Companies are required to adhere to data protection standards in order to secure citizens’ private information.

Citing an increasingly insecure cyberspace environment, the National Cyber Emergency Services Response Team (PKCERT) released data protection rules for organizations handling citizens’ personal information on Wednesday.

Protecting Pakistan’s digital assets, private data, and vital infrastructure against cyberattacks, cyberterrorism, and cyberespionage is the responsibility of PKCERT, a federal organization.

Companies that retain Personally Identifiable Information (PII) are subject to the advisory, which recommends short-, medium-, and long-term measures such as multi-factor authentication, improved encryption techniques, and sensitivity-based data classification.

According to the notification, “financial services, telecommunications and internet providers, commerce and logistics [companies], government agencies, healthcare institutions, educational entities, as well as third-party and outsourced service providers” are among the organizations that may gather, process, store, or transmit personally identifiable information.

According to PKCERT’s suggestions, businesses should upgrade their PII handling systems, retain PII only for as long as is required by law, and dispose of old data to prevent theft.

Additionally, it called on organizations to make sure that their procedures comply with the Prevention of Electronic Crimes Act of 2016 and the National Cyber Security Policy 2021 (NCSP).

The advisory states that as a matter of national security and public trust, the NCSP “mandates safeguarding the confidentiality, integrity, and availability of citizens’ personal data.”

Additionally, PKCERT urged security training for all employees managing personal information, an immediate examination of the methods that organizations have been employing to manage PII, and ongoing monitoring to prevent unauthorized access.

The cybersecurity body outlined potential threats and vulnerabilities and emphasized the importance of data protection, stating that “urgent remediation measures are required due to the growing sophistication of cybercriminals, the widespread exploitation of misconfigured systems, and negligent data handling practices.”

According to the advice, threat actors could include:

  • Cybercriminal Gangs: Making money off of stolen personal information through dark web marketplaces, phishing kits, and identity fraud.
  • State-Sponsored APT Groups: These groups use compromised citizen data for intelligence collection, political manipulation, and surveillance.
  • Hacktivists: They target organizations for ideological causes and frequently make private information available to the public.
  • Malicious Insiders: Employees or contractors who take advantage of privileged access for their own benefit or retaliation.

Inadequate data security can result in “identity theft, fraud, mass privacy breaches, operational disruption, erosion of public trust, national security risks, and legal and regulatory consequences,” according to PKCERT.

The alert advised people to take preventative steps like creating strong passwords, turning on multi-factor authentication, avoiding revealing personal information online, and only providing personal papers and CNICs when required.

In May, PKCERT warned the public to take immediate precautions after discovering that over 180 million Pakistani internet users’ login information had been compromised in a worldwide data breach.

The credentials of up to 2.7 million persons were compromised between 2019 and 2023, according to a Joint Investigation Team (JIT) established in March 2024 to look into a data leak from the National Database and Registration Authority (Nadra).

SOURCE: DAWN NEWS
