The COVID-19 pandemic has led to a surge in cybercrime, with cybercriminals developing and enhancing their attacks at an alarming pace as they aim to exploit the fear and uncertainty caused by the unstable social and economic situation. In times of crisis, good security practices are often the first thing to go. As employees across the globe are being asked to Work From Home (WFH), Banking, Financial Services and Insurance (BFSI) institutions, businesses and government organisations are being forced to implement new remote working policies such as the zero-trust approach.
This shift in the way we work and do business has resulted in organisations losing visibility of what is happening in their corporate and their employees’ personal networks, devices and applications. This shift has also seen several cybercriminals and sophisticated hacking groups rapidly adjusting their techniques and tactics to take advantage of the situation.
The BFSI sector is one of the most vulnerable to cyberattacks, even in a “normal” business environment. However, the pandemic has placed additional pressure on this industry, as organisations not only have to deal with a large percentage of users WFH, but also with evolving risks and ensuring compliance with regulatory requirements. At the same time, the sector also has to protect both its customers and staff while encouraging the adoption of remote transacting and access.
Protecting the fundamentals
Organisations within critical business sectors such as BFSI, Manufacturing, Healthcare and Fuel and Energy must protect three fundamental things: data, devices and applications, and the network itself. Traditional perimeter-based network security architecture allowed trusted users to access resources on the network infrastructure and kept unauthorised users out. Yet, as companies become increasingly distributed and their workforces operate outside the corporate network, this methodology no longer works effectively and poses a significant security risk.
Instead of relying on traditional perimeter-based security architecture, organisations should adopt a zero-trust security architecture that always verifies users, irrespective of their role, location, or managed or unmanaged device – even those already inside the network perimeter. In a zero-trust security framework, each user, device, and application is verified and authenticated with contextually aware tools. Zero-trust security architecture enables users to securely access applications and sensitive data from anywhere, using any device. This allows organisations to achieve agility and improved efficiency and to reduce IT costs, without losing control over their data, devices, users and networks.
The best starting point for this journey is to replace the traditional perimeter-centric view of security with an identity-centric approach that enforces secure access for every type of user, irrespective of their location, device, or network. No single solution can address all aspects of zero-trust security, so it is critical to leverage identity to optimise mitigation across the security stack.
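The difference between the two models described above, as an added example rather than the author's own material: a perimeter model grants access on network location alone, while a zero-trust policy evaluates identity, MFA, device posture and resource sensitivity on every request. The corporate address range, field names and sensitivity tiers are constructed for illustration.

```python
"""Perimeter-based vs zero-trust access decisions (illustrative, constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample range standing in for "inside the corporate network".
CORPORATE_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    authenticated: bool       # identity verified for this session
    mfa_passed: bool          # second factor completed for this session
    device_managed: bool      # device enrolled in the organisation's management
    device_compliant: bool    # posture check passed (patched, encrypted, etc.)
    resource_sensitivity: str  # "public", "internal" or "restricted"


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: anything originating inside the perimeter is trusted."""
    return ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Zero-trust model: location is never sufficient; verify every request."""
    if not req.authenticated:
        return False, "identity not verified"
    if req.resource_sensitivity == "public":
        return True, "public resource, authenticated user"
    if not req.mfa_passed:
        return False, "MFA required for non-public resources"
    if req.resource_sensitivity == "restricted" and not (
        req.device_managed and req.device_compliant
    ):
        return False, "restricted data requires a managed, compliant device"
    return True, "verified identity and acceptable device posture"
```

The contrast is visible when the same request is run through both functions: an unverified session on an internal address passes the perimeter check but fails zero trust, while a fully verified remote employee fails the perimeter check but is allowed.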
PoPI Act compliance
Organisations must also keep in mind that the Protection of Personal Information (PoPI) Act will officially come into effect on the 1st of July this year and will be mandatory for all companies. The Act is especially important for those operating within the BFSI sector, as they process clients’ personal information. It requires the implementation of technical and organisational measures to secure the integrity of personal information, and to guard against the risk of loss, damage, or destruction to or of such personal information.
The best way to achieve compliance with this legislation is to update or create an organisational security policy that refers to clear, comprehensive, and well-defined plans, as well as compliance, rules and practices that regulate access to an organisation’s systems and information.
Implementing a zero-trust architecture will also assist with PoPI Act compliance. By requiring that every communication be verified across every channel, it restores the lost visibility and enables discovery of data flows at every access point within and across networks and platforms.
By adopting a zero-trust posture, companies are able to automatically discover and inventory all assets, including applications and databases, and incorporate asset management into their security plan. This has the effect of reducing the attack surface, providing accountability and transparency, and showing that organisations and their clients are taking data privacy and security seriously. Providing this type of proof is one of the requirements of the PoPI Act.
By Avinash Gupta, General Manager at AlphaCodes