K7 Dialogue is an initiative from K7 Security that features interaction with cybersecurity experts and thought leaders to spread awareness and share real-world insight on how businesses can combat cyberthreats.
Sanjiv Ranjan (C-CRO, CRISC, CISSP, CISM, CCSFP, CTPRP, CDPSE, NACD-CYBER, C-CISO, ERM [UCLA]) has over 25 years of experience in leading Cybersecurity, Privacy, Compliance, Internal Audit, and Enterprise Architecture organisations across various industries including Biotech, e-Commerce, Financial Services, IT Services, Telecommunications, and Transportation. He has served as the CISO at multiple large multi-national companies, and is currently a consulting Cybersecurity and Compliance Risk Advisor for Roche Pharmaceuticals.
1. How has the pandemic impacted cybersecurity considerations in high-security industries like pharmaceuticals?
Most humans and companies, big and small, have had COVID-19 challenges. Most non-essential employees are working from home. The company network now extends to include individual employees’ home networks and devices, including laptops and phones. Like any other company, pharmaceutical companies had to ensure that their expanded network and data were protected. Zero-Trust and micro-segmentation have become a priority. We cannot control nature, but we must be prepared for what may come next.
2. What cybersecurity controls should large enterprises prioritise when transitioning to cloud-deployed applications?
- Comprehensive real-time visibility – Traffic Analysis, Privileged Access, and Configuration Changes – combined with threat intelligence feeds and ongoing red team exercises
- Access control – No internal user access without MFA. Strictly limit access to critical data; privileged user access attestation every 30 days
- Data Encryption – All data is encrypted in transmission, no exception. A limited number of users have access to the encryption keys
- Secure Service Accounts
- Secure code deployments
- Process to automate, prioritise, and mitigate vulnerabilities and patch challenges
- Effective boundary defence
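Two of the controls listed above (no internal user access without MFA, and privileged access attestation every 30 days) can be turned into an automated check over an exported user inventory. The following is an added example, not code from the interview or from K7 Security; the record layout, field names and the sample users are constructed for illustration, and a real deployment would read the same fields from its identity provider's export.

```python
"""Access-policy audit over a constructed user inventory (added example).

Encodes two controls from the answer above as checks that run against a
list of user records:
  - every internal user must have MFA enabled
  - every privileged user must have an access attestation no older than 30 days
Record format, field names and sample data are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Policy constant from the answer: privileged access attested every 30 days.
ATTESTATION_MAX_AGE = timedelta(days=30)


@dataclass
class UserRecord:
    """One row of the (hypothetical) identity export."""
    username: str
    privileged: bool
    mfa_enabled: bool
    last_attested: Optional[date]  # None means never attested


@dataclass
class Finding:
    username: str
    control: str   # "MFA" or "ATTESTATION"
    detail: str


def audit_users(users: List[UserRecord], as_of: date) -> List[Finding]:
    """Return one Finding per control violation, in inventory order."""
    findings: List[Finding] = []
    for u in users:
        # Control: no internal user access without MFA, no exceptions.
        if not u.mfa_enabled:
            findings.append(Finding(u.username, "MFA", "internal access without MFA"))
        # Control: privileged access must be re-attested at least every 30 days.
        if u.privileged:
            if u.last_attested is None:
                findings.append(Finding(u.username, "ATTESTATION",
                                        "privileged access never attested"))
            else:
                age = as_of - u.last_attested
                if age > ATTESTATION_MAX_AGE:
                    findings.append(Finding(u.username, "ATTESTATION",
                                            f"last attested {age.days} days ago"))
    return findings


def is_compliant(users: List[UserRecord], as_of: date) -> bool:
    """True only when the inventory produces no findings."""
    return not audit_users(users, as_of)


# Constructed sample inventory; usernames and dates are made up.
SAMPLE_USERS = [
    UserRecord("alice", privileged=True, mfa_enabled=True, last_attested=date(2021, 6, 1)),
    UserRecord("bob", privileged=True, mfa_enabled=True, last_attested=date(2021, 4, 10)),
    UserRecord("carol", privileged=False, mfa_enabled=False, last_attested=None),
    UserRecord("svc-backup", privileged=True, mfa_enabled=True, last_attested=None),
]
AS_OF = date(2021, 6, 20)  # the date the audit is run (constructed)

if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS, AS_OF):
        print(f"{f.username:12} {f.control:12} {f.detail}")
    print("compliant:", is_compliant(SAMPLE_USERS, AS_OF))
```

Running the script on the sample data reports bob (attestation 71 days old), carol (no MFA) and svc-backup (privileged, never attested); alice, attested 19 days before the audit date, produces no finding. The attestation check is written against an explicit `as_of` date rather than `date.today()` so that the same export can be re-audited deterministically and the result attached to an audit record.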
3. Data privacy regulations vary across nations and even within nations. Are there any best practices you can recommend to help companies avoid compliance risk as they expand their operations?
Privacy is a fundamental right of all humans across the globe. Each of us has the right to our lives and our data, including the right to know who has access to our data and why. This right should not be based on boundaries but should be seen as a universal right of all humans. Here are a few things any company can do to protect their employee and customer data:
- Ensure all personal data – including Race (Caste), DOB, Health Information/Records, Address, Political Beliefs – is protected from unauthorised use. All access is enabled on a need-to-know basis. All access to personal data is managed and monitored
- Different countries may have additional regulations when it comes to data privacy. However, at the simplest level, if you follow GDPR, you will meet 90% of the world’s data protection requirements and a lot more, including all of Europe, Japan, the USA, Brazil, Australia, Singapore, etc. That will be a great start
4. Based on your experience in developing IT security for various industries, what cybersecurity factor is often deprioritised by businesses but should receive greater attention when preparing to counter emerging cyberthreats?
Digital transformation is core to business growth and customer satisfaction. Data drives digital transformation. For the business’s success, it is critical to ensure that team members have access to the right data at the right time to make efficient and risk-managed decisions. However, internal and external hackers are also trying to access these business crown jewels – PHI, PII, Customer Information, Intellectual Property, Sales and Financial Data, etc. This is a significant challenge for security teams. Most security teams do not have a comprehensive view of what constitutes critical data and where it is stored – in the data centre, in the cloud, on users’ laptops, or at a vendor site. Identifying corporate crown jewels and implementing proper controls to protect them is a complex and time- and resource-intensive task that gets postponed. Data loss is business lost. Let us make sure the security team knows what our crown jewels are and where they are, and ensure they are well protected and secured from internal and external threats.