Cybersecurity is the integrated system of IT tools, human practices and organizational processes that safeguard an entity’s IT infrastructure (including servers, networks, systems and most importantly data) from the plethora of hazards it faces.
To simplify, cybersecurity is a protective layer over an entity’s IT framework. It works in a similar fashion to the antivirus you have installed on your computer systems for protection against malicious viruses, just on a much larger scale and while protecting much more valuable assets.
Quoting a real-life example, we all have come across this type of news: “User data of over 1 million users leaked from XYZ Ltd.”
How was this possible? It is a multi-million-dollar company, they should have proper measures in place, right? Well, not really. If you look at the world's spending figures on cybersecurity, it is hard not to notice the disparity between global enterprise incomes and these spending figures. It is necessary to comprehend that although the investment in this ‘relatively new’ foray is rising by the year, it is still not sufficient to protect against industry-wide IT perils.
Cybersecurity as of today still stands to be one of the overlooked aspects of organizational safety. We see 2 major cases in today’s scenario viz.
- ‘Need’ for cybersecurity structure due to prior investment into technology
- No conception of cybersecurity despite using IT tools for functioning
The rapid change in the structure of how organizations function, irrespective of their nature, size or form, has given rise to an astounding need for superior IT infrastructure. This rise may stretch from core activities to the less complex support activities. Cybersecurity presents itself as the need of the hour to tackle any hazard that an organizational IT infrastructure faces.
To name some sectors that face the most risk out of all:
- Government Agencies
- Consumer Devices
- Industrial Equipment
- Finance Industry
Averting such threats may require significant investment in IT resources and Cybersecurity practices. Talking specifically about SMEs, where adoption of IT is a firsthand challenge for the managers due to multiple reasons like cost, adaptation, fear of not catching up etc., the value of cybersecurity increases even more. Let us explain:
Consider an enterprise that has just invested in new technology and now uses sophisticated software to manage its value chain. The management of linkages that gives the enterprise a competitive edge is now managed with the help of IT tools to make it more efficient. Such enterprises tend to rely on, as well as make use of these tools extensively considering the heavy investment it took. Following the heavy usage, there is a breach of the database by an anonymous party due to which all the company secrets relating to linkage management are out. Even if the company is able to identify the party, it would no longer be able to maintain a similar position in the competitive landscape of the industry. The strategic intent of the company would be jeopardized, and it may fail to survive in the longer run.
Now that is the importance of up-to-the-mark cybersecurity systems. The main task of such systems is to identify a threat, contain it and eliminate it.
Areas to be plugged by SMEs
Identity Management: It has to do with the identification of the person accessing the data. Identity management involves access rights and authentication techniques to ensure data is secure.
Data Security: The security blanket over consumer data and internal company data should be distinguished and not common. This would prevent malicious attempts from outside to interfere with sensitive data.
Application Security: All software and applications used by the company must be regularly updated as per the latest security compliance of their respective developers.
Network Security: There should be tools in place within the network which prevent unwanted users from accessing it. This also ensures that there are no intrusions or attacks on the network.
Endpoint Security: Remote access can be very beneficial in times of crisis like COVID-19, but it also leaves a vulnerable trail for data. The company must ensure that proper endpoint security measures are taken against unauthorized remote access to the company’s data.
Cloud Security: Many companies are moving towards cloud-based data storage, which leaves them open to innumerable data-protection risks. Organizations must implement strong cybersecurity measures to fight against any possible breach of cloud data.
Compliance while growing
We see that the SMEs are rapidly growing and targeting foreign markets as well. In light of this expansion, it is inevitable to rely on IT frameworks, which in turn translates to investment into cybersecurity measures. Governments all across the globe have expressed concern over the same and some regulations have been passed to ensure that companies doing business with their people/in their territory abide by minimum security requirements.
- General Data Protection Regulation: Although this regulation is primarily for privacy protection, diving deeper into it we notice that, for the protection of private information, enterprises will have to strengthen their cybersecurity measures as well. The regulation also talks about breaches and what to do in case of a leakage of data. Data protection officers and other personnel are recruited to ensure systems are up to par for effective data security.
- Sarbanes-Oxley Compliance: This compliance came into force to ensure investor protection from malicious activities within the accounting system & practices of an enterprise. The basis of SOX involves keeping data secure and free from tampering, tracking attempted security breaches & resolutions, keeping event logs available for auditing, etc.
- EU Cybersecurity Act: The EU Cybersecurity Act aims at providing a European Union-wide certification framework for digital products, services and processes. It ensures that regulations are met while dispensing such products into the market for ensuring data integrity.
- India’s Personal Data Protection (Bill): The Data Protection Bill proposes the justified processing of personal data of individuals by any entity (irrespective of legal form). It aims at giving the individual complete rights over his/her personal data and how it may be used by the entity (data fiduciaries). Certain accountability and transparency measures have been stated in the bill which would regulate personal data protection in India. The industries in India dealing with such personal data are sure to implement measures ensuring strict adherence to the proposed law.
The most important as well as the most difficult factor to consider is that due to the rapid development of technology, there is an equally rapid increase in the threats posed to IT. This ever-developing bane has in the past resulted in organizations opting for the protection of their strategic assets only. Now when we consider that this cybersecurity revolution will sweep across the SME industry, it must be kept in mind that these threats expand much quicker than any reaction of the enterprise. They hold the capability to take down complete systems and leave organizations on their knees.
That being said, a proactive approach towards tackling these risks is now to be taken due to certain laws in force, thus ensuring that organizations are healthily evolving with minimal chances of falling victim to a cyber-attack.
By CA Nikhil Mahajan (Managing Partner) & Prateek Dobhal (Audit Associate), NSKT Global