August 18, 2023
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
If you think this is all a tough ask, you should know that the law is simpler and less prescriptive than data privacy laws in many countries. This kind of simpler law is appropriate for a country like India for two reasons: one, because India is just starting down the road of data privacy compliance, and two, because India has a huge SME sector that would struggle to comply with a more complex law. At the same time, the law is stricter than GDPR in some ways; for example, in the EU, a business that can develop a case for it having a “legitimate interest” to process personal data can do so without consent. This is largely not possible in India. Further, in the EU, a data breach needs to be reported only to the regulator, and to individuals only where the data fiduciary concludes that the breach could result in a risk to the rights and freedoms of the individual. The government has given itself the power to exempt classes of data fiduciaries from provisions of the law. This includes start-ups, which have been specifically mentioned.
At an organizational level, both diversity and equity can be addressed through recruitment processes, but inclusivity is the most challenging and is up to the company as a whole, including all employees. One of the ways to encourage employees to adopt inclusive behavior is through the power of education. When people understand why change is important, they are often more inclined to respond. The word “inclusive” is not a new concept; however, it is sometimes used with little substance. Workplaces say they are inclusive because they have a diverse representation of employees, but when you ask the minority groups in that organization if they feel heard, the answer is often conflicting. Rather than playing the game, they feel as though they are mascots or warming the bench. When employees realize inclusion means making sure minority groups feel like they belong, it allows them to assess and challenge their own personal bias, which may be preventing them from fully embracing all perspectives.
The first step for any cyber criminal looking to pull off a years-long hack is to find a way into a target’s network. Even when organizations make it difficult, there’s usually one entry point. Whether by using initial access brokers (IABs), exploiting vulnerabilities, or using employee credentials – the most effective of the three – they need to get in without tripping any alarms. During the early days of a breach, hackers will do very little other than observe a business and how its people work. They’ll learn all the different processes that staff execute during a typical workday and use that knowledge to mask their movements around the network. There will be no intrusive actions (data exfiltration, vulnerability exploits, lateral movement) until they know how to blend in with the everyday traffic being triaged by the organization’s security operations center (SOC) analysts. Attackers usually rely on one of two methods to remain undetected for extended periods of time. The first is when they use genuine compromised credentials and mimic that employee’s usual behavior.
So if projects are already getting off the ground, what are the feelings about where generative AI works best, and how? “The best practices are undoubtedly cross-functional collaboration, ‘try before you buy,’ and learning from what you do,” says Marc O’Brien, CIO at radiology healthcare service provider Medica Group. “In my experience, the algorithms from reputable firms do what they say on the tin, but what really matters is where you position them in the workflow.” Team Teach’s Ivell believes companies can gain a fast start by using tools being built into applications and suites. “One of the key and immediate opportunities of generative AI is that it’s already being built into some tools we already use, be that Power BI, Adobe or more industry-specific apps,” he says. “To take advantage of these needs some internal discovery or analysis of these new functions, understanding how we’d use them, and, in the first instance, training our staff how to exploit the new features. People tend to use tools in the way they always have, and adoption of new features can be slow, so we need to accelerate that.”
It’s important to have strong multifactor authentication around all corporate accounts, says Bryan Willett, CISO at Lexmark. "What we’re finding with some of the latest phishing services that are out there, such as EvilProxy, is that they’re getting very good at imitating a login screen that looks just like your corporate login screen and your corporate MFA challenge," Willett says. "And the user has the potential of falling victim to that and sharing their MFA." ... Organizations should also implement contextual access management that considers a user’s current location, the device being used, time of access, network environment, behavior patterns, and other contextual information, according to Halstead. "By doing so, the risk of unauthorized access, often exploited in corporate account takeovers, can be significantly minimized," he says. ... Employee education and awareness are critical, says Halstead. This "human firewall" remains a very important defense in preventing corporate account takeovers.
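The contextual access management described above (location, device, time, network, behavior) and the attacker tactic from the earlier excerpt (using genuine compromised credentials while mimicking the employee’s usual behavior) both come down to comparing a login against a per-user baseline. The following is an added illustration, not code from Lexmark, Halstead or any product named here: a small risk-based access evaluator with a constructed baseline for one user, constructed login events, and assumed signal weights and thresholds. The point it makes is that even when a phishing proxy relays a valid password and MFA code, the session still originates from a device and network the user has never used, and those context signals are what drive a step-up or denial.

```python
"""Illustrative contextual (risk-based) access evaluator.

Baseline, events, weights and thresholds are all constructed for this
example; a production system would learn baselines from identity logs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Baseline:
    """What is normal for one user (constructed sample values)."""
    countries: set                      # countries the user normally logs in from
    devices: set                        # device ids previously seen for this user
    work_hours: Tuple[int, int]         # UTC hours, interval [start, end)
    last_login: Optional[Tuple[datetime, str]] = None   # (time, country) of last success


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    country: str
    device_id: str
    device_managed: bool
    network: str                        # "corporate", "residential", "hosting" or "tor"


# Assumed weights; tune to the organisation's own false-positive tolerance.
WEIGHTS = {
    "unusual_country": 3,
    "new_device": 2,
    "unmanaged_device": 2,
    "off_hours": 1,
    "hosting_or_tor_network": 3,
    "impossible_travel": 4,
}


def risk_signals(ev: LoginEvent, base: Baseline) -> List[str]:
    """Return the names of every contextual signal that deviates from the baseline."""
    signals: List[str] = []
    if ev.country not in base.countries:
        signals.append("unusual_country")
    if ev.device_id not in base.devices:
        signals.append("new_device")
    if not ev.device_managed:
        signals.append("unmanaged_device")
    start, end = base.work_hours
    if not (start <= ev.ts.hour < end):
        signals.append("off_hours")
    if ev.network in ("hosting", "tor"):
        signals.append("hosting_or_tor_network")
    if base.last_login is not None:
        last_ts, last_country = base.last_login
        # A different country within two hours of the last login is not plausible travel.
        if last_country != ev.country and ev.ts - last_ts < timedelta(hours=2):
            signals.append("impossible_travel")
    return signals


def decide(ev: LoginEvent, base: Baseline) -> Dict:
    """Score the event and map the score to allow / step_up / deny (assumed thresholds)."""
    signals = risk_signals(ev, base)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= 6:
        decision = "deny"
    elif score >= 2:
        decision = "step_up"        # e.g. require a phishing-resistant factor or re-enrolment
    else:
        decision = "allow"
    return {"user": ev.user, "decision": decision, "score": score, "signals": signals}


# Constructed baseline: Alice works from GB on one managed laptop, 08:00-18:00 UTC,
# and last logged in from GB at 09:30 UTC.
ALICE = Baseline(
    countries={"GB"},
    devices={"laptop-a1"},
    work_hours=(8, 18),
    last_login=(datetime(2023, 8, 18, 9, 30, tzinfo=timezone.utc), "GB"),
)

# Constructed events: a normal login, a new personal laptop, and a session that
# looks like a relayed credential (new unmanaged device, hosting network, abroad).
SAMPLE_EVENTS = [
    LoginEvent("alice", datetime(2023, 8, 18, 10, 0, tzinfo=timezone.utc), "GB", "laptop-a1", True, "corporate"),
    LoginEvent("alice", datetime(2023, 8, 18, 10, 5, tzinfo=timezone.utc), "GB", "laptop-new", False, "residential"),
    LoginEvent("alice", datetime(2023, 8, 18, 10, 10, tzinfo=timezone.utc), "NL", "laptop-x", False, "hosting"),
]


def run_samples() -> List[Dict]:
    """Evaluate every constructed event against Alice's baseline."""
    return [decide(ev, ALICE) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The third event is the interesting one: the password and one-time code might be perfectly valid, but the combination of an unknown unmanaged device, a hosting-provider network and an arrival in another country forty minutes after a GB login is enough to deny outright rather than merely prompt for MFA again, which a relaying proxy would also pass.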
What are your employees most interested in? What’s most likely to capture their attention? If you don’t know, ask. Gather insights from employees to identify their current concerns and interests and integrate those into the content. Consider how you could leverage their personal interests in your storytelling approach. For instance, if you have a large base of avid football fans, how might a Super Bowl-themed story or challenge related to data security help capture their interest? Ensure accuracy while entertaining: learning outcomes need to take center stage in your communication efforts, of course. Strive to provide accurate information about cybersecurity and employees’ roles in helping to protect systems and data, while integrating some fun into the delivery of the content. ... Good stories have a protagonist (in this case, the employees), an antagonist (cybercriminals), and some tension that leads to a climax in the plotline. Use these elements to create content that entertains while also illustrating the tangible outcomes and repercussions of poor data security practices, like the potential damage to personal and professional relationships.
Realtor Associate @ Next Trend Realty LLC | HAR REALTOR, IRS Tax Preparer
1 year ago: Thanks for sharing.