Technology has become integral to our lives, both official and personal. Using technology increasingly means that one has to either share data in, or source data from, the public domain. Data security is the practice of protecting digital information from unauthorized access and theft, retaining its integrity, and ensuring continued access to it throughout its entire lifecycle. It is a concept that encompasses every aspect of information security, from the physical security of hardware and storage devices to administrative and access controls, as well as the logical security of software applications.
Organizational policies and procedures could be the most vital part of establishing these security measures. Most large firms already suffer from a series of internal difficulties in protecting customer data. They typically have a Chief Information Officer whose role is to keep data in, collect it, encrypt it, and secure it from hackers. They are embedded in organizations with expansive data collection operations, multiple legacy systems, a complex web of bilateral and multilateral data-sharing agreements and, quite often, an ongoing lack of clarity on how to integrate data into their businesses.
Need & Challenges
Information leakage and data breaches are a huge threat that could tear down the reputation of the organisation and damage the brand, which in turn could affect the financial figures. For example, customer details are of great importance, and their being compromised could lead to information leakage. A data breach could also be accidental, e.g., the sales team and the customer management team altering client master data, which could lead to duplications.
Recently, in September 2022, an attacker successfully breached many of Uber's internal networks. It all happened when the attacker spammed an Uber employee with push authentication requests to get through Uber's multi-factor authentication, and the employee authorised one of those requests. This made it possible to locate the username and password of a system administrator. With these credentials the hacker went on to access various employee accounts, and it was reported that he could possibly have compromised various sensitive data.
This heightens the need for digital security that goes beyond what is currently being followed. Its importance and impact must be instilled in each employee of the organisation, because nowadays ransom attacks are being replaced by psychological attacks.
Challenges
Organizations that experience a breach of personal and private data can expect to face loss of customers, industry trust and credibility, money and competitive advantage, as well as increased regulatory scrutiny. Breaches happen both because of loopholes in the system as designed and because of management overriding it.
For instance, calls or messages are made impersonating a bank employee, made more believable by caller ID/SMS spoofing, to get hold of bank account details and debit and credit card security codes. Similarly, in the case of businesses, it can happen when a third party sends communications from what appears to be a trustworthy source, including by impersonating a manager, colleague, or service provider. In India, a fake message was circulated during late 2022 asking SBI customers to update their PAN card details through the given link or by phone call. Most of the time e-mail is used, making it challenging for inexperienced employees to validate communications that appear to be legitimate. Users click on these seemingly trustworthy sources, which helps the attacker get hold of their login information. This is known as social engineering: using human psychology rather than technical hacking methods to obtain access to systems, buildings, or data, where individuals are tricked into doing things they shouldn't be doing.
Management override is not an inherently bad thing. Circumstances can arise where overriding internal controls might be in the best interests of the company. For example, if corporate policy is never to pay an invoice before onboarding a vendor, but the company urgently needs a critical component before a system failure, then management might decide to skip onboarding for now and pay a vendor immediately for that component.
The issue is management abuse of its override authority. Such overrides can affect any organization and result in, say, financial statement fraud, even if the controls are well-designed and effective. In fact, most major corporate scandals of the past half century resulted from management overriding internal controls and manipulating financial or operating results.
Therefore, emphasis and reliance could be placed on the following:
Having a Strong Password
Choose the right Authentication method
Password authentication is an access control technique that has been used for ages to access important data by logging in with the right credentials. But passwords have a duplication problem, i.e. the user uses the same password for many websites/applications, and the password is also stored in the application database, which increases the chance of attacks. Companies are therefore shifting towards passwordless or two-factor authentication, where the second factor could be text codes, authenticator apps, USB security keys, etc.
- A USB security key has a chip inside that contains the codes and protocols, so after entering their credentials the employee must plug in the USB key to confirm that he/she is the person authorised to use that network/device.
- With passkeys, users can log in using biometric sensors (fingerprint or face recognition), a PIN or a pattern.
Micro-segmented networks
Micro-segmentation refers to dividing networks into smaller units, each with separate security protocols, where users are limited to accessing the resources within those units. It could also be done by classifying digital properties based on how critical they are. Classifying properties by criticality is a vital step for any firm and is the responsibility of managers, who have to segregate and monitor them, as it will not only help avoid incidents but also encourage team members to exercise greater care in dealing with digital properties.
Each segment should have its own security boundary around it, because when a threat attempts to move from segment A to segment B, it can be detected both by the protections around segment A as it tries to leave and by those around segment B as it tries to enter. For example, a system may isolate a highly sensitive database workload that contains the credit card information of thousands of customers. Microsoft Azure, for example, implemented network segmentation patterns where software can be segmented with defined perimeters.
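The double check described above, as an added Python sketch that is not part of the original article and is not Azure's or any product's API: a flow must pass the source segment's egress rules and the destination segment's ingress rules, with default deny at each boundary. The segment names, ports and flows are constructed for illustration.

```python
# Constructed policy: each segment lists the only flows its own boundary allows.
POLICY = {
    "web":      {"egress": {("app", 8443)},      "ingress": {("internet", 443)}},
    "app":      {"egress": {("cards-db", 5432)}, "ingress": {("web", 8443)}},
    "cards-db": {"egress": set(),                "ingress": {("app", 5432)}},
}

def check_flow(src, dst, port, policy=POLICY):
    """Return (allowed, alerts). Each segment boundary decides independently."""
    alerts = []
    # Boundary around the source segment: is this traffic allowed to leave?
    if src in policy and (dst, port) not in policy[src]["egress"]:
        alerts.append(f"{src} boundary: egress to {dst}:{port} not allowed")
    # Boundary around the destination segment: is this traffic allowed to enter?
    if dst in policy and (src, port) not in policy[dst]["ingress"]:
        alerts.append(f"{dst} boundary: ingress from {src}:{port} not allowed")
    return (not alerts, alerts)

def demo():
    normal = check_flow("web", "app", 8443)
    # Lateral movement attempt from the web tier straight to the card database.
    lateral = check_flow("web", "cards-db", 5432)
    # Same attempt after web's egress rules were (wrongly) loosened:
    loose = {**POLICY, "web": {**POLICY["web"],
                               "egress": {("app", 8443), ("cards-db", 5432)}}}
    still_caught = check_flow("web", "cards-db", 5432, loose)
    return normal, lateral, still_caught

if __name__ == "__main__":
    for allowed, alerts in demo():
        print("ALLOW" if allowed else "DENY", alerts)
```

With the intended policy the lateral attempt raises an alert at both boundaries; with the loosened egress rule the database segment's own ingress check still denies it.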
Audit trail and User log
Audit trails are a legal requirement for many industries and company types. An audit trail keeps a record of a sequence of events and actions in chronological order, and can be set up on systems and application processes. Audit trails track users' activity, whereas a user log holds users' details and their time in and time out. When both are used in conjunction, the chances of unauthorised users accessing confidential information are reduced.
Let us take a scenario. In Tally, you enter a transaction, say a sale transaction worth Rs 50,000 from ABC Limited, and the software maintains a record of it. Any further edits made to the details, such as a change in the amount or a change in the name against which the entry is made, will also be tracked by the software, along with the user who made the changes and the time they were made. Even if some transactions were to be deleted, the software will track that as well and keep a record of everything since the original entry was made. This eliminates the chance of anyone making fraudulent changes.
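The scenario above, combined with a user log, as an added Python example that is not part of the original article and is not Tally's code: an append-only trail records every create, edit and delete with the user and time, and each trail row is then checked against the user log's time-in/time-out sessions. The users, timestamps and voucher number are constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime

# User log row: time in and time out per user.
Session = namedtuple("Session", "user time_in time_out")
# Audit trail row: who did what to which voucher, when, with before/after values.
AuditEntry = namedtuple("AuditEntry", "when user action voucher before after")

class Ledger:
    """Vouchers plus an append-only audit trail; trail rows are never erased."""
    def __init__(self):
        self.vouchers, self.trail = {}, []

    def _log(self, *row):
        self.trail.append(AuditEntry(*row))

    def create(self, when, user, voucher, data):
        self.vouchers[voucher] = dict(data)
        self._log(when, user, "create", voucher, None, dict(data))

    def edit(self, when, user, voucher, **changes):
        before = dict(self.vouchers[voucher])
        self.vouchers[voucher].update(changes)
        self._log(when, user, "edit", voucher, before, dict(self.vouchers[voucher]))

    def delete(self, when, user, voucher):
        # The voucher disappears from the books, but its last state stays in the trail.
        self._log(when, user, "delete", voucher, self.vouchers.pop(voucher), None)

def outside_session(trail, sessions):
    """Trail rows made while the user log shows no open session for that user."""
    return [e for e in trail
            if not any(s.user == e.user and s.time_in <= e.when <= s.time_out
                       for s in sessions)]

def demo():  # constructed users, times and voucher number
    at = lambda hhmm: datetime.fromisoformat(f"2023-01-10T{hhmm}:00")
    sessions = [Session("asha", at("09:00"), at("17:30")),
                Session("ravi", at("10:00"), at("18:00"))]
    led = Ledger()
    led.create(at("09:15"), "asha", "S-001", {"party": "ABC Limited", "amount": 50000})
    led.edit(at("11:40"), "ravi", "S-001", amount=5000)
    led.delete(at("21:05"), "ravi", "S-001")  # after ravi's recorded time out
    return led, outside_session(led.trail, sessions)

if __name__ == "__main__":
    for e in demo()[1]:
        print("outside any logged session:", e.user, e.action, e.voucher, e.when)
```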
Conclusion
McAfee has stated that 51% of Indian users have been trapped in various online scams while booking tickets for travel, that is, by paying through fraudulent platforms or booking tickets on less secure websites. Numerous techniques have been introduced and thought of, but they only help protect data from the technical side. As the creators say, the main vulnerability in any new feature is the users themselves, so employees and individuals have to take the utmost care of the credentials they possess.
(This article is written by Kajalakshmi R, Articled Assistant at R V K S And Associates)