Is banning the right solution to dealing with problem apps? [Q&A]
Lots of apps are potentially transmitting and saving user data without express permission and this has led some administrations to consider bans.
In May, Montana passed the first bill to ban TikTok statewide due to data concerns, and India has banned 60 apps, including TikTok, claiming they were transmitting user data back to China.
We spoke to Hexnode CEO, Apu Pavithran who believes that bans are unenforcable and CISOs must take matters into their own hands when it comes to app and web management and security.
BN: How is the cyber threat landscape evolving as more and more governments aim to boost the emerging data economy and society?
AP: The cyber security landscape is changing in various ways as more governments try to support the developing data economy and society. One of the main features of this progression is the rise in supply chain attacks, sophisticated cyberattacks, bigger target surfaces, and evolving technologies and hazards. Governments now devote more funds to developing cutting-edge cyber capabilities as a result of the data economy's expansion. Attackers are creating sophisticated strategies and using advanced persistent threats (APTs), zero-day exploits, and social engineering techniques to compromise government networks and systems. Governments frequently rely on several suppliers and third-party vendors to supply technologies and services. Because of the risk this interconnection generates, cybercriminals may attack government systems by taking advantage of weak points in the supply chain.
Attacks on the supply chain, like the one that happened to SolarWinds, have the potential to affect several organizations at once. Governments must prioritize strong cybersecurity measures, improve coordination with the private sector and global partners, invest in cutting-edge defense capabilities, and encourage cybersecurity awareness and education among their citizens in order to address the expanding cyber threat landscape.
BN: With the overuse of social media apps and AI technologies, what are the security vulnerabilities and what measures can be taken in order to make the workplace secure from potential threats?
AP: When considering digital expansion with conversational AI, there are several key security gaps and measures that need to be addressed. One of the key considerations includes Data Privacy. Conversational AI technologies often involve collecting and analyzing whatever data is provided to it. It is crucial to ensure robust data privacy measures are in place to protect user information. This includes implementing strong data encryption, anonymization techniques, and ensuring compliance with relevant data protection regulations such as the General Data Protection Regulation (GDPR).
With user-generated content playing a significant role in platforms like TikTok, it is vital to have effective content filtering mechanisms in place. These mechanisms should employ advanced technologies like natural language processing and image recognition to detect and prevent the dissemination of malicious or inappropriate content.
Another major cause of concern is the Third-Party Integration Security. When integrating conversational AI technologies with other systems or third-party applications, security considerations should extend to those integrations as well. Thoroughly vetting and auditing third-party providers for their security practices is crucial to ensure the overall ecosystem remains secure.
BN: Is banning the only option when it comes to keeping 'trust' in check?
AP: No, there are alternatives to a total ban that can be used to maintain public trust. While banning a platform or technology may be one strategy in some situations, it is not always the best or most practical choice. Instead, a variety of strategies can be used to uphold trust while addressing issues. The first step is to implement clear regulations and standards. Regulatory frameworks can set standards for appropriate conduct and impose penalties for non-compliance, promoting user confidence. By making investments in strong security measures like encryption, safe authentication methods, and frequent security audits, this can be improved even further.
Protecting user data and reducing security risks can be achieved by implementing privacy-enhancing technologies and industry best practices. Companies should also take responsibility for their actions, be open about how they handle user data, and address any risks. Building trust can be facilitated by promoting transparency in technology platform operations, including data usage policies, algorithms, and content moderation procedures. Trust in the technology or platform can be increased by providing users with simple options for managing their privacy preferences, controlling the information they share, and understanding how their data is used.
It's crucial to remember that the specific strategy for preserving trust will vary depending on the situation, available technology, and issues at hand. An approach that is well-rounded and multifaceted and combines security improvements, regulatory controls, transparency, user empowerment, and collaboration is frequently more successful in fostering trust and addressing potential risks than a blanket ban.
BN: As mobile devices take over communication and collaboration, how can the public sector ensure utmost security and prevent devices from being wrongly utilized?
AP: As mobile devices become increasingly prevalent in the public sector, ensuring utmost security and preventing their misuse is indeed crucial. Some of the basic measures to begin with includes implementing a strong device management strategy. This includes features such as remote device tracking, data wiping, and policy enforcement. MDM solutions provide a centralized platform for managing and securing mobile devices. They offer features like app whitelisting and blacklisting, device encryption, and remote configuration management. Mobile Device Management (MDM) solutions enable organizations to enforce security measures, track device usage, and quickly respond to potential threats.
In order to add an extra layer of security, strong authentication mechanisms can be used. For example, multi-factor authentication (MFA) on mobile devices adds an extra layer of security. This helps prevent unauthorized access even if the device is lost or stolen. Another major cause of concern is the attack during a data transfer over any network. Establish secure connections for mobile devices by using virtual private networks (VPNs) or secure network protocols can address this concern. This encrypts data transmissions and protects sensitive information from interception. Apart from this, IT security hygiene must include regular updating of software and firmware, conducting security audits and assessments, regularly monitoring and analyzing device activities and encouraging responsible device usage.
BN: With fast-paced digitization, how can the public sector define the IT security perimeter without limiting the scope of growth?
AP: Defining the IT security perimeter in a fast-paced digitization era is a complex task for the public sector. It requires striking a balance between protecting critical assets and enabling growth and innovation.
The best approach is implementing a Zero Trust Architecture supported by Data-Centric security. This will help the public sector to move away from traditional perimeter-based security models and adopt a Zero Trust Architecture (ZTA) approach. It employs strict identity verification, continuous monitoring, and access controls based on user context and behavior. This approach provides granular security controls without limiting growth and innovation.
Implementing strong data encryption, access controls, and data classification to ensure that sensitive information is protected regardless of its location or the devices accessing it supplements this approach. ZTA assumes that no user or device should be inherently trusted, regardless of their location or network connection.
With the implementation of cloud technologies, the emphasis on considering a robust Identity and Access Management (IAM) solution is crucial to protect critical resources. Implementing multi-factor authentication, strong password policies, and regular access reviews will strengthen the security standards. And lastly, in order to be proactive when it comes to IT security in the public sector, implementing a robust monitoring system to detect and respond to security incidents promptly with the help of security information and event management (SIEM) solutions, intrusion detection systems, and endpoint protection is essential.
By adopting these strategies, the public sector can define an IT security perimeter that is adaptable, scalable, and focused on protecting critical assets while allowing for growth and innovation in the rapidly digitizing landscape.