Hello everyone, I am Deepak Kambam, and you are listening to Secure Insights – A Series of conversations with industry experts, influencers, and leaders in the IT Security space. In this podcast I have with me Satyavathi Divadari, Director Cyber Security at News Technology. Her earlier assignments have been with Cognizant, Wells Fargo, Capgemini, IBM and Tata Communications Ltd. Satya is an information security leader with more than 21 years of experience in Banking, Telecom and IT/ITES industries. Below are the edited excerpts from the conversation.
Data breaches are happening very often; more or less we see news splashed all over where a data breach happens virtually every quarter. What is your advice on how this can be prevented?
Yes Deepak, that’s the trend now. So, according to the recent data breach weekly report, more than nineteen hundred breaches were reported in the first quarter of 2019, exposing approximately 1.9 billion data compared to the last year. That means first quarter of 2018 the number of reported data breaches increased around 56.4 percent. That means around the number of exposed records were up by 28.9 percent and I think that’s a huge number, right? And the segments which it affects are mostly banking, health and government, followed by other sectors. So, this is a trend which we are observing and that’s something which is the pain point.
Some simple rules to entrust it can be put down in simple steps – the first one, I think we all need to remember, the data owner is accountable and responsible irrespective of where that data is residing or whoever is managing it. Whether the third party is managing it or whether it is hosted in the cloud or it is hosted by internal premise, wherever it is, end of the day the data owner is accountable and responsible. The second part is if you know if you are in the security industry for quite long then you understand that security was always an afterthought. Check mark or check box you are signing off, you validate it, approve it or sign off. The third rule, what I am suggesting, is the major portion of the breaches, you should observe the trends and see and validate. The fourth rule, what I consider, is follow the basics. Why basics? If you see, the majority or most of the incidents on data breaches are occurring because of simple things like passwords. There are incidents where multi-factor authentication is not done on a mailbox.
Basically, if you see, artificial intelligence and machine learning are the most happening thing now. And do you see this automation addressing many challenges, and how will it answer in the cybersecurity world?
Yeah, I agree with you those cyber-attacks are becoming highly sophisticated as I just mentioned earlier.
So, we are moving to the era where cyber criminals can reach their target at any part of the world. They can target a particular individual or an organization or a Government body. By utilizing AI and ML we can prevent or deter such kind of phishing attacks. Configuring machine learning appropriately, we can actually detect and track more than 10000 active phishing sources, react and retaliate quicker than humans can do. Identify fake websites quicker than others. By doing so we are actually eliminating a significant chunk of the fake websites that we can actually reduce the false positives towards us to ninety-nine percent or 97 percent by working on AI and ML.
Nowadays, GDPR, HIPAA, CCPA are forcing organizations to take IT security more seriously. Ideally, what type of security tools will be a minimum requirement to meet such regulations?
That’s a really interesting question and a very good question. The highest penalty in history was paid by Facebook recently, which is around $4 billion, because of the misuse of users’ personal information, which we all are aware of. So that actually gives us an indication that people or organizations have to be careful in handling the personal data and they have to create policies and then controls around it. It is critical to understand the data and the databases, and see where all the data is residing, and actually classify the data accordingly, and oversee where this data is moving. GDPR and such regulations are forcing organizations to do the exercise of identification and classification of data, specifically personal and sensitive personal data.