Cyber security incidents on the rise in Indian enterprises, but information security function not keeping pace

Burgess Cooper
Partner – Information & Cybersecurity, Ernst & Young

We are living in a globally connected world, fuelled by the growth in connected-devices and advances in communication technologies. The digital age and the inherent connectivity of people, devices and organizations is rapidly providing opportunities for innovation, and businesses have turned their attention to significant benefits such as creation of new products/markets and better understanding of the consumers.

While the opportunities are abundant, many organizations tend to overlook the risks associated with the digital world. After land, sea, air and space, warfare has entered the fifth domain: cyberspace. As many organizations have learnt the hard way, cyber-attacks are no longer a matter of if, but when. Cyber attackers are increasingly getting relentless and often politically motivated. As old sources of cyber threats evolve, new sources are emerging to add to the complexities for the organizations. Cyberattacks have become more sophisticated and harder to defeat over time. The nature of threats is only expected to become more complex over the next five or 10 years.

Cyber incidents and associated damages on the rise in India

According to EY’s Global Information Security Survey (GISS) 2015, which involved more than 200 Indian CIOs and CISOs, approximately 20% of respondents reported financial damages up to INR15 million due to information security incidents over the past year.

More importantly, 27% of the respondents reported that they were unaware of the extent of financial damage due to information security incidents. This combined with the fact that close to 40% of respondents reported that their Security Operations Center (SOC) takes more than four hours to initiate an investigation on discovered/alerted incidents, highlights the vulnerability of Indian organizations to security incidents.

The cumulative effects of an information security incident on an organization can be huge and can affect different functions of the business. These include loss of sales and competitive advantage, loss of public trust and other legal costs.

Look within – the enemy is inside

Cyber-attacks originate from a multitude of sources, including but not limited to criminal syndicates, hacktivists, lone wolves, and external contractors among others. The Global Information Security Survey found that 70% respondents considered hacktivists and 55% considered criminal syndicates as the most likely source of attack.

However, what is astonishing is the fact that close to 50% of the survey respondents considered employees and internal contract staff as the main source of cyber-attacks. Considering the fact that these cyber criminals (employees) can spend months inside the organization and know the most vulnerable entry points, counter-measures need to be devised around areas of most value and highest risk in order to minimize the damage from cyber incidents.

Growing adoption of SMAC technologies brings cyber security risks

The coherence of social media, mobile, cloud and analytics (SMAC) technologies will impact the manner in which technology is consumed. While the adoption of SMAC technologies can make organizations agile and generate new revenue streams, they also have security implications due to issues around privacy and data security. Adding to this challenge is the fact that more than 40% of the survey respondents reported that they did not have a role or department in their information security function to analyse the impact of emerging technologies on information security.

More enterprises are adopting cloud computing, due to the associated benefits such as low initial investments and the ability to scale on demand. As a result, more organizations are moving data to the cloud, most likely with third parties. This leads to a loss of control and exposes sensitive organization data.

Humans are one the weakest links in cybersecurity and human error plays a significant role in security incidents. The growing proliferation of mobile devices and the advent of bring your own device (BYOD) in the workplace exposes organizations to certain risks such as exposure of corporate networks to unauthorised mobile apps, uncontrolled data sharing through file-sharing tools. This fact is validated by the Global Information Security Survey, where 33% of the respondents felt vulnerable in relation to careless or unaware employees and 28% from the use of mobile computing.

Many organizations still face issues in effectively addressing cyber-security threats

Having an effective information security function is imperative to address the threat from security incidents. The GISS 2015 found that an overwhelming 78% reported that their information security function does not meet organizational requirements and needs improvement.

Budgetary constraints and lack of skilled resources are the major reasons which impact the contribution and value that information security function provides to the organization, indicating that the situation is deteriorating, rather than improving.

Organizations will have to be on constant guard to ward off cyber threats.

The digital world does not allow any organization to feel comfortable in the area of cybersecurity threats and vulnerabilities. As the saying by Sun Tzu goes, “The more we sweat in peace, the less we bleed in war”, organizations will have to be on constant guard to respond to the evolving threat landscape.

It will be tough for organizations to be completely shielded from cyber threats in today’s testing times, but they need to do their bit to minimize the incidents or limit the extent of loss from an incident. Cybersecurity is the key to unlocking innovation and expansion. It will be hence imperative for boards and senior management to reinforce the cyber security agenda in their respective organisations.