MiIdentity in conversation with Smit Kotadiya
The MiIdentity team sat down with Smit Kotadiya to discuss his professional journey, his experiences in the field of cyber security, and his recommendations for businesses and individuals to safeguard themselves in an increasingly digital world.
From an early age, Smit has been captivated by the world of technology. Fast forward to 2024, and he’s now a seasoned Cyber Security Consultant.
“I landed my first job in cyber security by identifying a vulnerability in the company’s portal,” recalls Smit. “After reporting it, I asked the person handling the issue to pass my resume along to HR. At the time, they had a job opening that required 2–3 years of experience, but I had just graduated from college! Despite that, I got an interview as they appreciated my initiative, and that’s how I got my first job in cyber security.”
Embracing ethical hacking
For many companies, the term ‘hacking’ conjures up visions of faceless criminals breaking into their systems to steal information and cause havoc. However, rather than fearing the hacking community, businesses should see ethical hackers as valuable partners in fortifying their defences and staying ahead of emerging threats.
“When you open yourself to the world, you will get more visibility from a real-world cyber security perspective,” says Smit. “If you are just hiring one penetration tester, you have one mindset within your company. But if you put yourself out there on a platform like HackerOne and others, you’re getting access to hundreds of people which increases the probability of finding vulnerabilities. Through this process you will also get a lot more data about your system which will help you with security and future events.”
By collaborating with ethical hackers, particularly through bug bounty programs, companies can continuously improve their security infrastructure, and gain proactive vulnerability detection, helping their team identify and fix security gaps before malicious actors exploit them.
A change in IT infrastructure
Over the past decade, companies have been steadily transitioning from on-premises IT infrastructure to cloud hosting. During this time, Smit has observed significant changes in the threat landscape, particularly with the rise of remote work culture. As businesses and employees increasingly operate remotely and rely on cloud computing, the security challenges have evolved dramatically.
“Remote and cloud has changed the threat landscape. Now hackers are mostly targeting the cloud environment, because the technology is new for people, and they don’t completely understand what kind of attacks can happen,” claims Smit. “Today, most people still don’t know what kind of misconfiguration their cloud systems may have, and that’s what hackers are leveraging. If you analyse breach patterns of IT infrastructure, most of the time it’s due to misconfiguration from a cloud perspective.”
As companies take their platforms and applications online with cloud providers, such as Azure, AWS, or GCP, users need to understand the shared responsibility of security and defending against cyber-attacks.
“With a shared responsibility model, if any attack happens to a cloud platform specifically, that provider is responsible. But, if any attack happens to your application which you have hosted on the cloud platform, you are responsible,” Smit explains, “and most people do not know that. They think that by using these platforms, they’re already secure, but it’s not like that. This is a fundamental problem that everyone needs to understand.”
Tools of the trade
Smit started consulting at a time when office network attacks were rife, with companies scrambling to secure their office networks with firewalls and configuring EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response). The ‘cloud boom’, as Smit describes it, has put the focus on EDR and XDR aimed at the cloud, endpoint, and network.
Traditionally, when under attack, analysts investigate through their system consoles one by one to pinpoint where the attack is originating. This method is time consuming, potentially resulting in deeper penetration and more damage. Now, by employing XDR solutions that ingest traffic from all end points, analysts can view their system information more efficiently resulting in faster response times.
“XDR solutions are now ingesting everything in my system – firewalls, network endpoints – everything in one console to show me my threat landscape. All the logs are collected in one place, so when any attack happens, I can open one single screen and can get all my data automatically from that same console.” says Smit. “There are a lot of solutions in the market that give predefined correlation rules, so if I find an attack from an endpoint, it’s automatically correlated with my firewall and email solution, showing me what’s happening within a few seconds. By having all the artefacts I need, I know exactly what my next step should be to respond, saving a lot of time by being able to articulate correctly.”
Defending against cyber attacks
Cyber security isn’t just a buzzword for enterprise. In the digital age, anyone who accesses the internet and shares information needs to learn how to protect themselves. Whether an employee at work or a person at home, cyber security awareness is Smit’s top recommendation.
“Everyone needs to invest in cyber security awareness,” he suggests. “Everybody should know not to click on untrusted links and to enable MFA (multi-factor authentication) on accounts.”
Smit also explains that it is key for companies to know if any of their company data or employees’ information is in the dark web. For example, by knowing your CFO’s personal information is available on the dark web, a company can build processes and procedures internally to mitigate risk.
Individuals can take proactive measures themselves to monitor the internet for their data. Websites such as haveibeenpwned.com let users submit their email address and receive insight into historic breaches that the address has been part of.
There are also more robust monitoring solutions available. The MiIdentity platform, for example, enables users to monitor their personal data – such as email address, phone number, national identity cards, and financial information – across the internet, dark web, and financial bureaus. Real-time alerts inform users when their data is found, and restoration support helps them secure their compromised data. In cases of monetary loss caused by an identity theft, users can receive insurance payments to help them mitigate the loss, for example to replace a stolen passport or reimburse lost funds after a fraudulent transaction.
“I appreciate the MiIdentity platform’s comprehensive approach to identity protection, particularly the focus on real-time alerts for identity discovery. This proactive feature is crucial in today’s digital landscape, where timely information can make a significant difference,” considers Smit. “Additionally, the inclusion of insurance is a unique and valuable offering for individuals. Addressing the financial aspect of identity theft truly sets MiIdentity apart in the market.”
The social media culture of sharing personal information is also of concern to Smit. We discussed a recent campaign by Deutsche Telekom depicting a girl’s image being stolen from a parent’s social media account and the potential for that to be used for deepfake to manipulate the parents and harm the child’s reputation. Smit has simple advice to avoid your data being used against you.
“Limit the amount of information you are giving out,” he says. “If you are posting everything about your life to the world, hackers and cyber criminals can use those pictures and information against you – you never know how it could be used by them and against you.”
Cyber security in India
India is making progress with data protection. In August 2023, the Indian Parliament passed the ‘Digital Personal Data Protection (DPDP) Act, 2023’, which aims to protect individuals’ personal data by regulating its collection, processing, and storage, while ensuring accountability and safeguarding privacy in the digital realm.
As the nation focuses on digitisation, businesses of all sizes and trades are collecting customer information – in many cases requesting sensitive information before completing transactions beyond what customers believe to be necessary. While the DPDPA offers some solace that data should be being handled lawfully and securely, Smit enthuses that individuals must remain vigilant.
“Companies are typically collecting customer information to make individual profiles and serve targeted advertisements,” he explains, “but often this data is then being sold to third parties, and customers are not aware of this or how their data will be used.”
In addition to the DPDPA, the government have devised initiatives to help its citizens protect their sensitive data, such as Masked Aadhaar, from UIDAI. Smit encourages people to make use of the initiative. By generating e-Aadhaar cards with digits obscured, people can provide their sensitive information with an additional layer of security, reducing the chance of their Aadhaar data being used for criminal purpose.
Utilising identity tracking tools is a practical approach to taking charge of your personal information online. MiIdentity is live in India, providing must-have visibility to individuals. Knowing your information and data has been leaked and is available is half the battle. By gaining visibility and awareness to your digital presence puts you in control.
Top tips for keeping your personal identity safe
Finally, we discussed tips that everyone should follow in their everyday lives – simple measures for individuals to ensure that their personal identities are not misused.
Smit recommends taking precautions when providing copies of physical documentation, by indicating clear intent for the data being provided and understanding what will happen with your data.
“When providing a copy of identification, write in clear text that this is only for use by who you are giving it to, not for any other purpose,” he suggests. “Your data is your responsibility, so ask questions. How are you storing this data? What is the limit you will store it for? What measures are you taking to secure it?”
Impersonation scams are also high on Smit’s priority list. A common tactic for scammers is call their victims, posing as authority figures, such as police officers, and demanding money to resolve a fictitious situation.
“This might be calling a parent and saying their child has been caught committing a crime, or that you have a parcel being held that has been found to contain illegal material such as drugs,” explains Smit. “The scammer will ask for a transfer of money to pay a bail or fine. People panic and fall for the scam.”
“People need to be super cautious of calls from unknown numbers and whatever they’re doing online,” he adds.
Interested in proactively monitoring your digital identities? Simply send us your name and email address to learn more.