The pandemic has pushed the corporate workforce to remote locations, which has resulted in increased risk to corporate data. As corporations rise to the challenge of responding to this risk, compliance officers, CISOs, and leaders should look to revamp disjointed and siloed approaches to protecting corporate data. The past few years have seen a notable expansion of trade secret laws resulting from a new federal trade secret act in the U.S., the passage of stricter trade secret regimes in Asia, and the harmonization of trade secret protection in Europe with the EU trade secret directive. With these new laws has come a noticeable uptick in trade secret civil and criminal cases. Like traditional compliance risks, theft or loss of information can lead to loss of valuable R&D, business disruption, loss of competitive advantage, reputational damage, and – if an employee improperly uses a third-party’s trade secrets – costly civil or criminal litigation. While ransomware, hacking, and phishing schemes often get the most news coverage, insider theft represents the vast majority of data loss.

The Importance of a Cross-Functional Team Approach 

In our view, a Chief Information Security Officer cannot – on her own – sufficiently mitigate the risks posed by insider threats. The task of building and maintaining a robust information security system to mitigate against internal theft requires cross-functional input, execution, and maintenance. While the critical work of protecting infrastructure and equipment is led by the Info Security team, IT, Human Resources, Legal, and other functional groups have a role to play in successfully protecting the company’s resources. This is especially true as it relates to insider threats, where a company’s own employees or trusted partners steal, lose, or divulge the company’s information.

For example, Human Resources needs to be involved in the training, education, hiring, on-boarding, and off-boarding procedures. R&D and business leaders need to make crucial decisions about designation and access to confidential information. They should also be integrally involved in the design of information security systems and the execution of processes that build the systems. Legal needs to be involved in the drafting and execution of confidentiality agreements, supplier agreements, NDAs, as well as incident management, investigations, and pursuing potential legal remedies if and when theft occurs.

There also needs to be communication between and amongst these groups. For example, Human Resources may work with IT on credential management to disable access for departing employees, or alert Legal if an employee with access to valuable information resigns to work for a competitor. IT can advise whether company devices are still outstanding so that Legal can trigger an investigation, decide to preserve the employee’s devices, or send a letter to the new employer alerting them to the employee’s ongoing confidentiality obligations. However, in many companies these functional groups have not historically worked together to develop a cohesive, strategic, and tailored approach to data security. Instead, each group addresses the areas of the problem that fall within its silo, leading to inefficient and sometimes counterproductive outcomes. Additionally, some functional groups outside of Legal — such as Human Resources — are not trained on the critical role they play in data security, such as ensuring the prompt collection of a departing employee’s laptop, which can lead to data leakage or theft.

Companies have started to coalesce these different functional groups under a unified leadership structure. The implementations and reporting structures vary, from task forces to steering committees, to “trade secret leadership.” But the goal is the same: to align the functional groups to one unified and smart approach for protecting company assets and preventing employees from using or uploading confidential information belonging to a former employer. This “reverse threat” of a current employee bringing confidential information from a former employer into the business environment is a real risk. That’s because corporations are typically the “deep pocket” on the wrong side of a trade secret theft lawsuit. A cross-functional, unified approach to protecting corporate information will be viewed as a best practice.

Building an Operational Strategy

Companies spend significant amounts of money developing confidential and proprietary data and must implement security measures to protect that data from theft or loss. While many corporations focus their information security on outside cyberattacks, most data theft is committed by insiders. Because employees need access to corporate data to do their jobs, a company must consider which additional data security measures are necessary while still allowing employees to work. At the same time, there is an obligation to protect trade secret data, including, for example, tracking whether confidential or proprietary data leaves the system. This is not just a best practice; it is required. Trade secret regimes worldwide require a company to demonstrate that it took “reasonable measures” to protect its data before it can claim trade secret protection over that information. While “reasonable measures” is not a well-defined term, courts look at the overall robustness of an organization’s approach to data security to determine whether a trade secret right has been established.

To address this threat and ensure that reasonable measures are in place, we recommend a cross-functional team to develop an operational strategy. This high-level operational plan allows the team to identify risk and reach consensus on priorities, strategic response, implementation, responsibilities, and accountability. Building consensus around a well-thought-out approach – including identifying data protection strategies designed to protect data from insider threats and allocating resources – is a key step toward effective trade secret protection.

Further, a company’s ability to respond to data theft – and to minimize what can be catastrophic and costly consequences – depends on having implemented measures to detect, investigate, and contain such theft long before it occurs. The operational plan should address data theft response so that a company is well-positioned to respond swiftly and efficiently.

Focusing on Trade Secret Audits

We counsel clients to be proactive in protecting corporate data by conducting a data security audit to identify and protect confidential and trade secret information. The audit should not just focus on the technical aspects of the systems (though technical audits and strategic roadmaps are integral aspects of most information security programs), but also approach protection from a cross-functional, proactive perspective looking at preventing theft, detecting theft, and responding to suspected theft. By assessing the maturity of technical systems and processes and the human side, companies will be able to determine their risk to information theft more accurately and be well-positioned to mitigate that risk in a coordinated approach.

These audits involve identifying the corporate trade secret information, how the data is handled, and who has access to such data. The audits consider a review of the data security provisions in place to restrict and protect data, and a review of policies, processes, and procedures. Audits also include analyzing the enforceability of the company’s standard confidentiality agreements and assessing information security measures, including interviews with key stakeholders.

While the contours of such an audit vary depending on a company’s size, international presence, industry, type of workforce, nature of its trade secrets, and risk tolerance, all companies need to address this risk from the perspective of cross-functional groups.

Here’s a typical scenario. When a key employee is off-boarded, does HR ask probing questions about confidentiality and the employee’s next move? Does HR notify Info Sec when an employee has given notice so that heightened monitoring may be employed? Does R&D fully utilize logs and data access restrictions for higher prioritized information? Do the Legal and InfoSec teams have a protocol for investigating potential misconduct that maximizes evidentiary value while also preserving legal optionality? Have hiring managers been trained about the risks of soliciting competitive information?

The answers to these types of questions, and many others, have a direct bearing on the success or failure of a data security program, yet they may fall within the remit of several groups beyond the purview of the CISO.

Furthermore, systems or protocols to improve how the company answers these questions, or how it addresses data theft, require buy-in and implementation by employees outside of the InfoSec team. A company must take a cross-functional approach to data security to minimize data theft and to maximize its ability to respond to (and mitigate the consequences of) a theft that does occur.

As the workforce changes how employees interact with corporate data, companies should bring together the key stakeholders to develop an operational plan that addresses information security from insider threats, and conduct a trade secret audit to protect their valuable data.

Companies that bring teams together and form an operational strategy are more likely to protect data than the best-intentioned silo approach.

Courtesy: cisomag.eccouncil.org

In the past decade over 50 million micro, small and medium enterprises (MSMEs) have been formed in India. These MSME firms fuel the economy and contribute to economic growth. They are also a ripe target for cyber attackers: most of them are more connected to the internet than ever before, yet their cyber security capabilities are more limited than those of larger businesses.

Many MSMEs lack the technology, knowledge, and expertise required to deal with even relatively modest cyber security threats. One threat stands out above the rest: ransomware. Ransomware attacks are now commonly seen, and once infected, companies (especially MSMEs) are brought to their knees. These attacks impact MSMEs more than larger enterprises, simply because larger enterprises are generally better equipped to handle such an unforeseen event.

Who is at risk? The short answer: Everyone with a computer on the internet. Ransomware attackers often target essential and highly sensitive information from a wide range of data-centric businesses and industries including health care, law firms, KPO, BFSI and energy organizations.

Ransomware often infects its victims via the web or email. Web-based attacks tend to use drive-by exploits that target browser, platform or system vulnerabilities, or rely on malicious URLs that may redirect users to sites that host exploit kits. Email-based ransomware is generally used in targeted attacks, and relies on a variety of methods including phishing, spear phishing, malicious attachments, and URLs.

Online virtual currencies such as Bitcoin are the preferred methods of payment because they are not easily traceable. Yet paying the ransom offers no guarantee that the files will be unlocked, leading to loss of both data and money.

Traditional security solutions rely on static analysis and signatures to detect and block known threats. Ransomware attackers can easily bypass those defences. To reduce the chance of a ransomware attack succeeding, organizations need visibility into their internal system security levels and a strong understanding of the attackers’ tools, tactics, and procedures:

  • Email security as the first line of defence, to block ransomware distributed through email attachments and embedded malicious links.
  • Network security solutions such as advanced endpoint technology can identify an attack in progress and block further damage.
  • Backup strategies should be tested and evaluated regularly to ensure recovery is successful.
  • Copies of backups should be stored offsite in case onsite backups are targeted.

Disruptive attacks have become a legitimate issue, and businesses must plan and prepare accordingly. The best way to prevent a ransomware attack is to have the right set of controls in place: security awareness training for people, stringent security processes, and robust technical controls.

The Internet of Things (IoT) now has a pivotal influence on multiple sectors and is leading to the dawn of an unprecedented era of automation, in which billions of devices are connected to the internet and able to share information. This will undoubtedly provide a boost to technological innovation and foster path-breaking developments. It is estimated that by 2020 over 24 billion internet-connected devices will be installed.

The supply chain is no exception when every aspect of product development and delivery is being transformed, facilitated, and made more efficient through automation and integrated intelligence.

IoT empowers supply chain and logistics management

IoT technology has been a major differentiator in supply chain and logistics. Whether in warehouse management, fleet management, delivery or shipment, IoT has made a major impact on this field.

Today, many firms are extending Internet of Things (IoT) devices into their supply chain to improve productivity and customer service. Sensors, communication devices, analytics engines, and decision-making aids are being employed to improve the efficiency of fleet management services, schedule optimization, routing, and reroutes due to adverse conditions. The IoT provides real-time tracking solutions and instant inventory visibility.

Risks in Supply Chain Management

However, as firms use the IoT to expand their reach into the supply chain, they also increase their attack surface and their potential loss of proprietary and sensitive data. Information systems store data and pass it between potentially thousands of devices that may have exploitable vulnerabilities; a poorly designed architecture could give attackers the ability to disrupt, destroy, or steal vast and valuable stores of corporate and personal data.

The major security risk associated with the IoT comes from its interaction with physical processes and from content leakage. Specific to the supply chain is the issue of data leakage, where content becomes visible to attackers through either malicious or unintended means. Because manufacturers build devices to different standards, further problems include a lack of device interoperability, devices interacting unintentionally and even posing a risk to user safety, and devices constructed from cheap or inferior hardware that may contain malware.

IoT sensors are also particularly susceptible to counterfeiting (fake products embedded with malware or malicious code); data exfiltration (extracting sensitive data from a device via hacking); identity spoofing (an unauthorized source gaining access to a device using valid credentials); and malicious modification of components (replacement of components with parts modified to generate incorrect results or allow unauthorized access).

Risk Mitigation

Cyber security measures should be considered throughout the lifecycle of an operation—including planning, architecture and design, implementation, testing and migration.

There are several international and national standards documenting cyber security capabilities, policies and practices. Experts recommend the following three as essential to creating a good foundation for an IoT/cyber security strategy:

  • International Electrotechnical Commission (IEC) 62443: Industrial Automation & Control Systems Security
  • National Institute of Standards and Technology (NIST) 800-82: Guide to Industrial Control Systems (ICS) Security
  • International Organization for Standardization (ISO) 27002: Information Technology—Security Techniques—Code of Practice for Information Security Controls

The India Risk Survey report ranks ‘Information & Cyber Insecurity’ as the biggest risk facing Indian companies. Indian organizations, both public and private, have witnessed over 27,000 security incidents.

Phishing, scanning/probing, website intrusions and defacements, virus/malicious code, ransomware, Denial of Service attacks, and data breaches are some ways in which hackers attack business websites, which can cause operation.

Let’s look at some must-have cyber security measures for SMEs: 

Back to Basics: It is always best to get the basics right; they remain the best defence against viruses, malware and other online threats. Prioritize your assets based on their business criticality and address the risks accordingly. Ensure that systems, web browsers and operating systems are updated with the latest security patches. Implement firewall security and run antivirus software after each update.

Security Policy and Procedure: Define information security policies and procedures that serve as the guiding light for the organization and its employees on security best practices. The organization shall enforce the implementation of these policies and procedures, with appropriate security controls to safeguard its assets.

Security Awareness: Security awareness plays a very critical role in an organization. Conduct security awareness training for employees, contractors and vendors on the organization’s information security policy and procedures. The organization shall ensure that all of its employees, contractors and vendors understand and adhere to its security policy and practices.

Need for BCP: Ensure regular backup of all critical data, whether stored in-house or in the cloud. Perform disaster recovery drills at regular intervals to test the integrity of the BCP.

Cyber insurance: After the WannaCry ransomware incidents, small businesses have learnt the potential harm and legal ramifications of an attack. Consider investing in cyber liability insurance to help cover liabilities arising from theft, loss of data, breach of security and privacy. 

Vendor management: With many of a business’s assets either hosted or managed by external service providers – be it your web hosting service or cloud hosting service – working closely with your vendors on a comprehensive plan for risk mitigation is critical. Take the time to understand the vendors’ security certifications, encryption measures, business continuity plans, emergency contact information, etc., so you know exactly the level of risk your business is exposed to.

Continuous Assessment and Improvement: As the organization’s business evolves, so do its IT systems, networks and software. IT should be brought under the strategic focus of the organization, and it needs to be continuously monitored and assessed against new threats and weaknesses. Appropriate corrective action should be taken to remediate weaknesses in a timely manner.

It is obvious that cybersecurity is one of the most important features of e-commerce. Without proper protocols in place, online retailers put themselves and their customers at risk of payment fraud. Smaller stores face even greater e-commerce security risks due to insufficient protection from cybercriminals. Records show one in five small business retailers fall victim to credit card fraud every year, with 60 of those stores being forced to close within six months.

Outside of financial consequences, data breaches damage a brand’s reputation and can cause once loyal customers to avoid putting their information at risk again. However, using the right tools will minimize the threat of fraud and instill trust within your customer base.

Here are some of the best practices that can be followed to reasonably protect the business:

1.) Make sure your e-commerce platform has multi-layered security.

The best way to keep your e-commerce business safe from cybercriminal activity is to layer your security. Make sure your platform host has protections in place on an application-level like contact forms, search tools and login fields.

2.) Monitor all transactions.

Ensure you and your hosting provider are monitoring all transactions for suspicious activity. Set up an alert system to flag potential threats like a billing address and shipping address not matching, or multiple orders being placed by a single user with different credit cards.
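The two monitoring rules above (billing and shipping addresses that differ, and one customer paying with several different cards) as executable detection logic over constructed sample orders. This is an added example, not code from the original article; the customers, card tokens, addresses and thresholds are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Order:
    """One checkout event. card_fingerprint is the payment processor's token
    for the card, never the card number itself (PCI rules forbid storing it)."""
    order_id: str
    customer_id: str
    card_fingerprint: str
    billing_address: str
    shipping_address: str
    placed_at: datetime


def normalize_address(addr: str) -> str:
    """Lower-case and collapse punctuation/whitespace so harmless formatting
    differences (case, double spaces, commas) do not trigger a mismatch alert."""
    return " ".join(addr.lower().replace(",", " ").replace(".", " ").split())


def flag_orders(orders, window=timedelta(hours=24), max_cards=2):
    """Return {order_id: [reasons]} for every order that trips a rule.

    address_mismatch - billing and shipping addresses differ after normalization
    multiple_cards   - the same customer used more than `max_cards` distinct
                       cards within `window` (counted at the time of each order)
    """
    alerts = {}
    history = defaultdict(list)  # customer_id -> orders seen so far, in time order
    for order in sorted(orders, key=lambda o: o.placed_at):
        reasons = []
        if normalize_address(order.billing_address) != normalize_address(order.shipping_address):
            reasons.append("address_mismatch")
        history[order.customer_id].append(order)
        recent_cards = {
            past.card_fingerprint
            for past in history[order.customer_id]
            if order.placed_at - past.placed_at <= window
        }
        if len(recent_cards) > max_cards:
            reasons.append("multiple_cards")
        if reasons:
            alerts[order.order_id] = reasons
    return alerts


# Constructed sample data: hypothetical customers, card tokens and addresses.
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE_ORDERS = [
    # same address written two ways: must NOT be flagged
    Order("o1", "cust-1", "tok-a", "12 Main St, Pune", "12 main st  pune", T0),
    Order("o2", "cust-1", "tok-b", "12 Main St, Pune", "12 Main St, Pune", T0 + timedelta(hours=1)),
    # third distinct card for cust-1 inside 24h: multiple_cards
    Order("o3", "cust-1", "tok-c", "12 Main St, Pune", "12 Main St, Pune", T0 + timedelta(hours=2)),
    # ships somewhere other than the billing address: address_mismatch
    Order("o4", "cust-2", "tok-d", "5 Park Rd, Delhi", "88 Other Lane, Mumbai", T0 + timedelta(hours=3)),
    # a new card 30h later: earlier cards have aged out of the window, no alert
    Order("o5", "cust-1", "tok-e", "12 Main St, Pune", "12 Main St, Pune", T0 + timedelta(hours=30)),
]


def review_sample():
    """Run the rules over the constructed orders; expected: o3 and o4 flagged."""
    return flag_orders(SAMPLE_ORDERS)


if __name__ == "__main__":
    for order_id, reasons in review_sample().items():
        print(order_id, ", ".join(reasons))
```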

3.) Deploy regular PCI scans and updates.

Your e-commerce platform should issue frequent updates and PCI scans to find any potential threats that may be targeting your online store. Automatic updates should also be standard practice for preventing new vulnerabilities to viruses and malware.

4.) Utilize the Address Verification System.

To facilitate safer credit card processing, use an Address Verification System to compare the billing address a customer has entered to what the credit card issuer has on file. An AVS will automatically separate legitimate transactions from fraudulent attempts.

5.) Require a CVV.

Card Verification Value is the three- or four-digit code on the back of a credit card. Under PCI standards, retailers are not allowed to store this number, even if they record customers’ names, addresses and credit card numbers for future transactions. Additionally, many cybercriminals have a credit card number, but not the physical card. A CVV requirement makes it much more difficult for a fraudulent transaction to be processed.

6.) Require stronger passwords.

Attackers use programs that guess customers’ passwords. These programs run through all the possible combinations of a short password, such as a four-digit one, and can find the right alphanumeric password quickly. Longer passwords with at least one special character and one capital letter are more secure.

7.) Use SSL certificates to facilitate a secure connection.

SSL certificates authenticate the identity of your business and secure the data in transit during checkout. This keeps your company and your customers protected from having financial or important information compromised by hackers.

8.) Choose a hosting provider that is PCI compliant.

In order to be PCI compliant, an e-commerce platform must adhere to a strict set of policies and procedures that guarantee the security of payment via credit or debit card. Some of those measures include encryption, anti-malware software, extensive monitoring, risk analysis and more.

9.) Make sure your platform protects against DoS/DDoS attacks.

Most websites simply don’t have the bandwidth to withstand a DoS/DDoS attack; however, the e-commerce platform you choose should have the security in place to counter this threat.

Gone are the days when security threats were only related to IT. With core industries moving rapidly towards IoT, connecting to various networks and sharing data, security weaknesses in Operational Technology (OT) networks are clearly becoming a mainstream concern.

A recent study from Kaspersky noted that 77 percent of security professionals in industrial environments believe their organizations are likely to become targets of a cybersecurity incident. At the same time, 48 percent of respondents said they do not have a specific OT/ICS incident response program, while 31 percent revealed that their organizations experienced one or more incidents in 2017.

It is evident that closing the security gaps in industrial environments is the need of the hour. Here are the top seven security gaps:

Malware

WannaCry and Petya, the two biggest malware threats in the past few years, did not specifically target industrial networks but they did reach them. These threats proved that weak security defences in and between IT and OT networks make it inevitable that OT will be attacked.

The prime reason WannaCry was so destructive is that it targeted organizations running outdated versions of Windows, as old as Windows XP, which no longer receive security updates and patches, leaving them completely vulnerable.

Attacks on Popular OT Tools

In May of this year, Tenable Research issued a warning about vulnerabilities in two Schneider Electric applications widely used in the United States for managing industrial processes in oil and gas, and other industries.

The vulnerabilities shone a stark light on the weaknesses of cyber security vendors and internal security teams, both of which have devoted considerable resources to IT while neglecting industrial environments.

Insecure Controllers Are Prevalent 

Today, many organizations with OT networks face a massive challenge to maintain operational efficiency and improve network security at the same time. The challenge stems from the fact that organizations have a mix of vulnerable legacy controllers and newer Internet-based ones.

Legacy controllers are vulnerable because they lack critical security functionality that is common in newer technologies. Organizations often choose not to update or patch older systems, preferring operational efficiency over network security.

Insider Threat

When an accidental or negligent change is made to an OT network, it can have consequences that are just as devastating as an external attack. The source of the change is immaterial. It doesn’t matter whether the change originates from an employee or a third-party contractor.

‘Air Gap’ Myth

Until recently, industrial networks were separated from the rest of the world by air gaps. In theory, an air gap is a great security measure because it separates the industrial network from the business network — and, therefore, protects it. However, in today’s Internet-centric world, air gaps do not exist as IT and OT worlds are increasingly aligned and therefore more vulnerable to attack.

Disgruntled Employees

Whether a disgruntled employee steals code, sabotages a production line, or poisons a recipe, the impact can be catastrophic. Having real-time visibility into the network will not prevent a disgruntled person from performing malicious activity, but it will rapidly identify threats. Ideally, visibility should include an intrusion-detection system that analyzes network traffic, and active device integrity checks to identify threats.

Waiting for a Reason to Worry

One of the leading CISO concerns today is business risk. To minimize risk, organizations often adopt a top-down approach to securing all technologies as effectively as possible. This solid approach is rarely followed in the OT world because many people believe they should not worry until some event causes them to do so.