The onset of the Digital India initiative and Covid-19 has expedited our dependence on technology, as it forced many traditional businesses to have an online presence to survive these unprecedented times. Cyber security is an integral aspect of national security and influences all domains like military, commerce, governance and welfare. The National Cyber Security Policy, 2013 was developed by the Department of Electronics and Information Technology (DeitY).
The majority of these new websites are built quickly and without following any safety protocols, which makes them susceptible to cyber attacks. The National Cyber Security Policy is a policy framework which aims to protect public and private software infrastructures from cyber attacks and build a safe, secure, resilient, trusted and vibrant cyberspace for Indian businesses. But do we really need these frameworks?
A large number of cyber attacks have been witnessed recently in sectors like banking, governance, healthcare and telecom. According to the EY Global Information Security Survey India Edition 2020, although 73% of boards/executive management teams perceive cyber risk as a significant risk to the organisation, only 31% of organisations involve cyber security in the planning stage of a new business initiative. Having cyber security frameworks in place helps safeguard our software from common attacks, which are summarised in the figure below.
[Figure: Threat actors behind confirmed breaches]
What is a Cyber Security Framework Exactly?
According to Origin Security, ‘An information security framework is a series of documented, agreed and understood policies, procedures, and processes that define how information is managed in a business, to lower risk and vulnerability, and increase confidence in an ever-connected world.’ In simpler words, a cyber security framework aims to build more robust software and protect it from common security breaches.
These frameworks have several components which guide an organisation’s security protocols. Each framework has different objectives, and a company may opt for multiple frameworks for different components of its software depending upon its requirements. It is essential that organisations have security frameworks in place to mitigate risk and secure their bottom-line revenues, since a cyber attack can result in financial loss and can hamper their reputation in the market.
Need For Cyber Security Frameworks
Having necessary security frameworks in place will ensure secure software architectures and protocols to secure data from being accessed by an unauthorised entity. There is a need for these frameworks to be put in effect due to the following reasons:
- To build a secure cyberspace: As the telecom industry continues to make the internet accessible to even the most remote parts of the country, there is an increased need to educate people on how to secure their data. Additionally, with many businesses building their online presence, there is a need to secure their software from being hacked.
- Increasing digital economy: The government has been trying to convert paper money to digital money to increase transparency by tracking the sources of money, thereby reducing fraud. Demonetization was a bold step in this direction. However, to safeguard the hard-earned money of citizens, banks and other financial systems need to be prepared to sustain cyber attacks to ensure safe transactions.
- Increasing complexity of cyberspace: With the latest technological advancements like Blockchain, Internet of Things (IoT), Data Science, Machine Learning, Artificial Intelligence, Cloud Computing and the like, cyberspace has become a complex domain, which makes the process of securing this software even more complex.
How to Identify Which Security Framework Suits your Requirement
A cyber security framework isn’t a one-size-fits-all approach, since each organisation is exposed to different threats and vulnerabilities and has a different risk tolerance. Hence, each organisation needs to evaluate these parameters and utilise the best available frameworks or devise a framework of its own. Moreover, a framework isn’t an immutable protocol and needs to evolve periodically to cope with the dynamic environment, mitigate the latest threats and meet the needs of the critical infrastructure.
According to the National Institute of Standards and Technology (NIST), each security framework has five main functions to cater to and an organisation should evaluate these parameters before fixing upon a specific framework. These functions are:
- Identify: This function lays the foundation for the framework. The organisation needs to identify the context of their business, critical resources, assets, data and the risks it is exposed to. For example, in this function, an organisation identifies the scope of the framework: Asset Management, Risk Assessment, Risk Management, etc.
- Protect: This function aims to outline the necessary steps needed to be taken to safeguard the organisation’s assets. The assets can be protected by following various protocols like providing role-based access, laying necessary information protection protocols, spreading awareness among employees by hosting training sessions and workshops, etc.
- Detect: This function aims to lay down the protocols to be followed to identify the occurrence of a security breach. For example, detecting anomalies, continuous monitoring of network and data logs, identifying triggered events, etc.
- Respond: This function lays down the actions to be taken in case of a security breach to contain the impact of the incident and to prevent similar attacks in the future. E.g. analysis of the attack, response planning, etc.
- Recover: This function aims to restore the services or data impaired by the security breach as quickly as possible to minimise the resulting loss. E.g. recovery planning, recovering data from backups, etc.
Common cyber security frameworks
There are more than 250 different cyber security frameworks used globally to suit a wide variety of businesses, sectors and requirements. Security frameworks are needed to lower risk and vulnerabilities and increase confidence in the software’s architecture. Therefore, many organisations opt to follow multiple security frameworks for different components of their businesses. The three most influential cyber security frameworks currently in use are:
- Payment Card Industry Data Security Standard (PCI DSS): This framework aims to provide secure payment solutions for all financial transactions in which payment cards are used, be it by a small point-of-sale vendor or a huge financial institution. All companies which accept payment cards, process transactions, secure payment data or transmit payment data are supposed to be compliant with this framework.
- National Institute of Standards and Technology (NIST) Cybersecurity Framework: The NIST has put together a range of frameworks to help organisations strengthen their software architectures. These frameworks are cost-effective and flexible, and hence many organisations use them globally.
- Health Insurance Portability and Accountability Act (HIPAA): This framework lays down several protocols to be followed by healthcare organisations to keep people’s health records confidential. Healthcare systems deal with a lot of sensitive information and so are very prone to cyber attacks. Hence, HIPAA is a very important security framework, and a failure to comply with it may lead to hefty fines, amongst other consequences.
To encapsulate, all organisations should strive to implement cyber security frameworks. Doing so not only helps to keep their software infrastructures secure, but also helps define the protocols to be followed in the case of a security breach. However, security needs to be implemented on both the organisation’s and the user’s side.
These cyber security frameworks are just the first line of defense. The government and organisations should strive to educate citizens to follow common precautionary measures to avoid becoming victims of a cyber attack.
By Saarthak Jain