The COVID pandemic-induced digital revolution that is setting in has also opened doors to a more vulnerable dimension where all data is susceptible to cyberattacks. Shedding light on this, Arpit Gupta and Adarsh Som of Elets News Network (ENN) interacted with Adam Palmer, Chief Cyber Security Strategist at Tenable, in an exclusive interview.
1. With e-governance being a major tool for the government’s functioning in the times to come, how safe will the essential data on the government portals and websites be?
For an initiative as massive as the National e-Governance Plan, the underlying infrastructure to ensure that government services are available to citizens of India contains a complex mix of digital computing platforms and assets. Increased activity in a digitally-connected environment also increases the potential of cyberattacks. To ensure the integrity and security of the initiative, security teams need to have holistic visibility of all their assets and associated vulnerabilities; only then will they understand where they’re exposed and to what extent.
A recent Forrester-commissioned study alluded that CISOs cannot rely on technical data alone. They need to be able to move from arcane technical language to a concise language suitable for business decision-making by translating technical data into business insights. These insights help security teams prioritize and focus remediation based on business risk and receive guidance on the optimal actions to remediate those risks for better collaboration with IT. These insights also help CISOs communicate cyber risk to decision-makers within the government in a way that fosters a business-based dialogue.
2. The new normal is almost a parallel virtual world for real people to operate in. How safe is it for the general public?
Operating in the digital environment may result in potential attacks, but the solution doesn’t lie in shying away from technology progression but in understanding where the risks lie and proactively managing them.
Many of the attacks conducted by cybercriminals are the result of known but unpatched vulnerabilities. Conducting cybersecurity awareness campaigns for the public is a great step in the right direction, but the onus of security lies with government organizations. They need to practice good cyber hygiene, such as maintaining their systems, enforcing multi-factor authentication and using encryption.
This is the basis of strong cybersecurity programs. Knowing their networks and continuously monitoring systems is critical, particularly as the compute base changes and the attack surface expands.
3. As we are shifting to paperless functioning, how is cloud computing bettering the traditional systems?
Cloud computing can be a game-changer for many organizations, especially those with distributed and remote workforces. But, as with any new technology, it expands the attack surface and cybercriminals will take advantage of any sign of weakness. Therefore, organizations must be able to manage, measure and reduce their cyber risk across their entire infrastructure, from traditional IT to IoT to cloud.
4. COVID has opened up immense opportunities for the IT sector to step in and take over. What is your take on this?
Under normal circumstances, organizations would have taken months if not years to accommodate a secure infrastructure that allows remote connectivity. However, Covid-19 has sped up this process and forced organizations to shift to a remote-work model almost overnight – in turn expanding the attack surface and making it more susceptible to attack.
So in the short term, we’ll see cybercriminals targeting users in a variety of ways, including leveraging malicious emails to phish users and spreading digital viruses. And in the long term, organizations will have to rethink business models that are aligned with new working patterns, customer demand and supply arrangements. Security teams will have to re-establish effective controls over a new hybrid home and office working model.
This means that security strategies need to evolve from the old reactive and siloed approach of “detect, protect, and defend” to a strategy that empowers security and the business to take a holistic view of cybersecurity risk and align it to business decisions. The same Forrester-commissioned study shows that in India, only four out of 10 security leaders can confidently answer the question “How secure or at risk are we?” This means that security leaders are struggling to provide an answer about their risk posture in understandable terms to business leaders because they lack the process, data and technology. By aligning their cybersecurity strategy with business objectives, security leaders will be more confident about their risk posture at any point in time.