Nitin Bhatt, National Head and Partner, EY Risk Advisory, India shares his point of view about the evolution of cybercrimes and how organisations can manage the ongoing threat.
As disruptive innovations and new business models transform organisations and communities around the world, their sustainability is threatened by a plethora of cyber risks. We recently witnessed one of the largest cyber-attacks to date, “WannaCry”, which affected the lives of many individuals and enterprises. Indeed, criminals and nation states are increasingly attacking the technology assets of individuals, organisations and governments, stealing and selling valuable information and, in an alarming trend, paralysing critical infrastructure. With governments and enterprises increasingly leveraging the internet for mission-critical activities, cybersecurity continues to be a top imperative across the world.
Unfortunately, India Inc.’s response to cyber risks has not been robust. India ranks third globally as a source of malicious activities and its enterprises are the sixth-most targeted by cyber criminals. Cyber resilience is a critical boardroom imperative. The key challenge for Indian companies is that most view cybersecurity as an “IT issue”. Consequently, cyber risks do not get appropriate top management attention. This needs to change. The cyber threat landscape continues to evolve and presents new challenges to organisations every day. In response, organisations have learned over decades to defend themselves and respond better, moving from basic measures and ad hoc responses to sophisticated, robust and formal processes.
The following is an overview of the evolution of the threat landscape for cybersecurity.
There are three high-level components of cyber resilience:
• Sense: Sense is the ability of organisations to predict and detect cyber threats. This can be done by investing in cyber intelligence.
• Resist: Resist mechanisms are, in essence, the corporate shield against cyber-attacks. It begins with assessing an organisation’s risk appetite.
• React: If Sense fails (the organisation did not see the threat coming) and there is a breakdown in Resist (control measures were not strong enough), organisations need to be ready to deal with the disruption, with incident response capabilities and mechanisms in place to manage the crisis.
Significant progress has been made in taking measures to strengthen the corporate shield. In the last two to three years, we have also seen organisations focus more on their Sense capabilities. Most organisations, however, are lagging behind in preparing their reaction to a breach. Focus on cyber risks, not only on cybersecurity. A recent EY survey found:
• 75 per cent of respondents said that their cybersecurity function did not fully meet their organisation’s needs.
• More than half (61 per cent) of the respondents said that outdated information security controls or architecture were one of the biggest areas of vulnerability.
• 54 per cent believe that cyber-attacks are primarily targeted at disrupting or defacing the organisation’s websites or other digital assets, while they also believe that theft of IP or data continues to be an important risk.
• Surprisingly, only 58 per cent of the survey respondents from India fear that the next attack will be due to their employees’ carelessness or complicity, compared with 78 per cent of global respondents who consider this to be a likely source of attack.
Finally, the question remains: where should organisations focus to better resist today’s attacks?
Activate your defences: The survey revealed that 35 per cent of respondents have had a recent significant cybersecurity incident, which shows that there is still more work to be done to strengthen the corporate shield. Maturity levels are still low in many critical areas, and improving them would be a significant step forward for any organisation.
Take an unorthodox approach: In the face of today’s unpredictable and unprecedented cyber threats, a fail-safe approach can no longer be the only option. The new aim should be to design a system that is safe-to-fail. Future cybersecurity needs to be smarter as well as stronger, with a soft-resilience approach. This means that on sensing a threat, there are mechanisms that have been designed to absorb the attack, reduce the velocity and impact of it, and accept the possibility of partial system failure as a way to limit damage to the whole.
From protection to sacrifice: Technologies today make it possible to sacrifice portions of information or operations in the interests of protecting the larger network. If configured correctly to the organisation’s risk appetite, this can be performed as an automated response.
The role of leadership: Executive leadership and support are critical for effective cyber resilience. Unlike the Sense and traditional Resist activities, which can be seen as the domain of the CISO or CIO, cyber resilience requires senior executives to actively take part in and lead the ‘React’ phase.
The importance of reporting: According to the survey, 49 per cent say that those responsible for information security do not have a seat on the board. In this scenario, the board has to rely on reporting instead. Based on this response, it may seem like boards are not fully informed of one of the greatest threats to their organisations today.
Anticipating, and now actively defending against, cyber-attacks is the only way to stay ahead of cyber criminals. It’s not a matter of ‘if’ you are going to suffer a cyber-attack, it’s a matter of ‘when’ (and most likely you already have).
National Head and Partner –
EY Risk Advisory, India