As the country has moved into the digital way of doing Business, Governance and conducting personal life, the threats of various kinds arising from the use of computers, mobiles and other devices that work on “Data” have only increased.
Technology persons often pursue their creative goals unmindful of the impact they cause on society. Hence they often talk of “Disruption”. We, as corporate managers and as users of technology, therefore often confront the so-called “Zero day vulnerabilities” that are exploited by hackers around the world to make money and commit all sorts of offences.
As a result, today we often find it difficult to trust content on a website, a message that comes in on WhatsApp or Twitter, or even an email that lands directly with us. Nowadays, if we get a phone call that says “I am calling from the Bank”, instead of listening to it we are more concerned with ending the call, because we do not know if even picking up a call will let some virus in.
The biggest threat that we face today is therefore “Lack of trust” in anything that comes to us as “Data”. So, it may not be “Data which is on the run”. Sometimes we have to run away from data.
Recently we came to know that the “Data” of one big company was attacked by a hacker group, who first encrypted the data and made it unusable, and further threatened to release confidential data to the public. They wanted payment of a big sum as ransom, that too to be paid in Bitcoin, the currency of the criminals.
“Phishing” continues to affect us, particularly importers and exporters, who face impersonated messages such as “We have changed our Bank account. Please remit the invoice payment to another account instead of the regular account.” In one such case a big company in Saudi Arabia paid out Rs 190 crores to the fraudsters instead of to ONGC. We are also aware that many times money has been taken out of Banks through the SWIFT messaging system.
Every day we also hear about the losses common people face through GPay or other mobile payment systems.
These kinds of frauds appear simplistic and not as sophisticated as the Stuxnet attack on the Iranian nuclear system, the North Korean attack on the Sony corporate network, DDoS attacks launched from CCTV cameras, robots made to drop material on the shop floor to murder workers, automated cars being hacked to cause accidents, or drones trying to hack into your systems by hovering around your wifi devices.
While we are struggling to tackle such technology-related attacks, the advent of a new law in India called the Personal Data Protection law is making the life of the corporate manager more complicated, because the law expects you to take pro-active steps to prevent frauds, failing which the corporate may be imposed hefty fines even when there is no attack.
This new development is coming in the form of “Personal Data” which is a subset of the “Data” and is like the “Hazardous inventory” you may have in your godown. It may look small in quantity but the drums of those explosive chemicals require greater attention than the tonnes of steel which you can leave in the open space without much of a security risk.
The cyber threats like ransomware have moved from “Encryption” to “Threat to release the information” because release of personal information could be more damaging to a company than not being able to decrypt the information that is locked up.
The threats are therefore changing their nature. Apart from protecting data from unauthorized access, modification or denial of access, companies have to recognize that threats such as “Non-Availability of Consent”, “Use of data for purposes other than those for which they were collected”, “Retention of personal data beyond the expiry date” etc. can become more damaging.
Hence organizations need to change their outlook on defining what is a “Cyber Incident” and how they have to respond to a Cyber incident involving potential personal data loss.
The advent of the new law also means new responsibility centers in the organization, along with conflicts between the senior executives whose areas of influence are getting disrupted.
The CEOs therefore face the challenge both of shielding against the known cyber threats and of bringing about a transition of the organization to recognize the need to change the focus of security from “Protecting Data” to “Protecting the so-called privacy rights of an individual”, which may require a complete overhaul of the business architecture.
The days ahead for business managers are therefore challenging and exciting.