Privacy paradox is an interesting term. It attempts to describe the contradictory behavior displayed by online users when it comes to data privacy. On one side, users are much concerned about their privacy; namely, how their personal data that is captured, stored or transmitted. On the other hand, their actions don’t reflect those concerns, as they seem to prefer convenience over privacy. The best instance of this paradox can be illustrated by how users opt for passwords for different website logins. Now, we all know that to dissuade hackers, an alphanumeric password of at least 10-12 characters is the optimum one.
Additionally, one should have different passwords for different logins, to ensure that exposure of one login id will not result in the revelation of the rest. More importantly, saving passwords in your browser is a definite no-no. Yet, not many people seem to follow these best-practices. If they are coerced to formulate a secure alphanumeric password, they will tend to use the same for all the logins, and also have no issues in saving these passwords in the web browsers. This happens because people tend to overlook long-term risks in favor of short-term convenience.
The curious thing about the privacy paradox is that it not only afflicts individuals but even enterprises. The essential difference is that the contours of the dilemma faced by the corporate is far more complex and has many dimensions. An enterprise has to continually evaluate the benefits of conveniences with the threat of attacks and formulate a strategy. For instance, to boost employee productivity, they need to seamlessly collaborate over the cloud, using different applications or tools. But then, using third-party solutions can increase the vulnerability of corporate data; hence these applications need to be adequately whetted before being allowed. Thus, restrictions and firewalls are necessary to ensure better security and collaboration.
Hence, every enterprise is keen and relentlessly working towards striking a right balance between security, privacy and convenience. The employees and customer seek convenience, the CISO vouches for security, and compliance pushes for privacy. Harmonizing all these concerns and aligning them to business needs is the only way that enterprises can move forth. Let’s take a look at these issues in a bit more detail.
Understanding the security aspect
Security as a topic and a concern area has undergone much change over the past two decades. Back in the early days, when I started in this sphere, security was treated like an externality. Firewall and anti-virus were the be-all and end-all of enterprise security. Companies that had them in place felt secure and safe. To be fair, the threats to security were not that sophisticated either. In fact, hacking was not always a hated term; there lived a breed of hackers who seemed to live by an ethical code — a sort of omerta. But then, all seemed to change quite dramatically in a short time.
Hacking was no more about sophistication but exhortation. Starting in 2010, a new wave of attack emanated, called ransomware, wherein, a user would need to pay the hacker a certain sum to save files on their compromised system. The most famous instance of this ransomware was the WannaCry, which spread across the world in 2017. The attack infected more than 2 lakh computers in over 150 countries, making it the biggest ever. But that was just the beginning. In the same year, came the NotPetya attack targeting some of the biggest businesses. The total damages related to NotPetya are believed to be around USD 10 Billion. Enterprises were jolted out of their trance by these attacks. Suddenly, security was not an externality; it became the core.
Companies across the board started to invest in technologies and systems that safeguarded the corporate crown jewels, namely the data center. The board got involved, the management was keen, experts were brought in, and the regulatory framework was strengthened. All of this contributed to making companies resilient to cyber threats.
This is the very reason why most organizations have been able to do transition in the new scenario created by Coronavirus pandemic. The security systems and protocols have been in place for quite a few years. For the BFSI sector, compliance has been another important factor for putting in the control mechanisms. In my opinion, the Gopalakrishna Committee Report on IT by the Reserve Bank of India (RBI) was a landmark shift. This report in 2011, gave recommendations on information security, electronic banking, technology risk management and cyber frauds. The next big event occurred in 2016; when the RBI came out with the Cyber Security Framework. As per the guidelines, banks would need to put a cyber security policy, separate from their IT policy, and get it approved by the board. Banks were also required to appraise the RBI, of the measures undertaken. There were in total, 24 baseline controls, which were listed as critical aspects for enterprise security. I had the good fortune to work indirectly in the formulation of these baseline controls.
Thus, compliance in many ways can be an excellent catalyst for the implementation of security controls and has been so in the banking sector.
Think like an airport
One of the questions that get often asked is how secure is secure enough? The simple answer to that one is that one can never be secure enough. Security is an evolving landscape. The threat vectors are continually evolving, and the attacks are getting sophisticated. This means that as an enterprise, it should not only look to forestall any attacks but also create capabilities wherein any attack could be confined or isolated. One needs to have levels of security, quite like the seven layers of the OSI model.
And this is where I would like to draw the reference to a traditional airport. Let me illustrate the analogy; imagine an airport as an enterprise. There are multiple entry points and multiple exit points at the airport. The outer perimeter is guarded strongly, with barricades, bollards and armed guards. Then you have the entry gate that only allows you inside based on identity authentication. Even when you are inside, there are still more levels of security; the security gate, the boarding area, and even the aerobridge. Thus, even if one level is compromised, the management can isolate and deal with it. Similarly, enterprise security also must be designed on different levels to ensure that there are multiple check-points.
Just like the airport, which has a no-trust policy, similarly, enterprises should also adopt a zero-trust approach.
Another aspect that needs to be kept in mind is that rather than going in for a single solution from a single vendor, it is better to have multiple partners collaborate to create a robust mesh. Each security provider has one or two specialties; companies should tap these specialties. Remember, security cannot be a one fit all exercise; it needs to be crafted as an intricate circuit, that is at the very heart.
The person is the key
Recently, the SANS Institute, world’s premier provider of cyber security training and certification services, was hacked and lost approximately 28,000 items of personally identifiable information (PII) in the data breach. Can you guess how the breach happened? Due to a single staff member of the Institute falling victim to a phishing attack. And forget SANS Institute, even Twitter hack was because of vulnerability on the employee side. Digital security is great, the tools might all be in place, but usually, the critical vulnerability is the human-error. I remember reading an analyst report, which suggested that almost 70% of attacks on enterprise systems take place due to laxity on the employee side. It could be an unpatched machine, or a phishing click-bait, or even a social-engineering attack; there are plethoras of ways in which attackers can enter into the systems.
Hence, it is essential to educate and sensitize the employee. They must be apprised of the latest trends that taking shape around the world. Frequent mystery audits must be carried out as part of sensitization exercises. This is all the more relevant in our current times when Work From Home is the norm, not the exception. With people accessing corporate systems from their home laptops or over shared Wi-Fi, the vulnerabilities have increased manifold. In such a scenario, the onus is on the security department to not only ensure a safe environment for seamless WFH but also to appraise the remote-worker against threats that might harm his/her systems.
In the end, balancing security, privacy and employee/customer convenience is not all that difficult, if approached in the right manner. Yes, there are challenges like the privacy paradox, but then we also have high-end technologies to deal with such scenarios like Artificial Intelligence, Machine Learning or even Blockchains. These all solutions are helping companies face the challenges upfront. My advice to all CISOs and enterprises is pretty simple; stick to the basics, and ensure no slip-ups. All the rest will fall in place.
The author is CISO at Airtel Payments Bank