Cyber-Security for Company Secretaries (CS 4 CS)

Introduction

Corporate life without computers and digital records is inconceivable today. Right from the formation of a company to its routine operations and when required, its dissolution, the use of computers and by inference the creation, maintenance, storage and retrieval of digital records is not just desirable, but inevitable.

Company being an economic entity managed for earning profits, the need to maintain confidentiality of information is necessary to enhance and retain its competitiveness and profitability. In addition, assuring its stakeholders privacy of their personal data maintained by the company goes a long way in building sustainability of the company. With corporate data created, maintained and stored in digital form, protecting and assuring cyber security is vital for the well-being of the corporate sector in the economy.

With the advent of cloud infrastructure and the use of internet, cyber security has assumed more importance as the data storage is not in the personal custody of the ‘owner’ or creator of the data. Hence the need for and the growth in technology to protect and secure data is rapid and expensive. To sum up, the growing use of cloud infrastructure combined with sophisticated technology to secure the data has made data on cloud much safer and provides many other benefits like planned disaster recovery mechanism and 24 by 7 access to data from anywhere using the internet.

Cyber Security, the Concept

Comprehensive information security for data stored and transacted digitally consists of protecting the data at three key stages, namely data at rest, data in transit and data in use.

1. Data at rest: A key feature in the digital world is the separation of input-output device from the data storage and data processing devices. This requires that the data storage unit is prevented from being accessed through unauthorized persons or from unauthorized locations.
2. Data in transit: Given that for digital data, the place of input-output device is separated from data storage and data processing modules, there is a need to secure the data when it moves to and from the input-output device to the data storage or processing  devices. While data-in-transit may not be at significant risk in desktop or laptop computing, it assumes critical dimensions when data is stored and accessed over the internet.

Data in use or Access control: Regulating access to the computer or the software containing the data. Access control in computers is regulated by using personal authentication mechanisms. Use of passwords and biometrics like fingerprints, face and voice recognition are some of the commonly used mechanisms. For data that requires higher level of security, two-factor or multi-factor authentication systems are used. One Time Password (OTP) is the most common second factor authentication for access control.

Further for data stored in the cloud or servers located outside the physical control of the user, security is enhanced by the use of firewalls, i.e. shields to prevent intruders, to protect the data and the application software on which is it hosted from unauthorized access by monitoring who is accessing the data by verifying their credentials.

Cyber Security, the techniques

Access controls for Data in Use: For data in use, access control can be built in so that only authorized users are permitted access. Access control can be of three distinct types:

1. an object in the possession of the authorized user to gain access. e.g. like a car or house key or a card used to access in hotels or offices,
2. an information known only to the user like a password or a secret code,
3. a physical part of the user like fingerprints, iris image or facial or voice recognition.

Of the three types enumerated above, the security level increases when we move from type 1 to type 2 and type 3, as the means of inadvertently sharing it is made more difficult, if not impossible. Access security can be further enhanced by using two factor and multi-factor authentication, where a combination of more than one access control techniques is used.

Encryption mechanism for Data at rest: Data in human readable form is called plain text. Data at rest is protected by converting plain text to ciphertext using encryption techniques. Common encryption techniques are substitution, where one set of characters are replaced by another set, and transposition, where the characters are rearranged to displace them from their original location.

Cipher data can be read by humans only after it is reconverted into legible form. Encryption techniques used for this conversion and reconversion are of three types:

1. Symmetric keys: in this the code used for encryption and decryption is the same.
2. Asymmetric keys: where one set of code is used for encryption and another set of code is used for decryption.
3. One-way hash: as the name denotes, it is used only for encryption and cannot be decrypted. Hence, they have limited application and are used for authentication systems like affixing digital signatures which do not need decryption.

Secure http for Data-in-transit: Data-in-transit is more vulnerable as it can be intercepted in transit by hackers and hence needs protection. The most popular form for achieving this is using SSL (Secure Sockets Layer) certificates. When SSL is added to a website, the web address is now prefixed with https, standing for hyper-text-transfer-protocol-secure, by adding the word secure.

SSL ensures data in transit is secure by following the five steps:

1. The user using their browser connect with the secure website and request for its identity
2. The website server sends its SSL certificate and its pubic key
3. The user’s browser verifies the certificate and its validity and sends a session key using the public key of the website
4. The website decrypts the session key using its private key and sends an acknowledgement key for the encrypted session to start.
5. All data transmitted between the website and the user’s browser are now encrypted using the private key and the secured information flow starts.

CS 4 CS (Cyber Security for Company Secretary)

Computers, internet and Company Secretaries go hand-in-hand. Hence awareness about cyber security is a must for all company secretaries as corporate information, including confidential and price sensitive information are shared over the internet in the form of board presentations, agenda and minutes for the board meetings and subcommittee meetings.

Company Secretaries should be aware of the risks associated with the means they use to communicate over the internet to ensure that it is trustworthy. For this at a minimum they should look for the following:

• “https” certification of websites before accessing them and/or transferring information over the internet.
• As cyber security is quite technical, ensure that they use software and services that are certified for cyber security. In this context, certifications like SOC (Service Organization Controls) certifications and ISO 27000 certifications are authentic for validating security.

SOC2 certification is for organization’s information security system prescribed by AICPA (American Institute of Certified Public Accountants) and ISO 27001, 27017 and 27018 certifies Information Security Management Systems (ISMS), Information Security on Cloud and protecting Personal Identifiable Information in Cloud respectively.