Protecting enterprise digital assets against growing threats & risks

Achal Kataria, Vice President and Global Head of Technology, EXL Service, discusses how enterprises can stay secure in the threat-filled digital space.

The threat scenario is getting murkier by the day. Hyper connectivity and digitalisation have put enterprises’ information assets at greater risk than ever before. Achal Kataria, Vice President and Global Head of Technology, EXL Service, talks about what enterprises need to do to stay secure in the hostile and threat-filled digital space.

As companies embrace digital technologies, sensors and IoT, they are more vulnerable to cyber attacks. How are technology providers addressing this aspect and what should enterprises do to secure themselves?
In today’s digital economy, one of the foremost challenges faced by technology providers and enterprises is protection of digital assets from ever evolving and complex cyber threats. Technology providers have to lead from the front when they work with enterprises and act as equal stakeholders by proactively sharing industry trends and information, best practices on how enterprises should look at cyber threats and prepare much in advance before they become victims. They also need to partner with enterprises on developing a roadmap for cyber awareness, with the right set of tools, technologies and processes to make them smarter and mature in this journey.

Enterprises should develop a cyber security framework to ensure end-to-end protection of data and information through the phases of identify, protect, detect, respond and recover. They should adopt an industry-recognised cyber security framework like the one from the National Institute of Standards and Technology. Other considerations are—business information study, cyber threat study and prioritised risk mitigation, defence-in-depth security architecture, 24x7 SOC cyber threat monitoring with global threat intelligence, digital forensics and malware analysis, data recovery processes and technologies.

Identity and access management has always been challenging. With the cloud it gets even more complicated. What are the bottlenecks and how do enterprises overcome them?
As organisations shift from hosting services on private local area networks to cloud-based enterprise platforms, CIOs are increasingly concerned with privacy and data security. IT environments and systems face growing threats from inside the organisation and from external online threats. Global threats are compounded by public cloud-hosted applications and the mobile workforce that needs to access these on their own devices.

Security concerns around identity and access management (IAM) need to be balanced with providing fast, easy and secure access to organisation services for critical day-to-day operations in a world of constant budget constraints. A common challenge and myth is ‘this is an IT problem’. Organisations need to understand that IT can do only as much as the business can adopt. IT can influence the business to have the right set of tools and controls and define governance and review mechanisms, but to be successful, Business and HR need to partner with IT to lay a solid IAM foundation.

IAM is evolving into a business user self-service activity. According to research, 80 per cent of digital access will be shaped by new mobile and non-PC architectures by the end of 2020. Many experts consider cloud as one of the largest driving forces behind IAM strategy; cloud deployments rewrite the old model of managing user access.

Some basic principles that can be considered are having a standardised IAM process, defining one digital identity across the enterprise, implementing role-based access control (RBAC) and monitoring, and producing intelligent analysis to increase the success ratio.

Despite device management tools, policies and best practices, mobility has its own risks and challenges. How are companies dealing with them?
BYOD remains a major opportunity and challenge for enterprises. From an employee perspective, the biggest concern is loss of privacy. Employees worry their company will have inappropriate access to their financial and health data, personal photographs, etc—and that they could lose it all if the company removes or ‘wipes’ business information from the device, which happens after employment has concluded.

On the employer side, the primary apprehension is related to security. For example, personal devices might not have an automatic lock code or timeout function, and many people do not use passwords to protect their devices. Equally troubling is that employees may use unsecured Wi-Fi hotspots, share devices with others or lose them.

Organisations need to have the right approach to identify risk, develop an effective policy that can be rolled out and adopted. They should also implement the right technology solution to ensure business and personal data are kept separate, create awareness among employees on the best practices, monitor and report the usage for controls, access management and device configurations. With all above measures in place, it is possible to capitalise on the benefits of BYOD without adding significant risk.

RPA can contribute immensely to productivity while lowering costs; yet why is its adoption slow? Is it due to lack of availability of cost-effective platforms and solutions? Or because the technology has not matured enough?
Robotic Process Automation (RPA) is dramatically changing the way organisations do business today, offering unprecedented opportunities for growth and innovation. RPA adoption is not slow. There are RPA providers with good platform options in the market. RPA providers have matured their solutions over the last 18 months and are working to develop solutions for real-life business challenges. However, enterprises have to be smart and find the right opportunities with the relevant business case. They need to understand their real business challenge and deliberate whether RPA is the solution, or whether they just want to go ahead with RPA because everyone else is doing it. They will have to discuss their business problem with RPA providers and identify the right solution if RPA is a candidate for the problem.

Enterprises should consider the following when working with providers for deployment, because if not done well it may result in the slow adoption of RPAs—identify the right business opportunity for implementation, prioritise best-suited RPA use cases, determine realistic ROI expectations, establish a well-defined governance structure, select capable RPA tools and providers, re-engineer processes to maximise RPA benefits, and enable strong collaboration between business and IT.

What are the potential information risks companies run today considering they are embracing new technologies? How does one mitigate them?
Organisations are sidestepping the IT function and neglecting governance, which can lead to significant costs and risks. Establishing a governance framework that embraces disruptive technologies and encourages innovation while ensuring risks are identified and managed is essential to an organisation’s ability to survive and thrive in a digital world. Proactive governance while embracing new technologies can help you be more conscious of potential vulnerabilities and loopholes that can have significant business impact.

Technology architecture simplification while adopting emerging technologies can help avoid surprises of incompatibility and interoperability amongst disparate systems. It will also enable much better control on services and offerings with stringent access management, and avoid situations and gaps that can expose these services on the Internet, making them vulnerable to malware and phishing attacks.

With emerging technologies there are lots of services that are consumed on cloud in the different forms of IaaS, PaaS and SaaS. Consequently, enterprises need to have a clear roadmap of how they would like to consume these services on cloud and will have to work closely with service providers to ensure data is protected with the right set of controls, segregation, encryption and protection. Providers need to comply with industry-accepted standards like PCI, HIPAA, GLBA, SOX, GDPR, etc.

Finally, with all the above technology controls and tools implemented, the most important part that needs to be addressed is employee awareness of potential information security risks by conducting proactive mandatory training sessions so information security becomes part of organisational culture.