Security is one of the biggest concerns for enterprises considering the evolution of new technologies. In a tête-à-tête with Biztech2.com, Vishal Salvi, CISO, HDFC Bank talks about new age security threats, APTs and how to prevent them.
What are some of the biggest concerns and challenges for CIOs when it comes to data privacy and security? And how can they overcome these challenges?
It is impossible to segregate any single concern. Enterprises need to constantly do an inward check to keep abreast of new security threats and solutions. An enterprise should update itself on all emerging and evolving threat patterns. Refining security strategies should be an ongoing process and engaging stakeholders is a must.
What are some of the new age data threats that enterprises need to beware of? How can enterprises safeguard their data against these threats? What are the different technologies that are available in the market today?
Enterprises need to recognise threats like APTs (Advanced Persistent Threats) which are currently much talked about. It is important to understand the underlying genesis of the attacks. A company has to understand the nature, reason and also learn the vulnerabilities to strengthen itself in such a scenario.
IT consumerisation is a huge task for all enterprises. Employees should be able to connect their devices to the official network but security on external and internal devices should also be enabled. These should not introduce new threats to existing infrastructure.
Cloud computing and virtualisation are two new evolving technologies. Enterprises need to acquire new skills to understand the legal and technical aspects of these technologies and how to respond to them.
What are the new kinds of data breaches and threats to privacy of data that enterprises are now facing?
Phishing attacks that started in 2006 have largely remained flat. We haven’t allowed them to grow and as an industry (BFSI) we have responded well. A lot of targeted phishing such as extracting IP information for financial transactions is gaining momentum. Globally there is a lot of malware being written. Another trend which is on the rise is social networking malware. Enterprises should strengthen awareness and deploy new security kits which can analyse the Internet traffic moving in and out of the office.
What should an enterprise’s data security and privacy strategy entail?
First, deploy a good governance framework across the company. This allows the management to get better visibility and enables constant monitoring. Once the governance framework is in place, a management framework should be installed to ensure efficient management of security programmes.
Companies should have clear policy standards to help employees have a better understanding of which framework to operate on. It takes a lot of time to build the design for these frameworks and ISO 27001, BS 2999, ITIL frameworks help in the same. Once the design is in place, it should be percolated thoroughly. Strategies should be built to impart knowledge to employees where the translation of the design is tangibly understood.
Another area one needs to look at is technology enforcement. Various tools can be deployed and used in multiple areas but all the controls should have clear processes. This involves a high level strategy but this framework can apply to control areas such as application security, identity and access management, secure monitoring, network security, etc.
Do you think an incomplete understanding of where and what types of sensitive data exist across the enterprise is increasingly becoming a key issue for the CIOs?
Information size is growing exponentially. Having full visibility on structured and unstructured data and then being able to decide what is critical or not is a daunting task. There are emerging tools but the pace of information growth is so fast that tools cannot fulfil the requirement.
Structured data has always been the focus for information security. But unstructured data constitutes almost 60 to 70 percent of the bank's information. Technologies that help classify and prioritise stored information are being keenly adopted by organisations.