Go Digit General Insurance Limited is a non-life general insurance company incorporated in the year 2016. The company, based in Bengaluru, offers non-life general insurance solutions through its digital platform. GoDigit covers a wide range of insurance, mostly health, car, travel, commercial vehicle and jewellery, to name a few. The organization aims to put its customers first in all circumstances, be it buying insurance online or filing claims.
DynamicCISO spoke to Samrat Bhatt, CISO, Go Digit General Insurance, who shared his views on the business continuity strategy of the company during Covid-19. He says that Go Digit has an advantage, being born as a cloud-based company with an inherent advantage of a cloud-based data center that can be administered and monitored from anywhere. In case of a local disruption where users can’t access the office, it was always relatively easy for Digit to switch to a work-from-home or other-location option. So business continuity is a part of the business strategy, and as WFH (work from home) is now mandatory, we are going on with it, considering the safety of our employees and as a mandate.
To achieve this continuity and keep the business processes running, several initiatives and projects were undertaken to identify all the critical business processes within the organization and the key resources within all the critical departments.
At the infrastructure level, it was also assessed whether there are any dependencies if users are required to work from home. BCP tests were conducted, and the results guided us to tweak the requirements to achieve the desired results. The learnings from the BCP test runs showed us the way to achieve total work from home in case of any emergency.
At the same time, boardroom communication during Covid-19 clearly stated that all employees must safeguard themselves and also the customers who have taken our policies. As an insurance company, there is a lot of responsibility on Digit to make sure that all claims are settled in time and that work as usual is not hampered below a defined level.
The most challenging task as a CISO always remains keeping pace with the ever-changing threat landscape. This also includes collaboratively increasing information security awareness in the organization and making sure all security protocols are followed strictly, says Samrat Bhatt.
DynamicCISO: Protecting critical customer data assets in a world that continues to digitize and go more online is important. As a CISO, what steps are you taking in your organization?
Samrat Bhatt (SB): Data security is becoming tougher these days, mainly because digitization and the use of cloud storage have grown. A CISO must be aware of all the processes and departments that are directly or indirectly responsible for accepting, processing, saving and reporting customer data, and especially PII (Personally Identifiable Information).
In our organization we have ensured that the InfoSec team knows all the teams performing the above tasks. The following steps are performed:
- Who accepts the data – We identify all channels through which customer-critical data is accepted, by which team and through which application.
- What is the format of the data (physical, scanned PDFs, JPEGs, GIFs etc.)?
- Where is the data stored after it is accepted?
- How is the data stored? If in databases (DBs), then which DBs, or which intermediate tables or flat files?
Once we have all these details, we make sure that all the critical fields of the data are encrypted or the whole DB is encrypted at times. Any data that the marketing team wants to publish on the site or make a report goes through a Security and Legal review to make sure we don’t publish something that should not be published.
The chain is as strong as its weakest link, and for all organizations the weakest link is the employees. We can implement 100 technologies, but if our employees are not aware of the risks posed by threat actors, all technologies will fail. So every organization must make efforts to make sure the user awareness program for InfoSec is at the top priority.
DynamicCISO: The threat landscape is constantly evolving and any Cyber security program is only good for a limited period. Are there metrics to measure the effectiveness of your InfoSec program?
Samrat Bhatt: The threat landscape is very agile and always changing, and to thwart the same our cyber security program is also very agile and adaptable. We have adopted a risk-based approach for cyber threat evaluation and assess all our critical services based on the risks they face and apply mitigation respectively.
To track the effectiveness of the InfoSec program we use the following metrics:
- Removal or adjustment of access rights (Access Control Matrix results) – To ensure that access control is stringent and under control.
- DLP (Data Loss Prevention) alerts list – This provides insight into possible accidental or intentional DLP events; the more events there are, the more education is required.
- End Point Security (Servers / Laptops / Desktops)
- Patching (OS, Application) status
- Controls against malware – Virus detections, AV DAT updates.
Addressing security within supplier agreements remains one of the crucial processes. At the same time, we track the management of technical vulnerabilities, including VA/PT findings closure data and SOC alerts closure status.
For any sort of data leakage or data loss prevention, we have taken all measures to ensure that data security remains our topmost priority. Our organization also gives the utmost importance to information security awareness, education and periodic training.
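The metrics above are listed but not computed in the interview. The following is an added example, not code from the interview or from Go Digit, showing one way to turn those metrics into numbers from constructed sample records: access review results, DLP alerts, endpoint patch and AV signature (DAT) dates, VA/PT findings and SOC alert closure. The field names, thresholds and records are all assumptions made for illustration.

```python
"""Added example (not from the interview or Go Digit): InfoSec programme
metrics computed from constructed sample records. Field names, thresholds
and the records themselves are assumptions."""
from collections import Counter
from datetime import date

TODAY = date(2020, 4, 30)  # constructed reporting date

# Access Control Matrix review: entitlements the last review did not re-approve
ACCESS_MATRIX = [
    {"user": "alice", "system": "claims-db", "approved": True},
    {"user": "bob",   "system": "claims-db", "approved": False},
    {"user": "carol", "system": "crm",       "approved": False},
    {"user": "dave",  "system": "crm",       "approved": True},
]

# DLP alerts from the email and endpoint channels (constructed)
DLP_ALERTS = [
    {"user": "bob",  "channel": "email",    "severity": "high"},
    {"user": "bob",  "channel": "endpoint", "severity": "low"},
    {"user": "erin", "channel": "email",    "severity": "medium"},
]

# Endpoint inventory: last OS patch date, AV DAT date, malware detections
ENDPOINTS = [
    {"host": "lt-001", "os_patched": date(2020, 4, 20), "av_dat": date(2020, 4, 29), "detections": 0},
    {"host": "lt-002", "os_patched": date(2020, 2, 1),  "av_dat": date(2020, 4, 1),  "detections": 2},
    {"host": "srv-01", "os_patched": date(2020, 4, 25), "av_dat": date(2020, 4, 30), "detections": 0},
]

# VA/PT findings and SOC alerts with their closure status (constructed)
VAPT_FINDINGS = [
    {"id": "F-1", "severity": "critical", "status": "closed"},
    {"id": "F-2", "severity": "high",     "status": "open"},
    {"id": "F-3", "severity": "low",      "status": "closed"},
]
SOC_ALERTS = [
    {"id": "A-1", "status": "closed"}, {"id": "A-2", "status": "open"},
    {"id": "A-3", "status": "closed"}, {"id": "A-4", "status": "closed"},
]


def access_rights_to_remove(matrix):
    """Entitlements the review did not re-approve; each one is a removal action."""
    return [(r["user"], r["system"]) for r in matrix if not r["approved"]]


def dlp_alerts_by_user(alerts):
    """Alert count per user; repeat offenders are the first candidates for training."""
    return Counter(a["user"] for a in alerts)


def days_old(d, today=TODAY):
    return (today - d).days


def patch_compliance(endpoints, max_age_days=30, today=TODAY):
    """Fraction of endpoints patched within the assumed window."""
    ok = sum(1 for e in endpoints if days_old(e["os_patched"], today) <= max_age_days)
    return ok / len(endpoints)


def stale_av_dat(endpoints, max_age_days=7, today=TODAY):
    """Hosts whose AV signatures are older than the assumed window."""
    return [e["host"] for e in endpoints if days_old(e["av_dat"], today) > max_age_days]


def closure_rate(items):
    """Share of findings or alerts that have been closed."""
    return sum(1 for i in items if i["status"] == "closed") / len(items)


def open_high_findings(findings):
    return [f["id"] for f in findings
            if f["status"] == "open" and f["severity"] in ("critical", "high")]


def metrics_summary(today=TODAY):
    """One dashboard row per metric, with a simple status against assumed thresholds."""
    patch = patch_compliance(ENDPOINTS, today=today)
    return {
        "access_removals_pending": len(access_rights_to_remove(ACCESS_MATRIX)),
        "dlp_users_needing_training": [u for u, n in dlp_alerts_by_user(DLP_ALERTS).items() if n >= 2],
        "patch_compliance": round(patch, 2),
        "patch_status": "green" if patch >= 0.95 else "red",
        "stale_av_dat_hosts": stale_av_dat(ENDPOINTS, today=today),
        "malware_detections": sum(e["detections"] for e in ENDPOINTS),
        "vapt_closure_rate": round(closure_rate(VAPT_FINDINGS), 2),
        "open_high_findings": open_high_findings(VAPT_FINDINGS),
        "soc_closure_rate": round(closure_rate(SOC_ALERTS), 2),
    }


if __name__ == "__main__":
    for name, value in metrics_summary().items():
        print(f"{name}: {value}")
```

Each function returns the raw value rather than printing it, so the same code can feed a dashboard or a monthly report; the thresholds in `metrics_summary` (30-day patch window, 7-day DAT age, 95% compliance) are placeholders to be replaced by the organization's own policy values.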
DynamicCISO: What kind of technologies have you deployed to automate the process of malware detection or even understanding human behavior?
Samrat Bhatt: Data volume has been growing exponentially, dramatically increasing opportunities for theft and accidental disclosure of sensitive information, and that is the reason security is essential in every layer. Keeping that in mind, we have deployed the following technologies to protect sensitive customer data:
We have our DLP (email and endpoint), as this identifies, monitors and protects data in use and data in motion on our network. Internal email threats can result from a compromised email account, a malicious employee or the unintended consequence of human error. And no single security control is 100% effective, so we have tightened our email security.
We have introduced Webproxy which again reduces the chance of a breach. Proxy servers add an additional layer of security between your servers and outside traffic. A proxy server is used to create a single web address to serve as the access point. The proxy will also balance the requests to each server so none overloads. All of this works in the background to ensure a seamless customer experience on your website.
We have in place CASB (Cloud Access Security Broker), IP whitelisting for limiting the data access and Endpoint Protection that includes – AV, Machine Learning, Virtual Patching, Vulnerability Protection etc, WAF (Web Application Firewall), SOC – with EDR and UBA.
DynamicCISO: What is your take as a CISO on WFH (work from home) strategies and best practices?
Samrat Bhatt: As per my understanding, all InfoSec professionals must secure their home networks; the home router must be updated with the latest firmware. Using a VPN (virtual private network) on the work PC / desktop would be the next main thing, and avoiding any unwanted websites, apps etc.
We should also understand what type of communication we are using. In the present circumstances, using only official emails for work communication would be the best thing to do. For remote working, tools provided by the organization should be used. At this time, ensure all devices are patched with the latest updates and backed up. Keep your antivirus updated and restart your systems regularly.
Beware of phishing attacks. Always be cautious of suspicious emails. Look at the ‘from’ email address: is it spelled correctly? Always delete emails you are not expecting. It is crucial to be in touch with the security teams of your organization, so in case of any incident, reaching out to those teams would be the best approach. Lastly, user awareness must be done regularly regarding scams, phishing attacks and secure working.
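The "is the from address spelled correctly?" check above is something a mail gateway or a user-facing warning banner can do automatically. The following is an added example, not code from the interview or from Go Digit, that classifies the sender of a `From:` header against a constructed allowlist of expected domains and flags lookalikes: digit-for-letter substitutions, small edit distances, a trusted name buried in an unrelated domain, and a trusted brand in the display name with an unrelated address. The allowlist, the confusable map and the "last two labels" shortcut for the registrable domain are all assumptions for illustration (production code would use a public-suffix list).

```python
"""Added example (not from the interview): a defender-side sender-domain
check for the 'is the from address spelled correctly?' advice. Allowlist,
confusable map and sample headers are constructed for illustration."""
import re

TRUSTED_DOMAINS = {"godigit.com", "dynamicciso.com"}  # constructed allowlist

# Characters commonly swapped for letters in lookalike domains (assumed map)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "8": "b", "9": "g"})


def levenshtein(a, b):
    """Plain edit distance; small enough for domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_from):
    """Domain of the address in a From: value ('Name <user@dom>' or 'user@dom')."""
    m = re.search(r"<([^>]+)>", header_from)
    addr = m.group(1) if m else header_from.strip()
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].lower().strip()


def display_name(header_from):
    """Display name before '<', lowercased; empty for bare addresses."""
    m = re.match(r'^\s*"?([^"<]*)"?\s*<', header_from)
    return m.group(1).strip().lower() if m else ""


def registrable(domain):
    """Crude registrable domain: last two labels (assumption; use a PSL in production)."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(header_from, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'brand-in-display-name', 'lookalike', 'external' or 'malformed'."""
    domain = sender_domain(header_from)
    if domain is None:
        return "malformed"
    reg = registrable(domain)
    if reg in trusted:
        return "trusted"
    brand_names = {t.split(".")[0] for t in trusted}
    # Trusted brand shown to the user, but the address is not from a trusted domain
    if any(b in display_name(header_from).replace(" ", "") for b in brand_names):
        return "brand-in-display-name"
    # Undo digit-for-letter and two-glyph substitutions before comparing
    normalised = reg.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    reg_name = reg.split(".")[0]
    for t in trusted:
        t_name = t.split(".")[0]
        if normalised == t or levenshtein(reg_name, t_name) <= 2 or t_name in domain:
            return "lookalike"
    return "external"


# Constructed sample headers, one per category
SAMPLE_HEADERS = [
    "Samrat <s@godigit.com>",
    "alerts@mail.godigit.com",
    "support@g0digit.com",
    "it@godigit.com.example.net",
    "Go Digit Claims <claims@example.org>",
    "news@example.org",
    "not an address",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{classify_sender(h):24} {h}")
```

Anything other than `trusted` is a candidate for a warning banner or a quarantine rule; the check deliberately errs towards flagging, because the cost of a false positive (a user double-checking with the security team) is far lower than the cost of a missed lookalike.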
As this time is very crucial for all of us, says Bhatt, wise investment in controls and business resiliency is of primary importance to keep focus. There will be cost cutting in every department, but prioritizing the important areas would be the best approach, so that the cyber security requirements are met at every level.