To guard against data loss and misuse, the cybersecurity conversation must evolve

Data breaches have become a part of life. They impact hospitals, universities, government agencies, charitable organizations and commercial enterprises. In healthcare alone, 2020 saw 640 breaches, exposing 30 million personal records, a 25% increase over 2019 that equates to roughly two breaches per day, according to the U.S. Department of Health and Human Services. On a global basis, 2.3 billion records were breached in February 2021.

It’s painfully clear that existing data loss prevention (DLP) tools are struggling to deal with the data sprawl, ubiquitous cloud services, device diversity and human behaviors that constitute our virtual world.

Conventional DLP solutions are built on a castle-and-moat framework in which data centers and cloud platforms are the castles holding sensitive data. They’re surrounded by networks, endpoint devices and human beings that serve as moats, defining the defensive security perimeters of every organization. Conventional solutions assign sensitivity ratings to individual data assets and monitor these perimeters to detect the unauthorized movement of sensitive data.

Unfortunately, these historical security boundaries are becoming increasingly ambiguous and somewhat irrelevant as bots, APIs and collaboration tools become the primary conduits for sharing and exchanging data.

In reality, data loss is only half the problem confronting a modern enterprise. Corporations are routinely exposed to financial, legal and ethical risks associated with the mishandling or misuse of sensitive information within the corporation itself. The risks associated with the misuse of personally identifiable information have been widely publicized.

However, risks of similar or greater severity can result from the mishandling of intellectual property, material nonpublic information, or any type of data that was obtained through a formal agreement that placed explicit restrictions on its use.

Conventional DLP frameworks are incapable of addressing these challenges. We believe they need to be replaced by a new data misuse protection (DMP) framework that safeguards data from unauthorized or inappropriate use within a corporate environment in addition to its outright theft or inadvertent loss. DMP solutions will provide data assets with more sophisticated self-defense mechanisms instead of relying on the surveillance of traditional security perimeters.


Source: Tech Crunch

India’s central bank says growing presence of Big Tech in financial services a concern

India’s central bank has identified Big Tech’s push into financial services as a challenge for banks in the South Asian market, saying the growing presence of these firms has prompted concerns about the creation of an uneven playing field.

In a report published on Thursday, the Reserve Bank of India (RBI) said Big Tech offers a wide range of digital services that hold the promise of supporting financial inclusion, generating lasting efficiency gains, and making banks more competitive, but their expansion in the financial services sector has given rise to “important policy issues.”

“Specifically, concerns have intensified around a level playing field with banks, operational risk, too-big-to-fail issues, challenges for antitrust rules, cybersecurity and data privacy,” the Indian central bank wrote.

Big Tech firms “straddle many different (nonfinancial) lines of business with sometimes opaque overarching governance structures” and have the potential to become “the dominant players” in financial services, wrote the central bank, which also regulates the finance market in India. “Third, Big Tech [companies] are generally able to overcome limits to scale in financial services provision by exploiting network effects.”

“For central banks and financial regulators, financial stability objectives may be best pursued by blending activity and entity-based prudential regulation of Big Tech [companies] (an activity-based approach is already applied in areas such as anti-money laundering/combating the financing of terrorism; an activity-based approach is the provision of cloud services, where minimising operational and in particular, cyber risk is paramount).”

“Furthermore, as the digital economy expands across borders, international coordination of rules and standards becomes more pressing,” it added. It is worth noting that it’s not clear how the RBI defines Big Tech: Is it referring to American tech giants? Does it also see Reliance Industries and Tata Group, two Indian conglomerates that are also slowly making their way into financial services, as Big Tech?

The caution comes at a time when the RBI, which in the past decade opened up mobile payments through a retail banks-backed infrastructure called UPI, is now opening up the entire national payment network in the country.

A number of players including the tech giants Facebook, Google and Amazon and plastic card processing firms Visa and Mastercard have applied for licenses to operate retail payments and settlement systems in the country. (RBI is expected to give some of these firms licenses later this year.)

“Nowhere else in the world would the largest corporates, banks [and] telcos in India and the largest tech players in the world would come together to build national payment networks,” analysts at Bernstein said of the NUE.

An industry executive questioned the concerns raised by RBI, saying no existing rule is preventing the big banks in India — ICICI and HDFC — that already amass a plethora of data about their customers from investing in their digital expansion.

State Bank of India “is nearly a quarter of Indian banking. And Yono [State Bank of India’s digital bank platform] claims a $40 billion market valuation. Why is their reach not a concern?”

The executive, who spoke on the condition of anonymity, said big technology firms are following the regulations set by the RBI. They are using rails built by banks and are required to operate in the space only through partnerships with banks. “The RBI is free to make more regulations — and it’s already doing so with wallet KYC restrictions and imposing market share caps for those doing payments atop UPI infrastructure.”


Source: Tech Crunch