
Sanjaya Kumar, MD, is the CEO of cybersecurity company SureShield, Inc. Dr. Kumar has more than 25 years of healthcare compliance, risk management, and security experience. In an exclusive interview with Cyber Intelligence, he outlines the challenge presented by the current environment of data overload and some of the steps organizations should take to mitigate the associated risks from it.
Cyber Intelligence: People have spoken of companies suffering from data overload – how big a problem is this?
Sanjaya Kumar: Rapid evolution and adoption of connected devices, artificial intelligence (AI), and increasingly ready access to harnessing data across multiple channels is exponentially increasing the volumes of data that companies have at their disposal and use. For example, in the USA, personal data is already big business and growing year over year at a rate of eight percent. With data breaches and system hacks also on the rise, exposing millions of customer records on the dark web, companies are learning the high risks associated with amassing large volumes of data and securing it with the required access-level controls when in use and when stored.
Cyber Intelligence: In what way is ‘big data’ already ‘big business’ and what challenges does this pose for the data-fueled ecosystem we live in today?
Sanjaya Kumar: Over the last decade, corporations have realized the power of different facets of data and the value that can be realized from mining their data troves. The larger the datasets, stretching over periods of time, the more they can derive deep insights at both the population and individual levels. Today, corporations probably know more about us than we do about ourselves. There are businesses that are focused on only harnessing data and mining for insights that are then sold to other companies to drive their sales and marketing campaigns. Also, huge chunks of personal data are often now sold to third parties. The challenging part is protecting personal data when large quantities of it are bought and sold, changing hands many times. Today, companies are not doing third-party cybersecurity checks or assessments to determine how their data is going to be secured and protected from data breaches and system hacks. Very few companies actually do due diligence on the security of third-party systems today. In my opinion, we have to move away from just signing terms on an agreement to an active mode of ensuring that outsourced vendors have the necessary controls to protect personal data from exposure.
Cyber Intelligence: If people’s data is compromised at some stage, how will they react?
Sanjaya Kumar: In most cases, people have become immune or resigned to the fact that a large portion of their personal data has been exposed already in some data breach or other. In the US, we live in a very litigious environment, so folks are always tempted to sue if they find that their personal data has been compromised. However, most large corporations, when a data breach is made public, provide some form of remuneration to their customers to appease them and perhaps avoid a more costly legal suit. Aside from the people affected, the companies reporting data breaches face regulatory scrutiny and penalties. The average cost of a data breach for companies today is more than $4.5 million.
Cyber Intelligence: How can companies insure themselves against the likely repercussions of compromised customer data?
Sanjaya Kumar: In the USA and the UK, there is now a widespread trend for corporate cybersecurity insurers to run compliance and security risk assessments, and active checks through their clients’ network ecosystems, to identify any existing threats and vulnerabilities. They require their customers to correct any compliance gaps and apply remediations to mitigate any risk from threats identified. To do this, they offer a reduction in insurance premiums. It is sort of like if you have a car alarm and you park your car in a garage, you get a discount on your car insurance. Following the initial compliance and security risk assessments, companies are increasingly being obligated to carry out regular active security scans of their IT environment.
Cyber Intelligence: How can organizations start reducing and safeguarding the vast mountains of personal data they hold?
Sanjaya Kumar: To do this, organizations need to establish policies and procedures on how long they want to keep discrete personal data as opposed to derived and summary-level information, such as insights from their data analytics programs. Discrete personal data should not be kept for longer than its use in deriving the results of the analytics. After this, personal data needs to be encrypted and archived in a secure location. Outdated personal information should be deleted on a regular basis where appropriate. We should all note that the weakest link in any security chain is people within companies and the vendors that they work with. Over 70 percent of data breaches result from cybercriminals getting through a company’s defenses through a phishing exercise. With AI, phishing attacks are becoming even more sophisticated and complex. I cannot overstate the importance of staff cyber-training and increasing staff awareness. This is now essential so that unwitting employees do not, for example, fall for phishing lures and click on weaponized links embedded in fake emails from unsolicited sources.