maybe they don't have an established credit history, maybe they don't live in regions where the bank operates, or the bank deems the interest too high to provide a loan, etc. So, there is a gap that banks cannot reach and as a result, many digital lending platforms have emerged to serve this segment.
What does the Reserve Bank of India (RBI) think of these digital lending platforms? That's an important question for a startup. Any guidance from RBI on matters such as these is valuable since we will have to first understand it and then live with the regulations at the time of scaling the business.
So, let us see what RBI has to say on digital lending in the guidelines on Digital Lending issued on 2nd September 2022.
The purpose of the guideline ( Number CRDIR/DGL-19/02.01.002) is to inform applicants proposing to set up non-bank digital lending platforms about the criteria the Reserve Bank would use to assess their proposals.
The guideline is interesting as it shows the thinking perspective of RBI to explain its views and concerns. Let us try to summarize the key pointers from the guideline.
On June 20th, RBI issued a direction disallowing non-banking Prepaid Payment Instruments (PPI) from loading credit lines on the PPI. This bans PPI wallets from being loaded with credit lines/credit cards.
BNPL is short-term financing for consumers who can buy products and get short-term credit and pay later for the credit taken. Well, isn’t that what credit cards are used for as well? The concept of BNPL is similar to that of credit cards wherein a consumer makes a purchase through a credit line and the payment is done later- quite literally “Buy Now, Pay Later”. The BNPL market has grown a massive 539% in 2020 and 637% in 2021.
Credit Cards are given to individuals with a minimum average income of INR 1-3 lakh per annum. Eligibility for a credit card is based on multiple parameters age, salary (ability to repay), type of employment, and credit score. RBI has definite directions for the issuance and operations of credit cards.
There aren’t instruments to finance instant loans without an elaborate process. This is where BNPL comes in. Unlike for credit cards, BNPL issuers do not require credit score and other stringent checks prior to onboarding. This makes credit more accessible. While cursory checks are being done on the spending pattern of customers, it taps on the customer’s ability of immediate spending.
Another difference is that credit cards require a joining and/or an annual fee, while BNPL cards do not levy any such charges/hidden charges on the consumers. That means that all is great if consumers pay their bills on time, however, failing so, the issuer will charge a delay fee. Additionally, the BNPL service is fast and easy to set up as the approvals are almost instant and offer easy repayment options with EMI.
In the past month, the number of credit cards issued was recorded as 15 Lakh, while 20 Lakh BNPL accounts have been opened. This jump seen in the BNPL market made the traditional credit card issuers jittery. The credit card market is currently operated by major banks in the country.
While all seemed to be a fairy tale and a bed of roses for consumers and BNPL entities with heavy investments flowing into the market, the Reserve Bank of India (RBI) threw a bombshell that may have put BNPL entities in the backfoot. The RBI notification restricts non-banking Prepaid Payment Instruments (PPI) from loading credit lines on the PPI. This bans PPI wallets from being loaded with credit lines/credit cards through financing done by NBFCs.
Most popular BNPL players operate using banks’ license/banks’ NBFC license. Alternatively, banks hold PPI license. On the PPI wallet, a credit line was given which was not in line with the PPI directions from RBI.
The main concern that RBI has raised is the lack of clear guidelines/regulations around BNPL. The main focus with which RBI has been operating in the protection of consumers. While consumers seem to be enjoying it, BNPL as a business does not seem viable unless properly regulated over and above the credit card market.
Unlike concerns raised by some on RBI’s stand, the regulatory body has indeed mentioned BNPL in their
“Payment Vision 2025” was released in June 2022. As per the vision document,
BNPL should be:
The Current Market: Its Ups and Downs
Quite a positive right?
But here’s the catch! BNPL is risky lending and there has been a rising trend of defaults accounting for about 18-19% of delinquencies. One main reason that can be attributed to this trend is the provisioning of BNPL cards to Millennials and GenZ as several of them are unemployed, are studying, or are employed but do not have the ability to repay (as per stats in the US BNPL market). This in turn creates a debt trap for consumers as they tend to pay back the existing loans with further credit lines, while the expenses continue to pile up. India is a savings-based economy, contrary to other countries such as the USA, which is credit based.
On the contrary, below are the downsides of BNPL:
The business model is quite ambiguous for BNPL players. Also, as mentioned above, there isn’t a mechanism in place currently to link BNPL defaults to the credit score. Above this, BNPLs adopting AML and Fraud Risk mechanisms within their system is not transparent.
BNPL Stats across the Globe
Recently, OpenPay, a BNPL company in Australia paused operations in the USA due to defaults and rising interest rates. Klarna, another fintech in BNPL has lost its valuation from $45 Billion to $6.5 Billion in the last round of funding and another Australian BNPL firm has lost its valuation to $300 Million from $9 Billion.
Fintechs and BNPLs shouldn’t worry yet as it’s a wait-a-watch game with RBI. The aura in the market is that the central bank will issue new guidelines for the BNPL segment that will not only regulate the sector but also reshape it all together with a focus on consumer protection, risk management, and overall security.
The Indian Fintech and BNPL spaces are nascent and not very mature. The regulator has put in some basic controls at this point in time to ensure that the consumer is not affected by a debt trap, at the same time realizing that for having a spending economy, these kinds of instruments are necessary. The balance may tilt from one side to another every now and then, but at this point, we are poised for some more interesting creative fintech instruments coming in with the regulator constantly on the catching-up game.
The cyber security threat landscape is rapidly evolving. Increasingly sophisticated attacks, multiple threat actors, strict regulations on security and privacy, and new-age trends on BYOD, remote working and growing adoption of cloud, and digital transformation initiatives are just some of the varied challenges that Information Security teams face. And the lack of adequate skilled resources compounds these challenges to manage various security responsibilities.
As news comes in every week of more cyber-attacks, Chief Information Security Officers (CISO) are searching for solutions and measures to improve their organization’s cyber security posture. Often, solution providers pitch various solutions/technologies to solve these challenges. Information Security teams assure that these solutions, with built-in next-gen features, can flag attempts to disrupt business, prevent attacks and minimize impact.
But multiple studies and industry surveys over the years have shown that procuring and implementing a solution does not mitigate the threat on its own. Often these implementations face challenges like high costs, lack of skilled resources to manage the solutions, poor or inadequate configuration of policies, absence of integration with other solutions, insufficient supporting workflows, and processes, and so on.
So, if just buying a solution and implementing is not enough, where does one start? The answer is Security Architecture Review — an activity that can help organizations understand their security threats and identify which solutions can mitigate these risks. The complex nature of the IT infrastructure of organizations today means that a thorough review is needed to identify the critical security risks and the solutions to address them.
Security Architecture Review is a holistic review of security that covers networks, Data, Applications, Endpoint, Cloud, etc. It identifies gaps in your Architecture, Policies, and Controls that may put your critical assets at risk from attackers.
So, what does a Security Architecture Review involve?
Security Architecture Review begins with a study of the Business and IT environment of an organization and the key security and privacy requirements that are mandated by clients and regulations like GDPR, CCPA, PCI DSS, etc. Organizations wanting to adopt best practices can look at information security and data privacy standards and frameworks like NIST 800-53, ISO 27001, CSA STAR, etc.
Identifying security and privacy risks is the next critical step as Information Security teams need to know what assets, applications, and processes need stringent controls and monitoring.
The next step is to study the existing architecture for network and security, understand cloud adoption, study existing solutions for security for design and implementation effectiveness, and identify gaps. We also recommend assessing the configuration of key solutions to understand the implementation effectiveness and identify any gaps.
After studying architecture, it is important to assess the current solutions implemented and their design effectiveness as per the security domains such as Access, Patch, Monitoring, etc. This helps in identifying the solutions that address various security and privacy risks.
After identifying the gaps, it is important to identify the right solutions to mitigate the gaps and address critical risks. Again, the solutions must address a few key criteria–risk mitigation, compliance management, integration with other solutions and interoperability, monitoring capabilities, and the ability to provide detailed reports as per organizational policies.
While identifying solutions, one must also consider the state of the infrastructure–On-prem, cloud or hybrid. One must also look at security components that are provided by Cloud Service Providers.
The end-state architecture must comprise solutions that offer protection from critical risks, integrate with other solutions deployed to provide relevant alerts and minimize the impact of any attack. Finally, one must also fortify the Information Security team with Subject Matter Experts (SMEs) who will manage the solutions.
No matter how secure your organization’s cyber defenses maybe, a Security Architecture Review (SAR) can identify potential vulnerabilities and recommend countermeasures. The process begins with an assessment of your current state of security, followed by the development of a roadmap for improvement.
A SAR is especially important in the current environment, where cloud security services are becoming more popular. By definition, the cloud is a distributed system that spans multiple data centers and devices. This makes it more difficult to secure and increases the risk of data breaches.
Fortunately, many Cyber Security Companies in Bangalore offer SAR services. They can help you identify and mitigate vulnerabilities in your systems. Reach us for more information at [email protected]
Fifteen years ago, cloud infrastructure was a new and untested concept. Today it is the dominant form of data storage and computing services. With this shift, cybercriminals have also found ways to make their attacks more effective for smaller organizations. To prepare for the coming year, we have compiled 5 benefits of cloud infrastructure security in 2022.
It is important for all internet-connected devices to be secured by the most advanced cybersecurity solutions. The rise in smart home IoT devices has created more potential points of vulnerability for security breaches. The cloud moves changes data from a centralized data center to a decentralized storage service, which is considered a key differentiator when it comes to network security. Cloud infrastructure security providers must have the ability to not only protect corporate networks but individual users as well, with a focus on privacy and control.
Companies are realizing the benefits of cloud infrastructure. They are quicker to scale, cheaper to maintain, and more flexible. Many organizations are considering adoption due to these reasons. One thing to keep in mind is that all companies face new security threats as they move their operations into the cloud. If you don't already have a robust cybersecurity strategy in place, now's the time to make sure you're covered before jumping ship.
Cloud Infrastructure Security 2022 may be the best option for companies looking to cut costs while simultaneously improving their existing security measures. Public cloud computing has become an increasingly popular alternative to on-premises private cloud deployments. Public cloud deployments offer several benefits over on-premises deployments, including lower upfront costs, elastic scalability, and the ability to scale up and down as needed.
Disaster recovery processes have improved dramatically in recent years with the advent of cloud infrastructure security services. These services are cost-effective for businesses that are looking to grow, improve their customer retention rates, or want to reduce their capital expenses. These services affect all levels of the cloud infrastructure from firewalls and network security to data storage and encryption. In particular, the availability and affordability of cloud infrastructure security services have allowed companies to focus on their core business.
Economic growth has seen many benefits since the introduction of cloud infrastructure. One of the most prominent advantages is that it has helped to create jobs in the technology sector, which in turn has created more competition in an industry with high barriers to entry. Cloud data storage has allowed organizations to save money on hardware and operating expenses, while also allowing them to access their information anywhere they need it.
Cloud infrastructure security is a complex and diverse field. The number of IT professionals who specialize in cloud infrastructure security is growing at an exponential rate, but the demand for qualified talent outpaces supply. It's important for organizations to make sure they have a comprehensive understanding of what cloud infrastructure security entails and how it can add value to their company.
Cloud security services are very important for businesses that want to keep their data safe. There are many cloud security companies in Bangalore that can help you with this. Cloud computing allows you to store your data in the cloud and access it from anywhere. This is very convenient, but it also comes with some risks. It’s important to make sure that you choose a reputable cloud security company that will keep your data safe.
Executive leaders of organizations and board members are ultimately responsible for ensuring the long-term security of their organization, and it helps in mitigating cyber risks. As board members realize how critical risk and security management is, they ask leaders more nuanced and complex questions. Interest in security and risk management (SRM) is all-time high at the board level. In 2019, Gartner conducted the security and risk survey and realized that four out of five respondents noted that security risk influences decisions at the board level.
The Gartner research helps security and risk management leaders analyze five categories of questions that should be prepared to answer at any executive or board-level meetings. Here are those questions.
Let’s discuss each of these in detail.
The Trade-Off Question - Are we 100% Secure?
The trade-off question is that the security and management risk leaders struggle a lot. The question "Are we secure?" needs improvising and is generally asked by the board members who are uneducated and unaware of the impact of security risks on the business. In this scenario, it is impossible to prohibit 100% of the incidents. The CISO's responsibility is to help identify and evaluate the potential risks for an organization and allocate resources to manage them.
According to Gartner's report, a security and risk management leader in response to this question might say,
"It is impossible to remove all resources of the information risk considering the evolving nature of the cyber threat landscape. My responsibility is to work with other aspects of the business to execute controls for managing security risks that can prevent us from improving operational efficiency and brand image. There is no such thing as 'perfect protection' in security. We have to reassess continually how much risk is appropriate as the business grows. We aim to develop a sustainable program to balance the requirements to protect against the needs to run a business”.
The Landscape Question - How bad is it out there?
Most of the board members want to know their security compared to peer organizations. They read threat reports and blogs, listen to the broadcast, and even are forced by the regulation to understand such things. Gartner recognizes the need to discuss this landscape. Leaders need to avoid trying to quantify risks to possible extent and attaching certain budget figures to the mitigation cost depending on something external. Moreover, when benchmarks give some material for conversation, they must be a negligible factor in the decision-making process.
Here are some responses that security and risk management leaders can give while discussing the wider security landscape.
External Events | Responses |
Our primary competitor experienced a public, successful attack. | We have a similar vulnerability that can facilitate the attack, and we are addressing that weakness. Enhanced monitoring abilities have been implemented. |
There is an increased number of attacks against the electricity grids in three of the national presence points. | We don't expect to become a direct target. Business continuity plans are being tested and updated to overcome the prolonged outage. |
We fall under the scope of the new EU General Data Protection requirements. | We have conservative and cautious privacy practices in place. |
The Risk Question - Do we know what our risks are?
A risk outside the tolerance needs an antidote to bring it within tolerance. It does not require dramatic changes in a short time, so beware of overreacting. In the Gartner report, they present a way to defend the risk management decision, and you can change it according to your organization's risk tolerance.
One of the most common issues encountered in the report is that the evaluations are subjective and depend on flawed methodology. Security leaders must have evidence to support the evaluation, even when they are not called to present it. Another aspect that needs to be considered is whether to depict the typical outcome or the worst. For instance, most incidents in mild outcomes are within the ability of most companies to absorb. However, there is an infrequent incident that can result in a catastrophic outcome.
The Performance Question - Are we appropriately allocating resources?
Security is always a moving target. The security team needs to demonstrate their behavior to ensure the organization stays safe. It is particularly important to figure out if the resources are allocated appropriately and where the money is spent. The original strategy proposal should have margins for errors concerning the deadline and the budget. As far as there are overruns within these margins, they must be noncontroversial.
There may be valid reasons even if the overruns are outside the margins. The balanced scorecard approach is a way to understand how security contributes to business performance. In this approach, the top layer defines the business aspiration, and organization performance against those aspirations is expressed using a traffic light mechanism. However, it's not the only way. Some organizations have different types of dashboards to discuss business performance.
The Incident Question - How did this happen?
An incident is unavoidable, and treatment is a blessing in disguise. Security and risk management leaders should be aware that in some scenarios, incident details may have been tightly controlled (such as sensitivities associated with the incident). Using the fact-based approach and explaining your knowledge will eliminate the mystery and give confidence that you have control over the incident. Acknowledging the incident provides details on the business impact, outlines the flaws or gaps needed to work out, and offers a mitigation plan.
Decipher Complex Board Question
There are usually no deterministic answers to the board question, and responses are generally more about showing options for sponsorship instead of a definitive course of action. The options can vary based on the context of the discussion, the maturity of the board, the communication skills of the SRM leader, and the frequency of reporting. However, understanding and answering board questions require everyone to understand their roles. Therefore, the SRM leader should know that the board is interested in facilitating the business goal. Any query that may seem immature, ignorant, or complicated has a purpose behind it.
Wish you all a very happy 2021 and be a year filled with success, good health, and happiness to you and all your loved ones. With the year 2020 and the pandemic overwhelming us, we must be conscious of the increase in cyber security threats that are looming in front of us. Here are a few thoughts and considerations for the unenviable role of the CISO for a great start to 2021!
Make the management part of your problem
Senior management does not know the technicalities of how the breach occurs, nor they should need to know. However, they should be clearly aware of the risks thereof. Ensure that the senior management/ board is completely up-to-date of all risks. Increase your frequency of meetings and provide a crisp update of the open risks and how you are working to mitigate them with clear established timeline and dependencies. Costs and budget overruns should be highlighted ahead of time. Bring in business-friendly and business-relevant cyber security metrics and report them periodically. This way the management is more forthcoming in providing the necessary authority and help prioritize your initiatives.
Get the Appropriate Budget
Budget definition and allocation on a percentage of IT spend, a percentage of cost of breach, a percentage of business growth YOY – various models exists. While each has its benefits and pitfalls, the budget should be commensurate with your risk appetite. Continuing from the point above on having the management ‘onboard’ on cyber security initiatives will pave a long way in ensuring that an appropriate budget is allocated. Let us understand one thing clear. The world expects ‘more’ with ‘less’
Clearly Identify your Security Partners
One of the top fields where the skills available and the market-needs gap is widening. It is expected that with the CAGR of 17% in cyber security (products and services), this area can become the CISO’s nightmare quickly. Relying on experts to do the job is also essential. This can be problem-solved by engaging the right eco-system partners to do your job. Security technologies, security governance, security operations are niche areas and picking the right partner will ensure that they stay with you and provide you the much-needed assurance and help address your problem by bringing in the right skills. Remember, it is not required to boil the ocean.
Evolve Your Security to Protect Your Remote Infrastructure
Secure your remote workforce by proactively protecting against zero-day malware and phishing, consider human and technological factors to avoid falling victim to phishing attacks. In response to the coronavirus pandemic, Gartner analysts observed a more than 400% increase in client inquiries related to remote access technologies for the months of March, April, and May in 2020, compared to the previous three months. Furthermore, a recent Gartner survey reveals that 41% of employees are likely to work remotely post coronavirus pandemic.
Continuous Monitoring for all Critical Assets
90% of breaches in cloud-based infrastructure were due to configuration-related issues. Periodic assessment ( like once a year, once a quarter) may not be sufficient in today’s scenario. The new buzzword is continuous monitoring. Continuous monitoring of critical assets would be an aid to enable rapid detection of compliance issues and security risks within the IT infrastructure that could lead to compliance violations. This would help understand real-time changes to the infrastructure and with a good threat intelligence feed it is possible to address zero-day attacks with much robustness with effective continuous monitoring.
Please reach out to us to know more about this to [email protected] or personally to me at [email protected].
Governance, Risk, and Compliance (GRC) plays a pivotal role in organizational success by providing a structured and integrated approach to managing an organization's overall performance, addressing risks, and adhering to
Compliance with government laws, regulations, and rules is essential for all organizations. A regulatory requirement is a directive imposed by a government entity on an organization.
In today's dynamic business landscape, organizations face an ever-increasing array of challenges, from regulatory compliance and cybersecurity threats to operational risks and data privacy concerns. To navigate
Information security is a critical concern for organizations in the digital age, as the proliferation of data and technology brings new vulnerabilities and threats. To safeguard sensitive information, organizations must conduct information security risk assessments. This comprehensive guide will walk you through the key steps and best practices involved in
Purchasing ISO 27001 document – Your organization must purchase the ISO 27001 document and understand how to implement a structed ISMS for your organization. This will help your organization to understand why the controls are necessary and how they can be implemented to mitigate risks.
In the age of digitalization, where personal data has become a valuable commodity, the need for robust data protection laws has become increasingly crucial. Recognizing this need, India has enacted the Digital Personal Data Protection Act, 2023 (DPDPA), marking a significant milestone in the country's data
The General Data Protection Regulation is a law that was enacted in 2018, it has transformed the way businesses worldwide handle and protect personal data. With stringent requirements for data privacy and security, GDPR compliance is essential for organizations that collect, process, or store
In today’s ever-evolving cyber and risk landscape, information security has come to the forefront to combat the sophistication of cyberattacks and the constantly changing technology framework. Two widely recognized information security standards stand out in this arena: ISO 27001
Embarking on the journey of Governance, Risk Management, and Compliance (GRC) is a significant step for any organization in today's complex and highly regulated business environment. To thrive and ensure sustainable growth, businesses must proactively address governance issues, manage risks, and meet compliance requirements. In this article, we will guide you through the crucial steps […]
In the ever-evolving realm of cybersecurity, organizations face an unceasing challenge to secure their digital fortresses. A mid-sized financial services firm prides itself on its commitment to safeguarding customer data and financial assets. However, recent cyber threats have escalated, and the firm is keen to ensure that its cybersecurity defences remain
In today's digital age, where data is the lifeblood of business operations, protecting sensitive financial information has never been more critical. The Payment Card Industry Data Security Standard (PCI DSS) was established to ensure the secure handling of card data, and compliance with this standard is mandatory for any organization that processes cardholder information. Achieving […]
In today's dynamic business landscape, internal audit plays an even more critical role due to the complexities and the increased emphasis on
Application Programming Interface or API serves as a data connection that facilitates the sharing of data with other applications. In today's rapidly evolving digital landscape,
Lok Sabha passed the Digital Personal Data Protection Act – India (DPDP Act) - August 2023 , India’s 2nd attempt in framing a privacy legislation.Aug 2017: Privacy as a fundamental right reaffirmed in Justice KS Puttaswamy vs Union of India by SC Justice Srikrishna Committee constituted to examine data
The Reserve Bank of India (RBI) has introduced a draft master direction that covers various domains of cyber resilience and digital payment security.
Passkeys are a significant improvement over passwords. They are faster, more secure, and more convenient. Many brands will follow in supporting passkeys. I expect passkeys to become the standard for login security in the near future like how 2FA was adopted in the past.
The cybersecurity landscape is constantly evolving, and CISOs need to be prepared to defend against increasingly sophisticated attacks.
Regulated Entities (Res) outsource a substantial portion of their IT activities to third parties, which exposes them to various risks. RBI released a finalized version of Master Direction on Outsourcing of Information Technology Services on April 10, 2023.
Portfolio managers work closely with their clients to understand their financial goals, risk tolerance, and investment preferences.
The GISEC 2023 event is scheduled to be held in Dubai World Trade Center, United Arab Emirates, on 14, 2023 to March 16, 2023.
The RBI announced the launch of the first pilot for retail digital Rupee (e₹-R) on December 01, 2022. It has commenced the pilot in the wholesale segment from November 2022.
An Account Aggregator shall transmit the financial data pertaining to the user only after receiving formal consent from the user
APIs are the backbone of the internet, powering the applications and services that we use every day
In order to protect your business from common cybersecurity threats, it is important to be aware of the different types of attacks that exist and how to prevent them
Read what RBI has to say on digital lending in the Guideline on Digital Lending issued on 2nd September 2022
The concept of BNPL is similar to that of credit cards wherein a consumer makes a purchase through a credit line and the payment is done later
Security Architecture Review is a holistic review of security that covers networks, Data, Applications, Endpoint, Cloud, etc.
Companies are realizing the benefits of cloud infrastructure. They are quicker to scale, cheaper to maintain, and more flexible.
Executive leaders of organizations and board members are ultimately responsible for ensuring the long-term security
With the year 2020 and the pandemic overwhelming us, we must be conscious of the increase in cyber security threats that are looming in front of us. Here are a few thoughts
Global situations relating to the COVID-19 pandemic have impacted the business and has also impacted the work of auditors. The current situations challenge the conventional
According to the statistics 73.2% of the most popular WordPress installations are vulnerable till date. These can be identified using automated tools and can be exploited.
Blockchain is an emerging technology that is quite popular nowadays due to the popularity of cryptocurrency. The blockchain contains a list of records or blocks which are linked using
Malvertisements are a malicious advertisement distributed in the same was as a legitimate online advertisement. It is one of the common practices to use spread malware.
CyRAACS is a great place to work because every day provides an opportunity to learn something new, to mentor and to be mentored to achieve our client’s goals.