Shifting Security Strategy From Breach 'Prevention' To 'Acceptance'

by Sohini Bagchi    Aug 04, 2017


Cybercrime is not a new phenomenon in India, but it has gained momentum in recent years leading to an increased number of cyber-attacks on banks, businesses, government establishments and other entities. A shift towards digitalization, particularly the increased adoption of cloud, mobile, social media and phenomena such as big data and IoT, is changing the way organizations look at cyber security. In an exclusive interaction with CXOToday, Rana Gupta, Vice President, APAC Sales – Identity & Data Protection, Gemalto, explains the current cyber security trends and challenges in the Indian market and how India can move towards a cashless and a digital economy, with the help of the right security solutions.

CXOToday: Can you throw some light on the current digital security landscape in India?

Rana Gupta: Essentially, cyber criminals have been known to make attempts to infiltrate the systems of organisations across industries since the early 1980s. But it has gained momentum in recent years leading to an increasing number of cyber-attacks on banks, businesses, government establishments and other entities, bringing the trend and its impact to the front page focus.

Out of all the sectors, banking and financial data have been the most sought after segment for cyber-hackers and looters to get the most out of the process and disrupt the economic chain of the country. The advancement in digital technologies and increasing flow of money and data in digital format for various activities have led to the increase in cyber-attacks making cyber security a business imperative and not just an IT challenge. Important digital assets are being targeted at an unprecedented rate and the potential impact on business has never been greater. The situation thus has become more worrisome and raises concerns on security and safety aspects for initiatives like ‘Digital India’ that aim at transforming India into a digitally empowered society. Additionally, the lack of awareness among consumers and the evolving digital payment ecosystem have amplified the chances of exposure to cybersecurity risks such as online fraud, information theft, and malware or the recent ‘WannaCry’ or ‘Petya’ ransomware attacks.

As India picks up the pace on its move towards a cashless and a digital economy, businesses in sync with the government organizations should work towards ensuring a robust regulatory framework, an effective customer redressal framework and foolproof security measures to enable data security confidence for larger participation and continued benefits for the economy overall.

CXOToday: Following your recent Breach Level Index report, can you highlight a few key trends that decision makers should be aware of?

Rana Gupta: The Breach Level Index highlighted major cybercriminal trends over the past year. With the frequency of 44 data records being stolen or lost every second, hackers are increasingly targeting easily-attainable account and identity information. Globally, more than 7 billion data records have been exposed since 2013. Cyber criminals are also getting smarter by expanding their target sector from financial organizations to infiltrating large databases such as entertainment, e-commerce and social media sites. However, identity theft and unauthorized access to financial data were the leading types of data breaches in India in 2016, accounting for 73% of all data breaches in India, more than the global average. A few of the global trends from the report are:

Data Breaches by Type: In 2016, identity theft was the leading type of data breach and account access based breaches were the second most prevalent type of breach in 2016. While the incidence of this type of data breach decreased by 3%, it made up 54% of all breached records, which is an increase of 336% from the previous year. This highlights the cybercriminal trend from financial information attacks to bigger databases with large volumes of personally identifiable information.

Data Breaches by Source: Malicious outsiders were the leading source of data breaches. Cyber activist data breaches also increased in 2016 by 31 with the focus to highlight the vulnerabilities of different organizations.

Data Breaches by Industry: In 2016, the technology sector witnessed the largest increase in data breaches by 55%. Almost 80% of the breaches in this sector were account access and identity theft related.

CXOToday: Please highlight some of the challenges in the enterprise security space with reference to the cyber security regulations?

Rana Gupta: Digitalization has changed the way enterprises look at cyber security. According to PwC’s recent ‘Information and security survey 2017’, more than 59% of CIOs and CSOs have agreed that digitization of business ecosystem has impacted security spending. Though the current trends highlight a different picture in terms of understanding the importance of security and what to secure.

As per our recent Data Security Confidence Index, despite the increasing number of data breaches (36.6 million data records being lost or stolen in India in 2016), the vast majority of IT professionals still only believe in perimeter security. Majorly, perimeter security is the focus, but understanding of technology and data security is lacking with Indian enterprises.

According to the research findings, 93% of Indian respondents highlight the overall focus on security with increasing investment in perimeter security technologies such as firewalls, IDPS, antivirus, content filtering and anomaly detection to protect against external attackers. However, despite this investment, two thirds (66%) believe that unauthorized users could access their network, rendering their perimeter security ineffective.

Additionally, by believing that their data is already secure, businesses are failing to prioritize the measures necessary to protect the data they hold and instead focusing on perimeter security that alone is not sufficient to protect critical data.

The major challenge faced by the businesses today is recognition of the fact that hackers are after a company’s most valuable asset – data. It’s important to focus on protecting this resource, otherwise reality will inevitably bite those that fail to do so. Another important thing to consider here is that businesses (over 31%) do not have any policies in place to adequately secure the most vulnerable and crucial data they hold, or even understand where it is stored.

CXOToday: With increased digitization and risks, how can organizations implement the right security practices?

Rana Gupta: In today’s ever increasingly interconnected world, there are now numerous potential entrances for cyber criminals to reach the core of any business. Though, the connectivity to customers, suppliers, and employees over the internet helps in the overall better productivity and service, it has also made the businesses vulnerable. Also, anyone who is connected with the business or will be using the services, is a potential target for cyber criminals.

Hence, it is important for businesses to understand and accept that breaches are inevitable and their company could be a target. The most important step for them is to shift their security strategy from ‘breach prevention’ to ‘breach acceptance’ and develop an end-to-end security strategy for the protection of data. Three step Secure-the-Breach is one such strategy entailing encryption of sensitive data, secure management of cryptographic keys, and secure authentication of authorized users, that the companies shall consider building into their overall security blueprint.

CXOToday: Can you tell us something on Gemalto’s approach to data security, which the company touts as “secure the Breach” strategy?

Rana Gupta: Today’s increasing use of the cloud and mobile devices has rewritten the rules of data security. However, many companies continue to rely on breach prevention as the foundation of their security strategies. If one thing has been re-emphasized regularly in recent years, it is that data breaches are inevitable. Hence, rather than trying to keep denying that the breaches can ever happen to them, and hence focusing on securing the perimeters only, the organizations can take the first step of ‘accepting’ the reality that breaches will happen and, for all that one may not be aware of, a breach might already have happened and they may not be aware of the same. Once that first step to accepting the bitter reality of inevitability of breach having to happen has been taken, then one needs to start thinking about how to secure the organization in the event of a breach taking place. This is essentially what is called ‘secure the breach’.

Our Secure the Breach approach takes into account, where your data resides, how you store and manage that data and who has access to it. The process includes three important steps to ensure data protection –

- Encrypting all sensitive data at rest and in motion,

- Securely managing the cryptographic keys throughout their lifecycle, and

- Secure authentication of users

The three step process allows us to see through cybersecurity’s reality distortion field and transition from an approach optimized for “reality as it was”—breach prevention—to a strategy optimized for “reality as it is”—the secure breach strategy.

Gemalto works with some of the world’s leading enterprises, banks and telcos to enable them in deploying easy to use technology solutions for securing access, payments, banking and other services. As you are aware our solutions range from the development of software applications starting with the design and production of secure personal devices such as smart cards, SIMs, e-passports and biometric authentication solutions. At present we have 30 research and software development centers located in 48 countries.

CXOToday: Gemalto has a specific focus on the banking and financial segment. How do you support these institutions to counter the security challenges and subsequently improve security at various levels?

Rana Gupta: We have been in India for over two decades. We have multiple solutions for secure banking and contactless payments, which include solutions to secure transactions via OTP, multi-factor authentications, EMV deployment and PKI tokens besides servers and biometric devices for authentication. In India, we work with several leading public and private sector banks including one of the biggest private sector banks, where a Gemalto authentication server provides secure access for bank’s customers.

Gemalto has also been involved in significant government projects including the Jan Dhan Yojna for the unbanked with National Payments Corporation of India by enabling security modules for safety of people’s data and monetary transactions. Additionally, our Hardware Security Module (HSM) technology is a mandate by the Reserve Bank of India (RBI) for banks to enable secure inter-bank RTGS (Real Time Gross Settlement) transactions.

Additionally, we work with companies offering financial and retail services, who remain under increasing pressure to ensure the integrity and security of sensitive data, payments, online purchases and transactions. Our data encryption and protection helps them secure sensitive financial information across the entire payment ecosystem, from point-of-sale to bank. Our encryption and key management solutions provide transaction validation and signing, key storage and secure communication for over 80% of the world’s fund transfers with a value of more than $1 trillion every day.