Sourabh Tiwari, CIO, Meril Group of Companies | Monday, 19 September 2022
Information Security is a critical requirement in the Banking and Healthcare industry. News abounds about data theft and breaches affecting millions of customers. With increasing threat vectors and the rising intensity of attacks, it is important that we have a robust security framework. This article highlights the critical facets of protecting the business from various types of cyberattacks and securing business-critical information. As Banks & Financial Institutions and Healthcare providers deal with confidential Personally Identifiable Information (PII) and Protected Health Information (PHI), a high degree of safety and security is required. While there has been a good amount of focus on protecting assets in terms of physical and logical security, there are still discernible gaping holes.
b. Logical Security: Adequate controls need to be deployed at the desktop level to prevent any form of data leakage. To access remote applications, documents and desktops securely, the Citrix application is installed on all endpoint devices, and access to the application should be through two-factor authentication. Besides disabling Internet services, personal mail such as Gmail and Yahoo Mail, and access to the home drive, should be disabled. USB ports and CD/DVD-ROM drives are also disabled, as are right-click access to save to the desktop and utilities to create, read, and edit text files. The operating system should be the latest version and supported by the OEM.
There should be a daily anti-virus signature update, and patches should be deployed at least once a month. Internal and external vulnerability scans are to be conducted on a quarterly basis, and all critical and major gaps acted upon. Penetration testing should be conducted for all applications and all gaps fixed, on an annual basis. The list of employees having privileged access to the IT infrastructure (application servers, database servers, databases, network devices, VPN, anti-virus, firewalls, workstations, and products/applications) should be reconciled with the active employee list on the date of review by the concerned Project Manager on a monthly basis. Similarly, all user access to the above IT infrastructure should be reconciled at least once every two months.
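The monthly reconciliation described above can be scripted rather than done by hand. The following is an added example, not code from the article or from Meril Group: it takes a constructed per-system export of privileged-access holders and a constructed active-employee roster, and reports every privileged account whose owner is no longer on the roster (labelled service accounts are assumed to be reviewed separately).

```python
"""Reconcile privileged-access holders against the active employee roster."""
from datetime import date

# Constructed sample data: privileged users exported from each system,
# keyed by user id, and the HR roster of active employees on the review date.
PRIVILEGED_ACCESS = {
    "db-prod-01": ["u1001", "u1002", "u2077"],
    "firewall-edge": ["u1001", "svc-backup"],
    "vpn-gateway": ["u1002", "u3099", "u2077"],
}
ACTIVE_EMPLOYEES = {"u1001", "u1002", "u3099"}
# Service accounts are not employees; they are reviewed separately (assumption).
SERVICE_ACCOUNTS = {"svc-backup"}


def reconcile(access, active, service_accounts=frozenset()):
    """Return {user_id: [systems]} for privileged users absent from the roster."""
    orphaned = {}
    for system, users in access.items():
        for user in users:
            if user in service_accounts or user in active:
                continue
            orphaned.setdefault(user, []).append(system)
    return orphaned


def review_record(access, active, service_accounts, reviewer, review_date):
    """Build the evidence record a reviewer would keep for the monthly check."""
    orphaned = reconcile(access, active, service_accounts)
    return {
        "review_date": review_date.isoformat(),
        "reviewer": reviewer,
        "systems_reviewed": sorted(access),
        "privileged_accounts": sum(len(u) for u in access.values()),
        "orphaned": orphaned,
        "action_required": bool(orphaned),
    }


if __name__ == "__main__":
    record = review_record(PRIVILEGED_ACCESS, ACTIVE_EMPLOYEES, SERVICE_ACCOUNTS,
                           "project-manager", date(2022, 9, 19))
    for user, systems in record["orphaned"].items():
        print(f"revoke {user}: still privileged on {', '.join(systems)}")
```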
c. 24 x 7 Physical Security & Surveillance: This is one of the most overlooked aspects of security. A 2015 study of healthcare data breaches found that physical security is the most common cause of security compromise. Hence the need for adopting a layered security strategy to protect the crown jewels, which are the raison d'être of the business.
d. Social Engineering: 98 percent of cyber-attacks rely on social engineering. The human firewall is the weakest link in information security, and deception is the technique cyber criminals use to manipulate employees into divulging confidential or personal information. Various techniques are used, such as phishing (email), vishing (voice), smishing (SMS), shoulder surfing, dumpster diving, impersonation, and whaling, to target gullible employees and exploit them to break security protocols and procedures.