Artificial intelligence has become a central component in modern cyber defence strategies, offering advanced capabilities to detect threats, respond to incidents, and manage vulnerabilities. As AI systems grow in sophistication, ethical considerations have moved to the forefront demanding scrutiny of how these technologies are developed and deployed. Ensuring that innovation is balanced with accountability maintaining trust and effectiveness in cyber security.

The integration of Artificial Intelligence (AI) into cyber defence systems has brought about transformative changes in how organisations protect themselves against digital threats. As AI-driven technologies become increasingly sophisticated, they offer enhanced capabilities for threat detection, rapid response, and system resilience. However, the deployment of AI within this domain raises important ethical considerations, such as the need for transparency, accountability, and fairness in automated decision-making processes. Balancing technological innovation with responsible practice is essential to ensure that cyber defence strategies remain both effective and ethically sound.

Snapshot of the Current Landscape:

Recent years have seen a surge in the adoption of AI-driven tools across the cyber defence sector. Organisations are leveraging machine learning for real-time threat detection, automated incident response, and predictive analytics to anticipate future risks. The integration of AI into cyber security operations is accelerating, with industry and government bodies actively exploring its potential. However, this progress is matched by growing debate around ethical governance and responsible use.

Some of the evolving trends while adapting to AI in the current landscape are:

Risks and Challenges:

The integration of artificial intelligence (AI) into cyber defence brings forth a host of ethical considerations, risks, and challenges. One primary concern is the potential for AI systems to act autonomously, making decisions that may inadvertently infringe upon privacy or civil liberties. For instance, automated threat detection tools could lead to excessive surveillance or the collection of sensitive personal data without proper oversight.

Another significant risk involves bias in AI algorithms. If the data used to train these systems is unrepresentative or skewed, the resulting models may discriminate against certain groups or produce inaccurate threat assessments. This raises questions about fairness, accountability, and transparency in cyber defence operations.

There are also challenges related to the rapid evolution of cyber threats. AI can adapt and learn, but adversaries can exploit vulnerabilities in AI-driven defences, leading to an ongoing arms race between attackers and defenders. Ensuring robust ethical frameworks and human like –

Finally, policymakers and practitioners must carefully balance security needs with ethical principles, fostering dialogue and regulation to guide responsible AI development in cyber defence.

Industry Best Practices:

To address these challenges, organisations are adopting robust governance structures and ethical frameworks. Best practices include regular audits of AI models, clear documentation of decision-making processes, and adherence to compliance standards. Collaboration between industry, academia, and policy makers is vital to establish guidelines that promote responsible AI use. Training and awareness programmes further support ethical deployment by fostering a culture of accountability.

The integration of artificial intelligence (AI) into cyber defence has introduced significant ethical considerations for organisations and practitioners. As AI systems become more sophisticated in detecting, preventing, and responding to cyber threats, it is essential to ensure their deployment aligns with ethical principles and industry standards.

By adhering to these best practices, organisations can leverage AI to enhance their cyber defence capabilities while maintaining public trust and upholding ethical standards.

Balancing Innovation with Accountability:

Responsible AI deployment requires a strategic approach that integrates ethical considerations into every stage of development and operation. Strategies include establishing clear accountability mechanisms, investing in explainable AI, and engaging stakeholders in oversight. By prioritising transparency and fairness, organisations can harness the benefits of AI while safeguarding against ethical pitfalls.

The integration of artificial intelligence (AI) into cyber defence strategies is transforming the way organisations and governments protect digital assets. AI-driven systems are capable of rapidly detecting and responding to threats, analysing vast amounts of data, and adapting to evolving cyber risks. However, this technological leap comes with significant ethical considerations that must be addressed to ensure responsible deployment.

One of the primary ethical challenges involves maintaining accountability in automated decision-making. As AI systems become more autonomous, it is crucial to establish clear guidelines regarding who is responsible for actions taken by these technologies. Transparency in algorithmic processes and robust oversight mechanisms are necessary to prevent unintended consequences, such as unjustified surveillance or discrimination.

Furthermore, the use of AI in cyber defence raises questions about privacy and the potential for misuse. While AI can enhance security, it may also infringe upon individual rights if not governed appropriately. Striking a balance between safeguarding digital infrastructures and respecting civil liberties requires ongoing dialogue among stakeholders, including technologists, policymakers, and the public.

To achieve ethical innovation in cyber defence, organisations must prioritise fairness, accountability, and transparency in their AI systems. This involves regular auditing, ethical training for developers, and the implementation of frameworks that guide responsible use. Ultimately, the goal is to harness the benefits of AI while upholding ethical standards that protect both society and the integrity of digital environments.

The future of AI in cyber defence is promising, but it hinges on a steadfast commitment to ethical principles. By following best practices, addressing risks, and promoting responsible innovation, cybersecurity professionals and policy makers can ensure AI technologies protect critical assets without compromising integrity. Continued collaboration and vigilance will be essential as the ethical landscape evolves.

About the Author :

Ms. Kavitha Srinivasulu
CCISO | DPO| DTO| CISA | CRISC | CISM | CGEIT | PCSM | IAPP AIGP | ISO42001: LA
Program Director: Cybersecurity & Data Privacy
Tata Consultancy Services

Ms. Kavitha Srinivasulu is an Award winning Technology Leader.

Ms. Kavitha Srinivasulu is a Senior Cyber Risk and Resilience executive with over 22 years of global leadership experience advising Boards and Executive Committees across Financial Services, Healthcare, Retail, Technology, and regulated industries.

Ms. Kavitha Srinivasulu has delivered and led large-scale, regulator-driven cybersecurity, AI driven, PCI, and SOC transformations for Tier-1 banks, global healthcare organisations, and highly regulated enterprises operating across the UK, EU, USA, APAC, and ANZ.

Ms. Kavitha Srinivasulu is a trusted advisor to Boards, C-suite, regulators, and global enterprises, consistently delivering resilient, compliant, and scalable cyber operating models.

Ms. Kavitha Srinivasulu is an Advisory Member in National Cyber Defence Research Centre (NCDRC)

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member at CyberEdBoard Community

Ms. Kavitha Srinivasulu is an ambassador at ISAC

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn

Disclaimer :

“The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are solely her own and do not represent the views of her company or her customers.”

Also read Ms. Kavitha’s earlier article:

The post AI Integrity in Cyber Defence appeared first on Industry4o.com.

When Hackers Employ AI: Is It Time to Rethink our Security Defences?

The rapid expansion of artificial intelligence (AI) across industries has changed countless capabilities, delivering benefits in efficiency, automation, and innovation. However, the same technology has also become a powerful weapon in the hands of predators, essentially altering the landscape of digital threats and malicious activities. As cybercriminals leverage AI to craft more clever and obscure attacks, the level of data protection is questioned. Organisations must relook into their current security strategies to verify, redefine, enhance and remain fit for purpose.

Current Impact on Businesses: Key Metrics

As AI-powered cyber threats rise, businesses are experiencing tangible impacts. Here are some key metrics to illustrate the current landscape:

The Rise of AI-Powered Cyber Threats

Cybercriminals are increasingly leveraging artificial intelligence to enhance both the deception and efficiency of their data exploitation tactics. By implementing machine learning algorithms, these malicious actors can automate activities like credential theft, password cracking, vishing, smishing, and phishing on an unprecedented scale. AI not only accelerates the identification of vulnerabilities within an organization’s systems but also makes breaches and intrusions more challenging to detect and address promptly

Moreover, the emergence of generative AI has introduced new forms of deception, including highly personalised phishing emails and realistic fake content. These advancements empower cybercriminals to orchestrate multi-layered campaigns that adapt dynamically to security measures, leaving traditional defence mechanisms struggling to keep up. As the tools available to hackers become ever more advanced, the threat landscape continues to evolve at a rapid pace, demanding a fundamental rethinking of how we approach cyber security.

For instance, AI-driven deepfake technology has been utilized to produce highly realistic voice and video impersonations, which are exploited in social engineering attacks. Additionally, automated tools can swiftly scan extensive networks for vulnerabilities, outpacing human capabilities. Furthermore, AI-powered bots can execute coordinated attacks that dynamically adjust to the defences they encounter in real-time.

Risks on using Traditional Security models to manage AI Threats:

• Inability to detect unusual Threats: Traditional security models often rely on static signatures and predefined rules, making them ineffective against new and previously unseen AI-generated malware or attack techniques.

• Slow Response Times: Manual analysis and intervention are no match for the speed at which AI-powered attacks operate.

• Overwhelmed Resources: The sheer volume and complexity of AI-driven threats can quickly overwhelm traditional security teams and tools, resulting in missed alerts and insufficient coverage across networks and endpoints.

• Weakness in handling Social Engineering: Conventional defences are ill-equipped to recognise sophisticated social engineering tricks, such as deepfake-based phishing or voice impersonation, which can deceive even security-aware personnel.

• Limited Threat Intelligence Integration: Legacy tools often do not integrate with global threat intelligence platforms, missing out on real-time updates about emerging, AI-driven attack vectors.

• Reactive Rather Than Proactive Approaches: Traditional security models tend to respond to attacks after they occur, rather than predicting or preventing threats by analysing behavioural anomalies and unusual patterns.

• Lack of Automation: Without automation, traditional security operations centre (SOC) teams may become bogged down by repetitive tasks, unable to focus on strategizing against the most sophisticated threats.

Limitations of Traditional Security Tools

Traditional security solutions, such as signature-based antivirus software and static firewalls, were designed to detect known threats using predefined rules. While these tools are still essential for baseline protection, they struggle to keep pace with novel, AI-driven attacks that constantly evolve and mutate.

• Signature-based detection: Relies on known malware signatures, but AI attacks create new variants that evade detection.

• Rule-based firewalls: Static rules are easily bypassed by adaptive AI attack strategies.

• Manual monitoring: Human analysts struggle with the speed and scale of AI-driven threats.

In short, the dynamic and unpredictable nature of AI-powered threats exposes the limitations of conventional defences.

The Case for Next-Generation Cyber Security

To keep pace with AI-enabled hackers, organisations must augment their traditional defences with advanced, intelligent security solutions. These include:

• AI-driven threat detection: Security platforms that use machine learning and behavioural analytics to identify anomalies and suspicious activities, even those not seen before.

• Automated response systems: Tools that can respond to threats in real time, containing breaches and neutralising attacks without human intervention.

• Adaptive security frameworks: Solutions that continuously learn and update their defence mechanisms, staying one step ahead of evolving threats.

• Comprehensive threat intelligence: Integrating global threat data and predictive analytics to anticipate and block emerging attack patterns.

By embracing these next-generation tools, organisations can level the playing field against AI-enabled adversaries.While AI is crucial for modern cyber defence, it is not a silver bullet. Skilled security professionals are needed to interpret AI-generated insights, make strategic decisions, and respond to complex incidents.The integration of AI by hackers has significantly transformed the cybersecurity landscape and it’s time for the Organisations to reshape their existing cybersecurity posture to handle AI threats. By continuously evolving our defences, we can strive to stay ahead in this dynamic digital arms race.

About the Author :

Ms. Kavitha Srinivasulu
CCISO | DPO| DTO| CISA | CRISC | CISM | CGEIT | PCSM | IAPP AIGP | ISO42001: LA
Program Director: Cybersecurity & Data Privacy
Tata Consultancy Services

Ms. Kavitha Srinivasulu is an Award winning Technology Leader.

Ms. Kavitha Srinivasulu is a Senior Cyber Risk and Resilience executive with over 22 years of global leadership experience advising Boards and Executive Committees across Financial Services, Healthcare, Retail, Technology, and regulated industries.

Ms. Kavitha Srinivasulu has delivered and led large-scale, regulator-driven cybersecurity, AI driven, PCI, and SOC transformations for Tier-1 banks, global healthcare organisations, and highly regulated enterprises operating across the UK, EU, USA, APAC, and ANZ.

Ms. Kavitha Srinivasulu is a trusted advisor to Boards, C-suite, regulators, and global enterprises, consistently delivering resilient, compliant, and scalable cyber operating models.

Ms. Kavitha Srinivasulu is an Advisory Member in National Cyber Defence Research Centre (NCDRC)

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member at CyberEdBoard Community

Ms. Kavitha Srinivasulu is an ambassador at ISAC

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn

Disclaimer :

“The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are solely her own and do not represent the views of her company or her customers.”

Also read Ms. Kavitha’s earlier article:

The post Next Gen Cyber Security for AI Powered Cyber Threats appeared first on Industry4o.com.

As we are nearing 2026, the cyber security landscape is undergoing rapid evolution, fuelled by technological advancements, emerging AI transformation and increasingly sophisticated cyber threats. Let’s dive deep into the most notable emerging trends in cyber security for 2026, emphasizing the profound impact of artificial intelligence (AI), the crucial importance of identity management, and the expansion of the attack surface into previously unexplored areas.

Technological innovation is reshaping the fabric of cyber security. Artificial intelligence, machine learning, quantum computing, and the proliferation of connected devices are revolutionising both defensive and offensive capabilities. While these advances offer remarkable opportunities for automation, threat detection, and rapid response, they also introduce new vulnerabilities and attack vectors. The pace of change demands that cyber security teams remain agile, continually updating their skills and tools to keep pace with the latest developments.

The future of cyber security extends beyond traditional boundaries. Organisations must proactively address emerging risks such as quantum threats, deepfake technologies, and the exploitation of artificial intelligence. Additionally, the regulatory landscape is evolving, with stricter data privacy laws and compliance requirements. Proactive risk management, regular security assessments, and investment in employee training will be essential to staying ahead of the curve and building organisational resilience.

The Rise of Artificial Intelligence in Cyber Security

Artificial intelligence has emerged as a double-edged sword in the realm of cyber security and that has been discussed frequently across all round tables. On one side, AI-powered tools are significantly enhancing the capabilities of defenders, enabling them to detect, analyse, and respond to threats with uncommon speed and precision. Machine learning models can sift through massive datasets to identify anomalies, automate incident responses, and even predict future attacks based on historical data. Contrarywise, cybercriminals are exploiting AI to automate their attacks, increase the identity, create highly convincing phishing campaigns, and evade traditional security measures.

Looking ahead to 2026, we anticipate a notable increase in the deployment of AI-driven security solutions, including autonomous threat hunting, intelligent deception technologies, and adaptive authentication systems. However, this advancement also necessitates heightened vigilance against AI-generated threats, such as deepfake-based social engineering and AI-assisted malware. As AI continues to evolve, both defenders and attackers will need to adapt their strategies to navigate this rapidly changing landscape.

Identity as the New Perimeter

In the era of cloud computing and distributed workforces, the concept of a fixed network perimeter has lost its significance. Instead, identity around users, devices, and service accounts has emerged as the central pillar of enterprise security and adapting to zero trust. Malicious actors increasingly target credentials and identity systems, recognising that breaching identity controls can grant access to a wide array of resources to influence. As a result, robust identity protection is now vital, with digital identity serving as the gateway to critical information, applications, and infrastructure, the need for investing time and effort on this area has become the emerging demand in this new threat landscape.

Some of the places to invest includes –

Biometric authentication, Face identity verification, behavioural analytics, and adaptive access controls will become more prevalent, aiming to minimise the risk of credential theft and account compromise. The focus will shift from defending networks to safeguarding digital identities, with increased investment in identity threat detection and response (ITDR) solutions.

By embracing these measures, cybersecurity professionals and IT leaders can position their organisations to meet the evolving challenges of a perimeter less digital world, safeguarding assets and ensuring operational resilience well into 2026 and beyond.

The Expanding Attack Surface: New Frontiers

The digital landscape is undergoing a rapid transformation, driven by the propagation of Artificial Intelligence, Internet of Things (IoT) devices, the integration of operational technology (OT), and the emergence of smart infrastructure. As organisations accelerate their adoption of these technologies, the digital attack surface is increasing with potential vulnerabilities that expands dramatically.

For cybersecurity professionals and IT leaders, this evolution presents both unprecedented opportunities and urgent challenges, as adversaries exploit new vectors to target critical systems and infrastructure. Moreover, the convergence of cyber and physical security means that attacks may have substantial, real-world impacts. For example, ransomware targeting bank systems, healthcare platform, and autonomous vehicles is raising severe consequences for public safety and trust.

Some of the key challenges that’s raising in recent past –

Key Recommendations for Organisations

Invest in AI-driven security tools: Leverage the power of AI to automate threat detection, response, and predictive analytics, while staying informed about adversarial AI techniques.

Prioritise Secure-by-Design Principles: Integrate security into the development and deployment of IoT and OT devices, ensuring robust authentication, encryption, and update mechanisms.

Strengthen identity management: Adopt zero trust principles, implement multi-factor authentication, and monitor for identity-based threats using advanced analytics.

Secure the expanding attack surface: Conduct regular risk assessments of IoT, OT, and supply chain environments, and collaborate with partners to address shared vulnerabilities.

Enhance Supply Chain Security: Conduct rigorous vetting of suppliers, enforce contractual security standards, and monitor third-party risks continuously.

Monitor regulatory developments: Stay abreast of evolving data protection and cyber security regulations to ensure compliance and best practice adoption.

Foster a culture of cyber resilience: Provide ongoing security awareness training, develop incident response plans, and encourage collaboration across business units.

Implement Zero Trust Architecture: Assume that no device or user is inherently trustworthy, and continuously verify access at every stage.

Develop Incident Response Plans: Establish comprehensive procedures for detecting, responding to, and recovering from cyber-physical attacks, with an emphasis on cross-functional collaboration.

Simulated Exercises: Conduct drills and simulations to test awareness and readiness for regulatory-driven scenarios, such as data breach notification.

Training and Awareness: Run focused campaigns on emerging threats (e.g., phishing, ransomware) and regulatory updates, using posters, emails, and intranet resources.

The expanding digital attack surface presents a difficult challenge for cybersecurity professionals and IT leaders. The rapid adoption of AI, IoT, OT, and smart infrastructure, coupled with emerging technologies like quantum computing and 5G, demands a proactive and holistic approach to risk management. By strengthening security across supply chains, critical infrastructure, and cyber-physical systems, organisations can safeguard their operations and mitigate the real-world impacts of digital attacks. The urgency to act has never been greater; those who anticipate and address these risks will be best positioned to thrive in the hyper-connected world of 2026 and beyond.

Conclusion

The year 2026 promises to be the moment of evolution in cyber security space trying to adapt and managing emerging risks and growing in digital transformation. The digital environment in which organisations operate is undergoing transformative shifts, driven by the convergence of advanced technologies and increasingly resourceful adversaries. To succeed in this dynamic landscape, organisations must adopt forward-thinking strategies that address the challenges of today while anticipating the risks of tomorrow.

By embracing artificial intelligence responsibly, reinforcing identity management, and proactively confronting new and emerging risks, organisations can enhance their resilience and safeguard their digital future. The journey ahead demands vigilance, adaptability, and a commitment to continuous improvement.

About the Author :

Ms. Kavitha Srinivasulu
CCISO | DPO| DTO| CISA | CRISC | CISM | CGEIT | PCSM | IAPP AIGP | ISO42001: LA
Program Director: Cybersecurity & Data Privacy
Tata Consultancy Services

Ms. Kavitha Srinivasulu is an Award winning Technology Leader.

Ms. Kavitha Srinivasulu is a Senior Cyber Risk and Resilience executive with over 22 years of global leadership experience advising Boards and Executive Committees across Financial Services, Healthcare, Retail, Technology, and regulated industries.

Ms. Kavitha Srinivasulu has delivered and led large-scale, regulator-driven cybersecurity, AI driven, PCI, and SOC transformations for Tier-1 banks, global healthcare organisations, and highly regulated enterprises operating across the UK, EU, USA, APAC, and ANZ.

Ms. Kavitha Srinivasulu is a trusted advisor to Boards, C-suite, regulators, and global enterprises, consistently delivering resilient, compliant, and scalable cyber operating models.

Ms. Kavitha Srinivasulu is an Advisory Member in National Cyber Defence Research Centre (NCDRC)

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member at CyberEdBoard Community

Ms. Kavitha Srinivasulu is an ambassador at ISAC

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn

Disclaimer :

“The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are solely her own and do not represent the views of her company or her customers.”

Also read Ms. Kavitha’s earlier article:

The post Emerging Cyber Security Trends in 2026 appeared first on Industry4o.com.

Ransomware attacks have become much more common with technology growing across the industries, it is not only complex and challenging, but they are more sophisticated and costly in the past and in coming years. Ransomware attacks continued to trend upwards in 2025, rising by 11% compared to 2024, underlining the resilience of Enterprise security culture.

Ransomware attacks are up in recent times, with cyber criminals succeeding in encrypting the data or locking the data in over half of the attacks arising in the industries across the globe. The time taken to recover, the cost involved during the crimes and the type of ransomware attacks are changing with time. Some of the key patterns that’s shooking the industries across are:

The BFSI industry has been the favorite target for many of the malicious cyber criminals, leading to cybersecurity and data protection becoming a major investment for many financial organizations. A research report from the New York Federal Reserve notes that financial firms experience 300 times more cyber-attacks than firms in other industries in the recent past. Cyber criminals target financial firms for major ransoms. Ransomware is predominantly effective in the banking industry as the business holds a large amount of customer data and cannot bear any downtime as it will show a huge impact to business. These ransomware attacks are designed to cripple people or businesses by locking their applications / encrypting the data / making the systems unusable until they pay a “ransom.”

Ransomware has risen vividly during the pandemic across various industries; however, the banking/finance industry has been hit hard for imposed to work in an open environment during the covid. The financial services industry is a very attractive target to cyber criminals because of the valuable customer information they possess and manage. The threat of leaking the data on the dark web, and the resulting reputational damage, compels many financial services organizations to comply with ransom demands without a choice to withhold their reputation and recover critical data without an impact to business.

Some of the major challenges faced by the organizations during ransomware attacks are:

It’s getting harder for organizations, especially in the financial firms, to secure the data. This has driven almost all financial organizations to make changes to their existing cyber defenses to improve their data protection. Ransomware attacks are not only becoming more pervasive, but more sophisticated. They Cyber criminals have been creating various threats that even the most secured banks with robust security controls are compelled to stop. Ransomware remained the standout threat for the past 2 years and expected to cross billions of losses by 2023, however, financial firms have given key priority to invest in data security to ensure data protection and safeguard from the current threat landscape.

As a matter of high or very high priority, enhanced protection measures to prevent ransomware attacks from invading backup data has become the key focus area. Having robust backup mechanisms and back up strategies has always been the tactical solution for quickly recovering data and not paying the ransom. But recent attacks have shown that attackers have developed very creative approaches to target the systems/applications in a very effective manner to target BFSI sector among others. Continuous monitoring, patching, enabling the right set of security controls and upgrading the systems on an ongoing basis is the key.

Some of the best practices recommended to prevent ransomware attacks are:

Increasing complexity in IT space continues to lead to ransomware attacks and compromises highlighting the need for more holistic approaches to data-protection. The current cybersecurity threat landscape requires a multi-layered solution that has a holistic approach including employees, contract employees, relevant stakeholders, and 3^rd parties to eradicate the evolving cyber threats rising from both internal/external network.

Disclaimer : The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are solely her own and do not represent the views of her company or her customers.

About the Author :

Ms. Kavitha Srinivasulu
Cyber Risk Advisory and Consulting Partner
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP

Tata Consultancy Services

Ms. Kavitha Srinivasulu is an Award winning Technology Leader.

Ms. Kavitha Srinivasulu is an experienced Cybersecurity and Data Privacy Leader with overall 21 years of experience focused on Risk Advisory, Data Protection and Business Resilience.

Ms. Kavitha Srinivasulu has demonstrated expertise in identifying and mitigating risks across ISO, NIST, SOC, CRS, GRC, RegTech and in emerging technologies with diverse experience across corporate and Strategic Partners.

Ms. Kavitha Srinivasulu possess a solid balance of domain knowledge & smart business acumen ensuring business requirements and organizational goals are met.

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member at CyberEdBoard Community

Ms. Kavitha Srinivasulu is an ambassador at ISAC

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn

Also read Ms. Kavitha’s earlier article:

The post Is there a Massive Surge In Ransomware Attacks ? appeared first on Industry4o.com.

The UK DUA (Data Use & Access) Bill was introduced in the UK House on 24th November 2024 to streamline the UK’s approach to governing and managing data regulation more effectively, with various amendments into the existing UK General Data Protection Regulation (GDPR) and the Data Protection Act (2018) for modernising the existing regulation aligning to EU GDPR and emerging technology trends. The DUA Bill significantly introduced to bring an impact on UK data protection to ease the regulatory burden on small and medium enterprises, simplify legitimate interests, data transfers, cookies management, data subject access requests (DSARs), and align with EU data initiatives. However, the decision on the bill amendment is expected in 2025 and it would be a critical evolution in UK’s data protection regime.

The King’s Speech during the meeting in November 2024 announced a comprehensive agenda on strengthening and enhancing the data protection of the individuals leading up to the DUA Bill. This proposed law advances a unique approach to data practices by streamlining the data sharing model and strengthens data rights. The proposed DUA Bill keeps in mind UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR) to meet the adequacy of these regulations and strengthen the data protection.

The DUA Bill is envisioned to control the capacity of data for UK economic growth, to protect people’s personal data and to ensure adequacy to EU GDPR. Some of the key areas that DUA Bill looks closely into are –

DUA Bill has primarily emended propositions in ensuring that the organisations should make sure there are appropriate adequacy practices in place to transfer personal data from the EU to the UK or vice versa. Organisations should be aware that there would be greater compliance costs, owing to the significant restrictions imposed on the international transfer of personal data under EU data protection law.

Till date, there have been two readings of the DUA Bill in the House of Lords, and it has also been discussed in detail in the committee on the key considerations while amending DUA Bill. The discussion over the Bill’s contents during the Lords committee stage exhibits the careful balancing act that the government is having to perform with EU-UK in place. Organisations are expected to consider their compliance programmes in preparation for the DUA Bill to meet the regulatory requirements and expectations to strengthen the current data protection posture. However, multi-jurisdictional organisations operating across both a UK and EU are likely to continue to align their practices with the EU GDPR expectations. However, organisations to keep in mind that the DUA Bill is at the early stages of the legislative process, and it could be amended as it passes through the House of Lords and House of Commons before being enacted in UK law. So, we need to ensure that the existing compliance practices, organisations legal and regulatory programs are evaluated to align with the emerging DUA bill expected to amend with the UK GDPR and Data protection act in 2025.

The DUA Bill is still in its initial stages, meaning everything is subject to change as it passes parliament post the last discussion in December 2024. The DUA Bill indicates a critical evolution in the UK’s data protection regime, ensuring a solid balance between regulatory compliance, data security and privacy. EU Financial Data Access regulation and the UK Data Use and Access (DUA) Bill, both expected to become law in 2025 strengthening the data security and ensuring adequacy to the EU GDPR standard requirements.

About the Author :

Ms. Kavitha Srinivasulu
Cyber Risk Advisory and Consulting Partner : BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP

Tata Consultancy Services

Ms. Kavitha Srinivasulu is an experienced Cybersecurity and Data Privacy Leader with overall 21 years of experience focused on Risk Advisory, Data Protection and Business Resilience.

Ms. Kavitha Srinivasulu has demonstrated expertise in identifying and mitigating risks across ISO, NIST, SOC, CRS, GRC, RegTech and in emerging technologies with diverse experience across corporate and Strategic Partners.

Ms. Kavitha Srinivasulu possess a solid balance of domain knowledge & smart business acumen ensuring business requirements and organizational goals are met.

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member CyberEdBoard Community

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post DUA Bill appeared first on Industry4o.com.

Cloud computing has become one of the most used technologies across organisations in various sectors including BFSI, Healthcare, Manufacturing, Education, Retail and many others adopting to various service offerings to increase the availability, scalability, and boundaries in increasing business resilience. Several cloud services are readily available for businesses to improve their day-to-day operations, including Amazon Web Services (AWS), Google Cloud Platform (GCP), Azure Sentinel and other Infrastructure-as-a-Service (IaaS) providers. As most of the organisations depend on cloud-based technology, as remote working has become the new normalcy of delivering services, however, it’s so true to accept on evolving key vulnerabilities which is rising with the growth in technology. Organizations must take key security measures to ensure systems are secure and confidential data remains protected.

By 2025, organizations will shift from a standalone discipline to an integral part of cloud service providers’ offerings. Hyperscale’s will embed advanced capabilities directly into their platforms, moving beyond cost monitoring to deliver comprehensive, AI-driven solutions for real-time optimization and automation. Businesses of all models and sizes have realized the potential of cloud computing and have adapted to this technology either as private, public or as a hybrid model.

Some of the interesting stats:

While bringing this sudden change in adapting to cloud globally has been beneficial to continue services without disruptions, increase the scalability, maintain business continuity, and developed the availability of services beyond boundaries. However, this rapid change has brought in multiple security and data protection issues during the digital transformation. Cyber security becomes a critical concern as more companies complete their digital transformation and migrate systems/applications/data to the cloud. As the threat environment is constantly growing, it is critical to reduce the risk of cloud computing as much as possible and ensure data and systems are protected at rest, in use, and in transit. If the cloud undergoes any kind of attacks/malware/ransomware, there is a huge loss on data, reputation and continuing the business without impact.

Some of the major cloud risks are :

As per recent surveys, the average cost of a data breach is ranging between 20-32 million and it typically takes around 245 days for an organization to detect, remediate, and recover. From a sectoral standpoint, banking financial services and insurance have been adopting cloud and pushing the digitization agenda forward. However, in majority of places the importance of enabling cloud security controls to have been neglected or missed to increase the cyber incidents / data breaches significantly in recent times.

Some of the key Threats and Challenges in Cloud:

• Lack of understanding about dynamic and sophisticated cloud-based threats
• Non-alignment of businesses objectives/ values with risk mitigation plan
• Insufficient or fragmented cloud assurance and governance framework
• Multi/hybrid cloud makes assurance and governance complex
• Implementation inappropriate security controls with no validation
• Weak cloud security policies with limited coverage
• Inability to comply with multiple regulations and legislations
• Lack of third party or vendor risk management strategy/ plan

As cloud computing increases the scalability, availability and increasing the boundaries in the infrastructure, it also brings in unique security issues and challenges evolve day by day. In the cloud, cloud security plays a key role in collaborating with cloud service providers to engage in a shard service model to ensure the right level of security controls are enabled and increase the security posture of the cloud environment. Some of the key benefits in using cloud security in the cloud computing environment are –

Cloud Security Benefits :

Cloud computing provides various benefits to businesses including access to data virtually, irrespective of the place, without needing to maintain a server or physical infrastructure. However, accessing data virtually accompanies with business-critical risks which needs to be addressed and prevented using robust security controls. Each challenge in cloud brings new and different threats which requires distinctive solutions to increase the organisations resilience system. There must be various precautionary measures built and enabled in an organisation to strengthen the cloud computing technology. Organisations have to take the cloud security responsibility as a shared responsibility collaborating with cloud service providers and eradicate rising vulnerabilities proactively to build a threat free cloud security environment.

About the Author :

Ms. Kavitha Srinivasulu
Cyber Risk Advisory and Consulting Partner : BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP

Tata Consultancy Services

Ms. Kavitha Srinivasulu is an experienced Cybersecurity and Data Privacy Leader with overall 21 years of experience focused on Risk Advisory, Data Protection and Business Resilience.

Ms. Kavitha Srinivasulu has demonstrated expertise in identifying and mitigating risks across ISO, NIST, SOC, CRS, GRC, RegTech and in emerging technologies with diverse experience across corporate and Strategic Partners.

Ms. Kavitha Srinivasulu possess a solid balance of domain knowledge & smart business acumen ensuring business requirements and organizational goals are met.

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member CyberEdBoard Community

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post Importance of Cloud Security in 2025 appeared first on Industry4o.com.

Over the years, the banking sector has experienced significant changes in adapting to growing technologies and financial services continue to evolve in enabling robust cybersecurity practices for safeguarding sensitive information, managing risks and in maintaining customer trust. With enduring technological advancements, the level of online transactions is rising day by day, offering enhanced accessibility for both customers and financial institutions. Based on the recent studies and surveys, the increase of cyber incidents and ransomware attacks reported across various industries has affected across sectors, however, financial institutions have emerged as the sector most affected.

Global Banking Security Market is estimated reach a staggering amount of US$8.52TN and is projected to result in a significant increase, leading to a market volume of US$10.83TN by the year 2029 (Source: Statista Market Insights). Despite global economic challenges, the banking sector in countries worldwide continues to innovate and adapt to digital transformation to meet the evolving needs of customers. This study has considered the base year as 2024, which estimates the market size of market, and the forecast period is 2024 to 2029. New regulations and Standards, such as Sarbanes-Oxley Act (SOX), SOC, ISO, Basel II, Data Privacy, Consumer Privacy, Anti-Money Laundering (AML), CCPA, PDPA, GDPR, NIST, HIPAA, PCI DSS etc. need to be carefully analyzed and controls need to be defined while adapting to emerging technologies in this digital transformation period. Financial institutions should stay focused on complying with, design and implement a security framework and necessary processes in a manner to demonstrate compliance with these regulations/laws. It is important for a cybersecurity team to identify the information flowing in and out of the organization including third parties, service providers and sub-contractors ensuring the process is defined, assessed, monitored and managed to reduce risks.

What is changing in the Banking Industry –

• Digitization
• Cloud Migrations. Moving data to Cloud in Private/Public/Hybrid
• Mobile Banking
• Unified Payment Interface (UPI)
• Blockchain Integration
• Generative Artificial Intelligence (AI)
• Adopting to Zero Trust Maturity Model
• Preparing to comply with new BFSI act, DORA (Digital Operational Resilience Act)
• Increasing Cyber Resilience Operating Model
• Privacy Implementation across Geos for securing personal data

The most common trend in the financial industry today is the shift to digital transformation, specifically mobile and online banking to increase the availability, scalability and convenience for the customers and financial institutions. As the availability increases in today’s era of unprecedented cyber threats, banks must take exclusive steps in enabling robust cybersecurity controls to use the emerging technologies with ease. Cyber security concerns influencing online banking transactions are one of the biggest concerns. Cybercrimes are increasing because of the technology’s rapid growth and widespread applications without taking required security measures. Banks must invest in next-generation security solutions to enhance the existing security posture, continuous education in increasing the competencies of the security resources while adapting to new security trends and vigilance in their digital interactions.

Cyber Risk base requirements and recommended safety measures –

• Develop robust Security posture aligning to Enterprise Threat landscape
• Enterprise Risk Management
• Build Business Resilience acclimate to industry best stds.
• Real-time detection using continuous monitoring
• Giving visibility to the effects and the extent of damages by saving logs and analyzing data
• Continue strengthening security methods to allow correct decisions to be made By putting these measures into practice, corporations can minimize the risks.
• Manage administrative privileges with appropriate authorization and authentication
• Cybersecurity Incident response plan in place.
• Training & Awareness.

Some of the key changes happening around us now are –

What to expect in 2025 and beyond –

Day by Day the practices and approaches used by banking institutes are not limiting to one or two, its significantly changing the ways to address the challenges and manage them more effectively in today’s threat environment by adapting to various new gen security controls to increase the business and cyber resilience. In today’s digital society in which ICT and Internet connectivity are indispensable, ensuring security controls are in place is one of the most essential requirements in various places to manage the organization culture effectively without getting preyed to predators. Also, it’s very important to change the old legacy models and integrate the current practices with the new gen. security models to stay business resilient. Some of the key elements to relook into are –

• Protection of an ever-increasing attack surface will gain importance.
• Cloud Security Assessments and Implementation.
• Gen AI (Artificial Intelligence) based automation for gap analysis and reducing incident response times.
• Automizing Manual Efforts in doing Risk Assessments, Stress Tests, Visualization and Reporting.
• 100% compliance with Data Privacy and Regulations.
• Global supply-chain issues will become data-protection issues.
• Need for DPO (Data Protection Officer) will be in high need.

The BFSI security market offers various opportunities driven by technological innovations, growing threat landscapes, and the increasing need for robust security measures during the digital transformation. Opportunities exist for the development and adoption of various advanced next gen solutions like threat detection solutions using technologies such as artificial intelligence (AI), machine learning (ML), Public/Private/Hybrid clouds using advanced data security solutions, increasing blockchain technologies, robust incident response planning and behavioral analytics to identify and mitigate sophisticated cyber threats. There are many security solutions to secure the infrastructure of a financial institution like GRC, designing and implementing zero trust, enabling robust network security controls, vulnerability management, SOC operations, endpoint security, disaster recovery, business continiuity and many more. The importance of cybersecurity for the BFSI sector cannot be overstated, given the critical role financial institutions play in managing enormous volumes of sensitive data and being involved in various online transactions. By enabling robust security controls and implementing comprehensive cybersecurity measures in the right places will help the banks and financial institutions to effectively mitigate cyber risks and safeguard their operations. Being vigilant and taking proactive approaches to cybersecurity, the BFSI industry can increase customer trust, protect customer assets, and maintain its reputation in this fast-growing digital world.

About the Author :

Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – R&C BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP |

Tata Consultancy Services

Ms. Kavitha Srinivasulu is an experienced Cybersecurity and Data Privacy Leader with overall 21 years of experience focused on Risk Advisory, Data Protection and Business Resilience.

Ms. Kavitha Srinivasulu has demonstrated expertise in identifying and mitigating risks across ISO, NIST, SOC, CRS, GRC, RegTech and in emerging technologies with diverse experience across corporate and Strategic Partners.

Ms. Kavitha Srinivasulu possess a solid balance of domain knowledge & smart business acumen ensuring business requirements and organizational goals are met.

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member CyberEdBoard Community

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post Cyber Threats & Growing Security Opportunities appeared first on Industry4o.com.

Gen AI is doing rounds in the cybersecurity space and becoming a gamechanger as it can handle large amount of risk data with quick turnaround time. As cyber threats are growing significantly in this digital era, the need for robust security protection controls against cyber-attacks is increasing in this society. The amount of data that the organization holds is also humongous to digest and keep track of the wholistic picture. The lack of data visibility and gaining critical insights are weak in most places. To address the same, applying Gen AI in cybersecurity space in today’s digital-first world can enhance their cyber security measures while customizing the control points as per customer requirements and organizational needs.

Gen AI is in niche area where organizations are looking at inclining in cybersecurity controls creating tremendous opportunities to enhance security measures. Gen AI can detect potential threats and vulnerabilities by analyzing vast amounts of data while providing proactive predictive analysis, anomaly detections, threat management, automated responses to attacks, effective incident management with appropriate communications and furthermore. Additionally, the Gen AI can help the organizations in advancing authentication systems and simulate attack scenarios to test the effectiveness of security measures to enhance the cyber resilience posture.

How GenAI helps in strengthening Cybersecurity controls –

In the context of cybersecurity, Gen AI plays a versatile role in multiple layers revolutionizing traditional cyber defense mechanisms and enhancing the capabilities of cybersecurity experts/SMEs/professionals. Gen AI has already been implemented in several real-life cybersecurity scenarios, providing predictive analysis, automated response, threat detection, Incident management, authentication and security testing to enhance the current cybersecurity posture. Some of the key capabilities that Gen AI helps in strengthening Cybersecurity controls are as follows:

Imagine the potential of this new Gen AI technology integrated with industries like BFSI, healthcare, Manufacturing and cybersecurity, where it can be used to create, automate and innovate solutions to primarily addressing the evolving cybersecurity glitches. However, with enhancing opportunities and applications in cybersecurity, Gen AI comes with its own risks and challenges. Some of the key challenges are quoted below –

Challenges In Implementing Generative AI In Cyber Security

Despite the potential benefits of using Gen AI in Cybersecurity, there are always some foreseen risks and challenges associated with its. As technology grows and evolves day by day, some significant challenges are accompanied through them. Predators or cyber hackers use Gen AI to develop more sophisticated cyber threats with realistic approaches to exploit the users’ network.

Using Gen AI in Cybersecurity is a potential bias. Gen AI has become a great and essential tool in Cybersecurity because of its ability to detect and prevent cyber-attacks more efficiently than traditional methods, however, AI algorithms are prone to discriminatory outcomes due to bias. Using biased algorithms in Cybersecurity has ethical implications, particularly regarding social justice and fairness. Bias can arise from different sources that may mislead the user trying to adapt.

Ethical considerations around biased algorithms in Cybersecurity are very important from a fairness and transparency standpoint. It’s also important to ensure that training data is varied and users to reduce biases while using the AI algorithms.

Some of the key challenges prevailing in the niche environment are –

Gen AI based cybersecurity solutions are yet to function independently without human intervention. Cybersecurity SMEs play a critical role to ensure that AI-based cyber systems are not subject to manipulation using false logic or providing misleading outputs. However, Gen AI is changing the old legacy of manual control efforts in most of the cyber defense areas and its enhancing in the faster response to threats on sensitive data.

GenAI is capable of a lot of possibilities and managing large scale data without challenges, however, we must be mindful of the security risks or challenges it can bring. This mindful consideration is primarily due to the uncensored prompts, misleading outputs, misconceptions, accidentally revealing sensitive data, problems with storing data, difficulties with global laws, and information leak are the vulnerabilities in this growing niche area.

Addressing these evolving challenges, we need to take a holistic approach that combines Gen AI with other cybersecurity practices and ongoing vigilance to stay ahead of growing threats. The possibilities of using Gen AI in cybersecurity are truly endless, and we are only at the beginning of this exciting journey to evolve, adapt, use and protect the Business Environment.

Disclaimer : “The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are solely her own and do not represent the views of her company or her customers.”

About the Author :

Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – R&C BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP |

Tata Consultancy Services

Ms. Kavitha Srinivasulu is an experienced Cybersecurity and Data Privacy Leader with overall 21 years of experience focused on Risk Advisory, Data Protection and Business Resilience.

Ms. Kavitha Srinivasulu has demonstrated expertise in identifying and mitigating risks across ISO, NIST, SOC, CRS, GRC, RegTech and in emerging technologies with diverse experience across corporate and Strategic Partners.

Ms. Kavitha Srinivasulu possess a solid balance of domain knowledge & smart business acumen ensuring business requirements and organizational goals are met.

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member CyberEdBoard Community

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post Using Gen AI in Cybersecurity appeared first on Industry4o.com.

In the context of growing digital space and emerging technology, cybersecurity is vital and third-party risk is one of the growing threats in an organization. Cybersecurity incidents and data breaches are increasing across vendors, suppliers, and other businesses not limiting to the bank. In a digitally interconnected world, the cybersecurity strength of any organization is not measured by its own defense controls but by the weakest link in the third-party sources. Hence, digital banks need to consider their third parties cybersecurity posture to an equal degree as their own to build business resilience.

Although the banking sectors work hard on keeping their ecosystem strong, it doesn’t make or take cautious efforts to eliminate third-party risks. Often the third parties are not very vigilant about their own security which could, in turn, be putting an organization at risk of cybersecurity attacks, where substantial costs and reputational damage is involved. The importance of managing third-party risk cannot be overstated in the ever-evolving banking sector landscape. Banks rely on external vendors, suppliers, and service providers to enhance efficiency, cut costs, and offer a broader range of services. However, this dependency also exposes them to a myriad of risks.

This article delves on the challenges, strategies, and best practices for effectively managing third-party cyber risks in the banking sector with deeper study for a clear understanding. Working with third parties is primarily challenging but a necessary part of the business globally. So, it’s very important for the banks to make sure that the third party they are engaging with are secure, developed, and reliable to establish a connection. Third-party cyber risk is evolving day by day increasing the risk of leaving third party cybersecurity unaddressed. It primarily focuses on identifying, analyzing, and minimizing risks relating to cyber threats/data breaches. Many have faced cybersecurity attacks, phishing attacks, malware, data breaches and other cybercrimes majorly involving their third-party partners. To mitigate the cyber risks posed by third parties, banks need to take a proactive approach to build a robust cybersecurity posture that covers everything from end-to-end to protect the vendor environment.

If business resilience is the primary objective of the digital bank, it should take precautionary measures on its standards, its approach, processes, and metrics across different third parties to reduce cyber risks and increase the third-party risk resilience. For building a robust cybersecurity culture and implement security standards in a third-party environment, it is important to understand the prevailing risks and challenges associated with third parties.

Key challenges in the Third-Party Environment :

As the banks are evolving day by day in this digital world and adapting to changing technologies, it’s very important to have clear and concise policies/procedures that outlines the organization’s needs & expectations from the third-party service providers to mitigate the risks associated with regulatory uncertainty or in defending any cyber threats that may arise. The biggest challenge in enforcing end-to-end cybersecurity governance in a third-party environment are :

Usually, banks have a structured protocols to enforce the cybersecurity culture across inhouse business functions using their enterprise policies, procedures, and guidelines, but, when it comes to third parties, banks don’t have controls over their security standards and struggle to embed their cybersecurity culture. The main principle of third-party risk management is very clear and simple, if you’re not able to control it, you will not be able to secure it. This includes everything from identifying the right set of vendors, categorizing them, defining contractual obligations with clear visibility, conducting vendor risk assessments, mitigating the risks, continuous monitoring and implementing end-to-end encryption.

Best Practices to manage Cybersecurity and Data Protection Third Party Risks :

For managing third-party cyber risks, banks should take a proactive approach to define various business requirements, build business relationships, and risk factors for building a robust cybersecurity culture. Based on the size and criticality of the vendor, banks need to work on third-party risks to evaluate and do an in-depth assessment to understand the current maturity levels. Few important factors while doing an assessment are the regions where the vendor operates, spread of the vendor employees, practicing tools and technologies, their cloud strategies, ISO status, back up plans during a cyber incident/data breach, the insurances leveraged by the third party and incident response levels.

Overall compliance with regulatory requirements is non-negotiable in the banking sector. It’s very important to ensure the security controls within the organization and with their third parties are robust to face the emerging threats in this digital space. Failure to comply with legal and regulatory requirements can lead to substantial fines and reputational damage.

Managing third-party cyber risks in the banking sector is an ongoing process that requires a proactive approach to stay resilient in nature. By following best practices and adhering to legal & regulatory requirements, the banking sector can build a cyber-resilient environment to protect itself against the evolving third-party cyber risks.

About the Author :

Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – R&C BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP |

Tata Consultancy Services

Ms. Kavitha Srinivasulu has around 20+ years of experience focused on  Cybersecurity, Data Privacy & Business Resilience across BFSI, Financial  services, Retail, Manufacturing, Health care, IT Services and Telecom domains. She has demonstrated her core expertise in Risk Advisory, Business Consulting and Delivery assurance with diverse experience across corporate and Strategic Partners.She is a natural leader with versatility to negotiate and influence at all levels.

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member CyberEdBoard Community

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post Cyber Risks in the Digital Banking Sector appeared first on Industry4o.com.

As we are emerging in the technology space and moving into the digital era, one of my primary focuses is to analyze and understand customers’ business challenges, arising threats and difficulties in recovering the data, specifically when their production environment is compromised due to ransomware or a cybercrime. When an organization is compromised to a data breach, data exploitation or data theft is a big threat and protecting the data without data loss and data restoration is the key. Cyber recovery is a emerging trend to identify, categorize and set controls implemented to recover and restore critical systems, data, and operations in the event of a cyber incident or a data breach. It involves strategies, technologies, and procedures aimed at recovering from the effects of a cyber-attack, minimizing downtime, and restoring business continuity.

As cyber-crimes and incidents continue to evolve and become more sophisticated, organizations must take a comprehensive approach to protect their critical data and systems. While many organizations focus on implementing robust cybersecurity controls, they have started building a solid cyber recovery plan to protect the data and restore the data during an incident.

Cybersecurity Recovery plan main objectives are –

While we all focus on digital transformation in the new normal, the need for strengthening cybersecurity controls and protecting the data has become crucial. Cybersecurity threats are becoming more complex and sophisticated, organizations must take a wholistic approach to protect critical data, assets, and systems. Cyberrecovery is another important control for restoring data after a cyber-attack or a ransomware attack. It is a crucial component of robust cybersecurity to ensure that an organization can recover data after an incident and resume normal operations.

Cyber Recovery planning and enablement protects critical data through five preliminary methods –

• Data integrity, availability, and confidentiality with layers of cyber security controls.
• Cyber recovery planning helps in identifying the risks and in preventing future data loss.
• Isolating the network physically and logically separates the data in a vault.
• Continuous monitoring and taking proactive measures will prevent in becoming victimized.
• Enabling cybersecurity controls in the current threat landscape will help the organization to recover data during an incident.

The Implementation of Cyber Recovery Solution into your data protection environment will enable a defense layer to restore data during an incident. We can also integrate additional technologies and capabilities with your Cyber Recovery environment to increase cyber resilience:

• Implement vault infrastructure and enable data protection layers.
• Enable data backups and build a robust recovery response plan to support Cyber Recovery Vault requirements
• Build and establish a CyberRecovery Vault process to include recovery processes, retention policies, inventory, and applications
• Include training and awareness on the cyber recovery vault to avoid insider threats.

Cyber recovery is emerging in the ecosystem to enhance cyber resilience and to avoid unknown vulnerabilities attacking the surface. Some of the key aspects of cyber recovery and its importance in cybersecurity are:

• Restoration of Data
• Avoid contingency in Operations.
• Protection of Data and Intellectual Property
• Business continuity and Disaster recovery
• Improving Cyber Resilience
• Incident Response Planning
• Legal and Regulatory Requirements
• Identification and Mitigation of Persistent Threats
• Continuous Monitoring
• Applying Proactive measures

Cyber recovery is a crucial aspect of cybersecurity that focuses on rapidly restoring critical systems, data, and operations following a cyber incident or a ransomware attack. It’s not a one day or one time activity to see cyber resilience. It’s enabled by building a robust cyber recovery strategy in place, organizations can minimize downtime, protect sensitive data, maintain business continuity, comply with regulations, enhance incident response capabilities, and continuously improve their cyber resilience. Hence, businesses must be ready with a Cyber Recovery solution to handle the unexpected incidents that’s prone to happen and how an organization will be able to avoid losing the data in the event of a cyber-attack or a ransomware attack.

Cyber Recovery in Action:

Cyber Recovery planning is built to help organizations protect their critical data and systems from cyber threats and enhance cyber resilience. By implementing the cyber recovery process, it enables protection layers to ensure that critical data remains secure.

Cyber recovery is a crucial component of a robust cybersecurity posture to ensure that the organizations are resilient in nature and how they can quickly recover from cyber-attacks or ransomware attacks during a disruption. Organizations that do not have a solid cyber recovery plan in place are prone to risks of losing data and financial losses during an incident. Hence, its always important that an organization have all of the cyber recovery controls in place to protect the organization from all the known and unknown risks to enhance cyber resilience.

About the Author :

Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – R&C BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP |

Tata Consultancy Services

Ms. Kavitha Srinivasulu has around 20+ years of experience focused on  Cybersecurity, Data Privacy & Business Resilience across BFSI, Financial  services, Retail, Manufacturing, Health care, IT Services and Telecom domains. She has demonstrated her core expertise in Risk Advisory, Business Consulting and Delivery assurance with diverse experience across corporate and Strategic Partners.She is a natural leader with versatility to negotiate and influence at all levels.

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member CyberEdBoard Community

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post Why Cyber Recovery is Important ? appeared first on Industry4o.com.

Data protection by design and default is a key element of the UK GDPR’s risk-based approach and its primary focus is on accountability. According to GDPR, data protection by design and default means “an appropriate technical and organizational controls and measures required to implement the data protection principles and safeguard individual rights”. Privacy by design focuses on embedding privacy protection measures throughout the organizational technical infrastructure including the design, development, build and running for software, products, processes and services to ensure personal data processed by these means is managed, secured, and the risk to the data subject is significantly reduced. The GDPR’s key Article 25 indulge controllers to adopt technical and organizational measures that, by design, implement data protection principles into data processing and protect the rights of individuals whose personal data is processed or utilized.

Article 25 of the GDPR—titled “Data Protection by Design and by Default” is the primary source on the need for designing privacy by default and implement control measures to improve privacy posture of the organization. Implement data-protection principles in an effective manner and integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. Privacy by Design and default means that organizations need to consider privacy from the first design stages and throughout the complete development process of any new processes or services that involve processing of personal data. This means that it is no longer just about data protection but rather about designing and building systems so data is inherently protected.

It’s vital to acknowledge that data privacy is critical and ensure this message resonates throughout the organization. It should be integral to the business culture. From the top down, the importance of user privacy must be encouraged, throughout all business practices and ensure that everyone respects this. Ensure that you design and build in the necessary controls to enable consumers to enforce their privacy requirements and the level of protection that they require. Flexibility ensures that users can provide privacy and data protection for varied conditions and environments to support unique and individual security requirements better.

There has always been a strategy that organizations have been following that “Data is always good, everything is important, collect as much as you can and use it when required.” This thinking needs a change while adapting to GDPR’s data minimization requirement, organizations must limit the data collection, define purpose of data requirement and store it in a secured manner of the required data only. Processing of personal data complies with various restrictions to protect the data and avoid data exploitation or losing the data in large numbers.

Exceptions to the GDPR:

Under the GDPR, there are two significant exceptions to note –

The first exception is for companies with less than 250 employees. Organizations in this category are not fully exempt, but they enjoy a more lenient coverage under the regulation. However, such companies must fully comply with the GDPR when:

• Their processing activities may risk the rights and freedoms of data subjects
• They process sensitive personal data or process data frequently, or
• They process a special data category relating to “criminal convictions and offenses”

Secondly, the GDPR does not apply to individuals or companies involved in purely “personal or household activities”. Its scope only covers “commercial or professional activities.”

Procedures for Responding to Privacy Requests:

A major component of GDPR compliance is responding to data subject requests as they come in. There are several types of requests:

• Access requests
• Deletion requests
• Requests to correct inaccuracies
• Object to processing
• Requests to limit processing
• Opt-out of automated decision-making

Responding to any of these data subject requests can be demanding, and they generally must be completed within a one-month time limit. This requires advance planning on the part of controllers, and failure to put procedures in place will not excuse inadequate or late responses.

Simplified GDPR Compliance:

As the principle of data protection by design makes clear, GDPR compliance is not just cosmetic changes, but, stringent in the way it has to be aligned with the regulatory requirements. It requires vigilant planning and thoughtful action. Each and every GDPR principle has its defined process and steps to follow to ensure data security is embedded at the designing stage itself by default.

Article 25 of the GDPR requires a data protection by design and default, data controllers or data processors or sub processors based on the role that as organization is playing, it must ensure that robust planning is done to put technical and organizational controls in place to define the process of processing personal data. Building compliant process means that the new functionality needs to be embedded within the organization structure in a very structured manner to meet both the organizational policy and regulatory standard requirements to deliver privacy protected services.

Key takeaways to ensure GDPR compliance:

Data Privacy policies should be implemented at a technical and business process level. When personal data is no longer required, it needs to be destroyed or anonymized. Consent management for approving, anonymizing the data, storage of data and other data treatments is an integral part of near-future systems to ensure controlled processes are defined to avoid unauthorized access or data leakage.

Best Practices to safeguard Personal Data:

• Try to prevent crises rather than seeking solutions
• Embrace privacy as the default setting to ensure protection of privacy data
• Integrate privacy into the design and embed it into the Organization policy.
• Privacy should be completely functional
• Protect data throughout its lifecycle
• Complete transparency and lawful processing of data
• Prioritize the protection of individuals information

It’s important to assign responsibility to make sure that the end-user privacy is considered. This needs to be done throughout the whole product life cycle and throughout the different business processes. When collecting personal data and processing the data at various levels, an organization should designate an authorized individual to ensure end-user privacy is built into the services, business processes and monitor the privacy posture on an ongoing basis to ensure data protection.

Disclaimer :

“The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are solely her own and do not represent the views of her company or her customers.”

About the Author :

Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – R&C BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP |

Tata Consultancy Services

Ms. Kavitha Srinivasulu has around 20+ years of experience focused on  Cybersecurity, Data Privacy & Business Resilience across BFSI, Financial  services, Retail, Manufacturing, Health care, IT Services and Telecom domains. She has demonstrated her core expertise in Risk Advisory, Business Consulting and Delivery assurance with diverse experience across corporate and Strategic Partners.She is a natural leader with versatility to negotiate and influence at all levels.

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member CyberEdBoard Community

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post Data protection by design and default to comply with UK GDPR appeared first on Industry4o.com.

In our digitized world, there are growing trends across various areas including AI, ML, IoT cloud computing etc., implying the value of personal data as one of the crucial needs for businesses. Management of personal data of customers or end users is the key to handling business activities. However, with the immense value of personal data comes a pressing need for privacy and security to build threat free environment. The Digital Personal Data Protection Act (DPDP) of 2023 coming up in India addresses these issues, aiming to protect personal data, empower individuals, and impose strict data handling standards. This digital act is not just another piece of legislation; it is a game-changer. This act is created after lots of discussions and key considerations on safeguarding personal data, giving individuals more control over their information, and establishing rigorous data protection standards. It is a benchmark towards ensuring that the data is protected, and we live in a safe and secure India.

 There are key responsibilities and ownership across various sectors to safeguard the data. However, one of the critical sectors in managing personal data is BFSI sector where humongous data is crucially managed. We would take some time to see the influence of this act on the financial services sector, which is expected to be significantly high, specifically on the key regulatory changes required in the presence of non-traditional actors, and its digital transformation. The Act serves as the guiding framework for managing digital personal data, delicately balancing the preservation of individual rights with the necessary data processing requirements.

The highly regulated Financial Services sector faces challenges of aligning with existing financial regulations adding to which DPDP Act 2023 is an additional key responsibility to protect customer data. BFSI sector needs to take some strict measures on embedding data privacy policy into enterprise security policy and have a more mature approach to compliance than other sectors.

Impact on Financial Services functions:

The DPDP act brings significant effects to various functions within the financial services sector. Banks and other financial institutions manage a large volume of sensitive customer data which is crucial to business. Hence, protecting the data is vital and the consequences of any data breach are irretrievable. This makes banking a high-risk sector with respect to data privacy and data protection. The impact of the DPDP bill on the financial sectors can be seen across all the activities executed starting from the time the customer is onboarded into the banking system till the time the data is disposed-off from the system. Some of the key impacts across the BFSI sector are –

Regulatory changes

Significant Data Fiduciaries in the financial services sector will have increased responsibilities under the DPDP bill/act. Regulators expect the organizations/stakeholders under BFSI sector to customize DPDP obligations as per the business requirements and train officials accordingly.

Risk management

Risk management plays a crucial role in managing and adhering the regulatory requirements. Data fiduciaries and regulators expect an organization to be responsible for DPDPA compliance. Risk management is central to their core function, and they must ensure consent is obtained before processing personal data.

IT, Cybersecurity and Resilience

DPDPA’s focus on personal data protection reshapes IT and data safeguarding practices to ensure business resilience. BFSI sector should do a due diligence having in mind DPDP and invest in the right set of security controls enabling advanced threat detection, strong encryption, advanced response process, automation, and regular audits to safeguard customer data from cybercriminals and maintain a robust security culture.

Data Retention

The DPDP changes how organizations manage customer data starting from on boarding a customer, due diligence, acquisition, service, retention, and loyalty. It emphasizes explicit security safeguards, consent, clear data policies, data minimization and maintaining data for necessary purposes only.

TPRM

Third Party Risk Management (TPRM) is one of the high dependencies for many organizations be it BFSI or NON-BFSI. To manage a third – party compliance, Data fiduciaries hold primary compliance responsibility to comply third party regulatory requirements.

Outsourcing

BFSI sector widely outsources and partners with various stakeholders to expand and manage business, and this leads to some additional compliance to comply with DPDP bill to adhere to third party related fiduciaries.

Increased compliance for BFSI sector

Under DPDP act, Indian BFSI, in partnerships with financial institutions, must adhere to stringent data fiduciary regulations, likely leading to a transformation in the current BFSI collaboration model.

Penalties for Non-Compliance:

As per the DPDP act, the Data Protection Board, a new regulatory body to be set up by the government and the board can impose a penalty of up to ₹250 crores if there is non-compliance by a person/individual/group found to be substantial. Unlike the EU GDPR, the DPDP Act does not consider the turnover of a business when determining the amount of fine. Instead, Schedule A to the DPDP Act lists predetermined ranges for each violation.

Following the implications of these penalties can empower individuals and organizations to adhere more effectively to the DPDP Act, thereby securing personal data and evading substantial penalties. turn data

Best Practices in Financial Services for Data Protection:

Financial service organizations encompass various roles that deal with managing personal data of customers. Data security is a mixture of processes, applications and tools that aims to protect an organization’s critical/sensitive data. Data protection is very important both at rest and in transit. Some of the best practices to protect and safeguard personal data are as follows:

• Re-look into existing Corporate Governance framework and embed DPDP requirements.
• Develop a centralized data inventory using data discovery techniques.
• Implement Privacy by Design mechanism to collect, maintain, track, and update personal information.
• Training and Awareness.
• Develop mechanisms to provide notices to data principals as applicable in the Privacy Act and ensure valid supplier contracts to protect data.
• Establish and maintain robust technical and organizational security measures to safeguard personal data.

The DPDP Act of 2023 stands as a testament to the evolving regulatory guidelines in the BFSI sector. By increasing the compliance requirements and mandating transparency, consent, and robust security measures, its focused on building a secured Indian threat landscape to protect individuals’ personal data and reduce data breaches.

Disclaimer :

“The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are solely her own and do not represent the views of her company or her customers.”

About the Author :

Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – R&C BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP |

Tata Consultancy Services

Ms. Kavitha Srinivasulu has around 20+ years of experience focused on  Cybersecurity, Data Privacy & Business Resilience across BFSI, Financial  services, Retail, Manufacturing, Health care, IT Services and Telecom domains. She has demonstrated her core expertise in Risk Advisory, Business Consulting and Delivery assurance with diverse experience across corporate and Strategic Partners.She is a natural leader with versatility to negotiate and influence at all levels.

Ms. Kavitha Srinivasulu is a Board Member of Women in CyberSecurity (WiCyS) India

Ms. Kavitha Srinivasulu is an Executive Committee Member CyberEdBoard Community

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post Digital Personal Data Protection appeared first on Industry4o.com.

As the most awaited and much needed legislation in India is getting prepared to release, I would like to take some time to give a brief overview on this Digital Personal Data Protection Bill (DPDP) to understand about this bill’s expectations, the need of it and its benefits to safeguard an individuals’ personal data. The DPDP Bill has been developed to protect the personal data in this digital age getting affected from the emerging threats and risks in the recent past. Government of India is taking serious steps in releasing this bill to establish a robust privacy culture to protect the personal data. This bill applies to any personal data of an individual that can recognize them, whether it’s accumulated online or offline or digitized and then processed without securing a proper consent from the data owner.

The widespread adoption of the usage of internet and digital technology in this country has led to the need for strong data protection laws to safeguard the privacy and security of the personal data of every individual. As per the draft bill, this bill is primarily focussed on the rights and duties of every citizen on one hand and on the other hand, its on the obligations to use the collected data lawfully adhering to the data fiduciaries. This bill focusses on some key considerations to govern and protect the use of personal data, core principles to set the rights and duties of users, and the key expectations on businesses.

On August 3, 2023, the Digital Personal Data Protection Bill, 2023 (“DPDP Bill”) was proposed by the Central Government in the Indian Parliament. This bill primarily focusses on digital personal data and does not apply to non-personal data. Once this bill is passed and released, it will replace Section 43A of the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 (“SPDI Rules”). The main objective of this bill is to establish a holistic legal framework that governs the collection, storage, processing, and transfer of personal data by individuals, organisations (both private and public) or any other stakeholders operating within the boundaries of India.

Data transfer and storage of personal data is allowed in some countries while raising the penalty for violations in some places based on the liability. This bill strongly focusses on consent before collecting and processing of the personal data and stringent penalties of as much as ₹500 crore if any individual/organisation fails to prevent data breaches including accidental disclosures, sharing, altering, or destroying personal data. Hence, it’s very important for an individual / for every entity like private/ public to build a robust security posture adhering to DPDP bill requirements and core principles.

This bill is composed of 7 core principles which revolves around the collection and usage of the personal data of citizens of India.

The bill has some strict fiduciaries that mandates the penalties for any non-compliance on exploiting the personal data and failing to adhere to the core principles of DPDP. This Bill extends its reach to digital personal data processing that involves profiling or offering of goods/services to individuals within India. It raises expectations on any organization in any part of the world, which handles the personal data of Indian citizens to adhere to the DPDP bill requirements.

In the bill, a penalty of ₹200 crore is proposed if the data fiduciary or the data processor fails to report a personal data breach to the Data Protection Board and affected individuals without due course delay. Also, there is a strict penalty payment on failure to ensure acceptable security safeguards to protect the personal data, failing which the Data Fiduciary or Processor can be penalized up to ₹250 crores as per the proposed bill. The draft bill allows only monetary penalties for personal data breaches or non-compliance, ranging from INR 50 crore to INR 250 crore, with a maximum penalty of INR 500 crore for significant data breaches.

The DPDP Bill takes data breaches seriously and have established strong fiduciaries to reduce the data breaches which has raised significantly in the recent past. Both the data fiduciary and any data processor they work with must notify the Data Protection Board and the affected individuals in case of a breach as expected by the bill without delays.

Some of the individual’s rights include to be aware and followed:

1. The right to know if their data is being processed.
2. The right to know where their data is stored and for how long.
3. The right to know what kind of data is collected and where it will be used.
4. The right to know who it’s being shared with and for what purpose.
5. The right to change/edit/delete an individual’s personal data.
6. The right to decline consent to any requirements that involves an individual personal data.

If an individual is not satisfied with the way an individual’s personal data is used / exploited, they can file a complaint with the Data Protection Board.

How to Get Prepared?

The draft DPDP bill establishes compliance requirements and legal obligations for protecting the personal data from data exploitations or breaches. Every individual or organizations or businesses will need to ensure that they adhere to DPDP obligations without fail to ensure the protection of data. This bill primarily focusses on obtaining consent for data processing, maintaining data accuracy, implementing security measures, and establishing mechanisms for data breach notifications. Any non-compliance to these requirements can result in high penalties, legal and reputational damage.

It’s very important for the organisations to regularly monitor updates and guidance from the Data Protection Board and relevant authorities regarding the interpretation and enforcement of the data protection bill to avoid non-compliance to the bill and diminish data breaches. There must be a strong governance structure to ensure ongoing compliance and to address any specific concerns or gaps related to the organization’s current security posture. Embracing these measures and best practices will not only ensure compliance with the law but also strengthen trust between organizations and their customers, promoting a strong data ecosystem in the long run.

The upcoming enforcement of the Digital Personal Data Protection Bill 2023 in India marks a significant step towards protecting personal data and ensuring privacy rights for Indian citizens, while also imposing responsibilities on businesses to enhance data protection practices. While businesses may initially perceive it as a challenge due to potential fines and increased obligations, it is important to recognize that the bill aims to strike a balance between privacy protection and fostering innovation and economic development. Embracing these measures will not only ensure compliance with the law but also strengthen trust between organizations and their customers, fostering a healthier data ecosystem in the long run.

Disclaimer :

“The views and opinions expressed by Kavitha in this article are solely her own and do not represent the views of her company or her customers.”

About the Author :

Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – R&C BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP |

Tata Consultancy Services

Ms. Kavitha Srinivasulu has around 20+ years of experience focused on  Cybersecurity, Data Privacy & Business Resilience across BFSI, Financial  services, Retail, Manufacturing, Health care, IT Services and Telecom domains. She has demonstrated her core expertise in Risk Advisory, Business Consulting and Delivery assurance with diverse experience across corporate and Strategic Partners.She is a natural leader with versatility to negotiate and influence at all levels.

The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are only from her personal side and not representing her company viewpoints or sharing any of her customers views.

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post Digital Personal Data Protection Bill 2023 appeared first on Industry4o.com.

Today we have seen how AI technology has immersed into our lives through every service we use starting from Siri to the facial recognition software used to unlock your phone in recent times. The latest and most interactive leap has been the advent of AI chatbots – most notably the ChatGPT model that’s shaking the tech world by storm and is getting smarter in today’s growing technology space by providing various intelligent services. Machines were built to make life simpler and create a better future for all of us, however, these innovations come with advanced techniques making life simpler and at the same time with their own inherent risks.

ChatGPT is a pre-trained language model developed by OpenAI. It is based on the GPT (Generative Pre-trained Transformer) architecture, which was first introduced in 2018. The original GPT model was trained on a massive dataset of internet text and was able to generate human-like text. In 2019, OpenAI released a new version of the model called GPT-2, which was even more powerful and able to generate more coherent and fluent text. After that, in 2020, OpenAI announced ChatGPT as a conversational version of GPT-2. It was trained on a dataset of conversational text and is optimized for tasks such as question answering and dialogue generation. When OpenAI released ChatGPT to the public in November 2022, it was using GPT-3. Taking everything into account, Chat GPT has the potential to reform the cybersecurity industry by improving the current threat detection process, enabling quick incident response, and helping organizations in better decision-making.

As the digital world is growing towards adapting to various technologies, cybersecurity is becoming increasingly crucial to protect sensitive data and safeguard systems from cyber-attacks. Artificial intelligence and machine learning are playing a key role in introducing new intelligent tools to improve the security of the digital world. ChatGPT is one such tool that is transforming the face of cybersecurity and its intelligence in responding to queries or incidents in a more effective manner. In this article, we will discuss some of the ways that ChatGPT is bringing a change in the cybersecurity current practices and why it is a critical tool for businesses to consider in the new threat landscape –

1. Advanced Threat Detection

One of the most significant ways ChatGPT is supporting cybersecurity to emerge is through advanced threat detection by analyzing large volumes of data and identifying potential cyber threats in a proactive manner to avoid potential impact to business. It helps in analyzing patterns in data to identify suspicious behavior and detect anomalies that may be indicative of a cyber-attack.  Traditional cybersecurity measures rely on pre-programmed rules and signatures to detect and prevent attacks. However, these measures often fail to identify emerging threats or attacks that deviate from the expected behavior. ChatGPT utilizes natural language processing and machine learning to analyze large amounts of data and identify anomalies that could indicate a potential threat. This helps organizations to stay ahead of emerging threats and better protect their infrastructure from internal/external threats.

2. Efficient Incident Response

ChatGPT can be applied in cybersecurity on managing incident response effectively as time is the essence during a disruption/attack. The longer it takes to detect and respond to an attack, the greater the damage that can be done. ChatGPT can rationalize the incident response process by providing real-time alerts and suggested actions to take in response to a breach or a cyber incident. ChatGPT can automate parts of the incident response process, such as gathering information, identifying the scope of the incident and recommendations to respond to the incident in a timely manner. This can greatly speed up the incident response process and reduce the risk of data loss or other damage to business.

3. Training and Awareness

As technology is growing and adapting to changes is an emerging challenge in this new threat landscape. Employee awareness and human errors are globally accepted threats as the leading cause of it being the major cause of cybersecurity breaches. Even with the most advanced security measures in place, a single mistake by an employee can lead to a data breach. ChatGPT can help organizations to address this issue by providing user training and awareness sessions to overcome the internal threats, the risk of human error and improve overall cybersecurity.

4. Enhanced Threat Intelligence

Threat intelligence is critical to stay ahead of emerging threats and prevent attacks. ChatGPT has a unified approach in enhancing the threat intelligence process by analyzing large amounts of data from a variety of sources, including social media, dark web forums, and hacker websites. This helps the organizations to get valuable insights into potential threats and enable them to take proactive measures to avoid attacks before they occur. With the ability to understand natural language, ChatGPT can also extract relevant information from all types of sources including unstructured data, such as reports and articles, and classify and categorize them. This can help the organizations to stay ahead on the latest threats, trends, and emerging risks to develop more effective security strategies and build business resilience.

ChatGPT is changing the face of cybersecurity in several significant ways and its ability to respond to natural language inputs is valuable for taking better decisions in enabling and protecting cybersecurity controls. With the ability to analyze and process large volumes of data, understand natural language, and generate human-like text, ChatGPT can improve the efficiency and effectiveness of cybersecurity operations. ChatGPT will support businesses to stay ahead of emerging threats and safeguard sensitive data to enhance Cyber Resilience.

About the Author :

Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – R&C BFSI
CCISO | DPO | CISM | CEH | CCSO | CCIO| PCSM | PDPP |

Tata Consultancy Services

Ms. Kavitha Srinivasulu has around 20+ years of experience focused on  Cybersecurity, Data Privacy & Business Resilience across BFSI, Financial  services, Retail, Manufacturing, Health care, IT Services and Telecom domains. She has demonstrated her core expertise in Risk Advisory, Business Consulting and Delivery assurance with diverse experience across corporate and Strategic Partners.She is a natural leader with versatility to negotiate and influence at all levels.

The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are only from her personal side and not representing her company viewpoints or sharing any of her customers views.

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post How ChatGPT is changing the face of Cybersecurity appeared first on Industry4o.com.

On March 2, 2023, USA President Joe Biden administration released its 2023 US National Cyber Security Strategy to understand the current emerging trends, managing challenges and to build a digital ecosystem that is more resilient against cyber-attacks. The Strategy recognizes what the US government must seek to protect the critical infrastructures including hospitals, banks, education, manufacturing, and clean energy facilities to protect national security, public safety, and economic prosperity from cyber threats.

The world is gradually increasing more complex and vulnerable threat environment which needs robust changes in the current threat landscape and in handling the ransomware attacks that’s running into millions of dollars in the US as per recent reports. In 2022, the average cost of a ransomware attack was more than $4.5 million, according to IBM report. In United States, private sector technology underlies all essential services open to its citizens to adapt to new changes and growth. However, protecting that space lies within the PPP- Public: Private Partnership space to strengthen the country’s cybersecurity competence and sustain its overall technology Governance strategy. This announcement by the Biden administration signals that the federal government to be determined and build a strong cybersecurity posture.

US National strategy’s vision is primarily focussed on having a more defensible and resilient cybersecurity posture to minimize the impact of cyber incidents and increase the infrastructure security.

• US National Strategy’s five pillars:

US National cybersecurity strategy has come up with five key pillars to build a resilient digital ecosystem that is built to defend and then attack. A quick overview on the 5 pillars expectations:

1. Defend Critical Infrastructure

Critical Infrastructure Protection and facing critical threats in today’s landscape is highly vulnerable. It consists of actions taken to prevent, remediate, or mitigate the risks resulting from vulnerabilities of critical infrastructure assets and core capabilities. As the risks are evolving with the growth in technology, focus should include changes in tactics, techniques, policies, procedures, frameworks adding on to redundancy dependencies, assets, hardening and guarding etc. To build conviction in the resilience of US critical infrastructure, regulatory frameworks will establish minimum cybersecurity requirements for critical sectors to strengthen current security posture.

2. Disrupt and Dismantle Threat Actors

This strategy focuses on handling malicious cyber actor’s incapable of threatening the national security or public safety of the United States by diligently using applications/ tools to disrupt bad actors, engaging the private sector, and addressing ransomware threats in collaboration with all stake holders .Working across with public and private sectors, the US will seek to address the ransomware threat and disrupt malicious actors. Addressing the ransomware threat through a comprehensive Federal approach and in lockstep with our global strategic partners.

3. Shape Market forces to drive Security and Resilience

Public Private Partnerships and services play a major role in placing the responsibility of building new eco system. There must be various initiatives taken to promote investment in secure infrastructure, liability for secure software products and secured services to protect the environment from most vulnerable threats. This strategy will primarily focus on who can better control cyber threats, including by shifting liability to software products and services.

4. Invest in a Resilient Future

This strategy primarily focuses on strategic investments, collaborative action, extended alliances, and partnerships to lead the world in the innovation of secure and resilient next-generation technologies and infrastructure. Reducing systemic technical vulnerabilities in the foundation of the Internet and across the digital ecosystem will help in building a more resilient business strategies and fight against transnational digital repression. Another key focus area is on building a resilient network to develop a robust national cyber workforce.

5 Forge International Partnerships to Pursue shared goals

The strategy seeks to leverage international coalitions and alliances and bolster defensive strategies to protect against cyberattacks. United States shall also work on leveraging international coalitions and partnerships among like-minded nations to counter threats to US digital ecosystem through joint preparedness, response, and cost imposition. Working with various allies and partners to make secure, reliable, and trustworthy global supply chains for information and communications technology.

All the five pillars provided above are primarily focussed to increase the cybersecurity governance structure, expand regulations of critical sectors, relook into liability frameworks for software security, increase the speed and scale of collaboration with the private sector to disrupt the threat actor groups and harmonize the cybersecurity regulations that apply to businesses.

Whether an organization is in the public or private sector, this National Cybersecurity Strategy will have an impact on upgrading or improving the current cybersecurity posture across critical sectors. Some of the key expectations are:

• Infrastructure Security in the core
• Minimum cybersecurity controls enabled within the organisations.
• Need Data Protection and its regulations complied.
• Protecting technology is a national security essential.
• Private enterprises are a critical dependency for national security.

Emerging trends in 2023 to protect the Data:

• Higher Data Privacy and Regulatory Pressures
• Threat Intelligence replacing huge dependencies on SOC operations.
• End point security priority increases
• Zero Trust replaces VPN.
• Increase of scrutiny in managing Third Parties
• Demand for Cyber Risk quantification increases
• Security on Mobile Devices ramp
• AI & ML need for Data Privacy Increases
• Need for Cloud Security increases in Cloud Computing

Industry Best Practices:

• Develop employee awareness culture within the DNA of the organization.
• Enable restricted access for all employees and implement MFA (Multi-Factor Authentication) to ensure multi-layer security.
• Create a data usage policy.
• Establishing a process for the backup and recovery of essential data.
• Install anti-virus software and keep all computer software patched on an ongoing basis.
• Update operating systems, applications, and antivirus software regularly.
• Reduce 3rd party / supplier dependencies.
• Disable pop-ups, unknown emails, and links to avoid Phishing / Social Engineering.
• Use Data Encryption.
• Use endpoint security systems to protect your data.
• Conduct an Annual Penetration test and Vulnerability assessment.

Currently, regulatory requirements and corresponding compliance burdens are continuing to expand globally, both with respect to applicable standard requirements and sector-specific demands. Adapting to changing regulatory requirements and handling fluctuating compliance obligations is itself now a key part of effective cybersecurity and data privacy governance. The U.S. commitment to international partnerships on cyber issues remains strong, and the Strategy emphasizes working with public and private partners to build a defensible, resilient, and values-aligned digital ecosystem.  Evolving shared goals requires a strong global cyberspace where responsible state support is expected and without which it is both costly and isolated.

About the Author :

Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – BFSI R&C
Tata Consultancy Services

Ms. Kavitha Srinivasulu has around 20+ years of experience focused on  Cybersecurity, Data Privacy & Business Resilience across BFSI, Financial  services, Retail, Manufacturing, Health care, IT Services and Telecom domains. She has demonstrated her core expertise in Risk Advisory, Business Consulting and Delivery assurance with diverse experience across corporate and Strategic Partners.She is a natural leader with versatility to negotiate and influence at all levels.

The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are only from her personal side and not representing her company viewpoints or sharing any of her customers views.

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post USA National Cyber Security appeared first on Industry4o.com.

As there is a significant growth in the industry trends towards adapting to various new technologies and models, organizations are adapting to various technologies accompanied by security threats in this new threat landscape. Increasing security vulnerabilities and data breaches has become one of the hot topics for discussion across the board due to the proven impact to business and reputation loss. Based on the incidents related to cyber-crime and data breaches, organisations are mandated to comply with privacy acts and regulatory requirements to prevent risks and safeguard the data. Significant fines for violating data privacy legislation aren’t the only reason businesses should strengthen personal data security, but also keeping in mind the exploitation of customers personal data which is highly critical to business.

The importance of data used across various industries and handled by the users are highly critical, this data handling weakness or data loss will affect the consumers faith on the organisation which in turn determines the company profit. The global privacy landscape is constantly evolving. It leaves companies and privacy professionals with the tough challenge of ensuring that their security posture is strong, compliant, and resilient in nature to safeguard the data from any unknown /unexpected disruptions. Privacy needs and data protection requirements will continue to increase in complexity as the regulatory landscape expands its reach and controls worldwide.

Some of the current Data Privacy risks and challenges:

1. Gaining clear visibility of data present within the organisation
2. Embedding data privacy within the existing security design of the organisation
3. Complying to various Privacy Acts and Regulatory requirements across the Geos
4. Ransomware attacks
5. Cross Boarder Data Transfer
6. Insider Threats
7. Unauthorised access controls
8. Inadequate Data Privacy Training and Awareness is weak
9. Emerging new technologies like AI, IoT, ML, Cloud computing etc.

There are various other privacy risks in the current threat landscape like exploitation of personal data, inadequate data security and weakness in privacy Governance. Data breaches or ransomware attacks are major challenges as they can expose personal data to potential misuse. Privacy trends are changing and developing different functionalities and models to data-centric protection controls such as CASB, and other privacy-preserving techniques for establishing collaborative data relationships with enterprises, such as embedding privacy principles in the current enterprise network, Privacy by design, Data Encryption, AI governance, applying threat intelligence etc.

With the evolving threats and vulnerabilities in the data protection space, there are some emerging trends in data privacy which we need to understand and adapt to with the right level of data protection controls to reduce threats.

Some of the emerging trends are :

1. Increased regulatory expectations and Demand

In the recent past, the focus on personal data protection and enabling stringent data security controls has grown intensively across all Geos. The legislation to secure the protection of data and privacy are not resilient in nature currently, however, organisations are struggling to overcome evolving privacy risks and staying compliant to regulatory requirements. Regulations are becoming more specific, and ambiguities are getting tighter to safeguard the data from any internal/external threats. There is a rapid progress among regulators in strengthening regulatory oversight across geographies to enable smooth cross boarder communications and data safety.

2. Data localisation

The most important part of data localisation is managing the overall data within the country to avoid issues related to cross boarder transfer without proper due diligence, data leaks, identity thefts, insider threats, data security etc. Data localisation helps the organisations to get more visibility on available data and easier to maintain. It’s getting adapted by organisations across the Geos to limit the physical storage and data processing within the boundaries of the jurisdiction. Many countries have implemented data localization process to reduce concerns over free data flow.

3. Artificial Intelligence and Machine learning adaption

The EU Artificial Intelligence Act is set to be established and released soon to match the emerging vulnerabilities accompanied with the AI Ops technology. This privacy act will classify AI applications into three risk categories and will apply to manufacturers of connected products.  The three categories are:

• Unacceptable / Critical Risk – AI systems found to be highly critical in nature and they are mostly used in critical infrastructures that could put the business at high risk if exploited or attacked.
• High risk – This includes tools like CV assessment software. These will be closely monitored.
• Low risk – These are all other apps that the AI Act doesn’t explicitly address.

4. Privacy by Design

Privacy by Design is a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business applications.  It’s involved in creating an engineering base privacy risk aware culture to handle data security in a very effective manner.

5. Zero Trust Security Model

Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. A Zero Trust model is a process defined to safeguard the data against ransomware, cyber-crimes, and cybersecurity threats by allocating the minimum required access to perform specific tasks.

In 2023, there will be a significant increase in the data privacy legislations, legal and regulatory requirements across the globe to safeguard the data. It is also expected to have high stringent rules that’s required for the organisations to follow overseen by regulators, there would be a development of privacy regulations at Geo levels specific to their environment, more investment in privacy by design and privacy technology, a trend toward a cookie less future, and other developments.

About the Author :

Ms. Kavitha Srinivasulu
Global Head – Cyber Risk & Data Privacy – BFSI R&C
Tata Consultancy Services

Ms. Kavitha Srinivasulu has around 20+ years of experience focused on  Cybersecurity, Data Privacy & Business Resilience across BFSI, Financial  services, Retail, Manufacturing, Health care, IT Services and Telecom domains. She has demonstrated her core expertise in Risk Advisory, Business Consulting and Delivery assurance with diverse experience across corporate and Strategic Partners.She is a natural leader with versatility to negotiate and influence at all levels.

The views and opinions expressed by Ms. Kavitha Srinivasulu in this article are only from her personal side and not representing her company viewpoints or sharing any of her customers views.

Ms. Kavitha Srinivasulu is Bestowed with the following Licenses & Certifications :

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/certifications/

https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/details/publications/

Ms. Kavitha Srinivasulu can be contacted at :

LinkedIn : https://www.linkedin.com/in/kavitha-srinivasulu-5619ab7/

Also read Ms. Kavitha’s earlier article:

The post Evolving Data Privacy Trends and Challenges in 2023 appeared first on Industry4o.com.