With the wide adoption of the internet for varied applications and programs across government and enterprise bodies, online data is exposed to high cyber risk, which has led to increased awareness of cybersecurity. The ongoing adoption of digital technologies, an increasing focus on e-governance and recent events such as the demonetization drive have compelled organizations to revisit their cybersecurity measures.
Further, the rapidly evolving dynamics of the cyber-threat landscape are also posing serious challenges for organizations. With the increasing number of cyber threats, organizations are now looking for ways to improve their cyber resilience.
Increasing focus on cyber resilience
Today, organizations have shown concerns over self-reliance in their cybersecurity processes. According to the two recent EY Global Information Security Surveys, 75% of the respondents in India have shown a lack of confidence in their companies’ cybersecurity processes. This number is even higher for global enterprises, at 86%. Organizations are realising the need to invest in robust cybersecurity processes that are future ready. Thus, organizations need to be cyber resilient. Cyber resilience is the ability not only to predict the threat but also to create a framework that enables organizations to adapt to changing conditions and helps them respond efficiently.
Cyber resilience encompasses three high-level components: sense, resist and react.
Focus on improving ‘sense’ capability
Recently, many organizations have shown an inclination to use cyber threat intelligence to predict cyber-attacks effectively. They are now focusing on improving their “sense” capability. To achieve this goal, many organizations are installing continuous monitoring mechanisms, such as a Security Operations Center (SOC).
Despite the awareness of cyber threat intelligence mechanisms, most organizations still lack basic cybersecurity systems and processes, which puts them at greater risk. As per the GISS survey findings, 33% of organizations in India do not have a SOC, as compared to 44% globally, whereas 55% do not have a threat intelligence program or have only an informal one. Most organizations are still oblivious to the damage caused by cyber threats and hence have shown reluctance to increase their cybersecurity spending. Based on the results of the survey, 52% of the organizations would not increase their spending even after experiencing a cyber breach which did not appear to do any harm.
The increasing adoption of the Internet of Things (IoT) has further increased the pressure on organizations’ sense capabilities. The emergence of connected devices and increasing data traffic have created a new set of challenges for organizations globally. To mitigate these risks, the government and other regulatory bodies are collaborating to set up new regulations and laws. These regulations will be directed at creating a cohesive environment that encourages regulators, stakeholders, business partners and customers to proactively share and collaborate.
Strive to develop capability in order to resist cyber attacks
Organizations are continuously striving to improve their ability to resist cyber-attacks. However, the standard cyber control measures they deploy may not be fully equipped to combat risks and attacks caused by organized cyber criminals. Almost 61% of respondents surveyed considered their outdated information security controls to be one of the biggest areas of vulnerability. Employees’ carelessness or complicity also emerges as one of the key concerns, with 78% of global respondents considering it to be a likely source of attack. This number is surprisingly low for India, with only 58% of respondents attributing the cyber-attacks to carelessness.
There are a variety of effective solutions available today that can help organizations defend themselves against the changing cyber threat environment; however, the maturity level still appears to be low for various critical processes, including software security, security monitoring and network security.
The other key challenge that organizations face today is a lack of interest in spending on cybersecurity. Security budgets have been witnessing a y-o-y increase, with 69% of respondents stating an increase in their budget over the last 12 months. A lack of budget and a lack of skilled resources have emerged as key obstacles for information security operations.
Effective response framework to react efficiently
A lack of awareness and support amongst the leadership acts as a major roadblock to implementing an effective cybersecurity mechanism in an organization. One of the common trends that the survey indicates is that the personnel responsible for the cybersecurity mechanism are not involved in boardroom decisions. This leaves the board to rely only on a static reporting mechanism.
As per the survey, only 8% of the respondents have a mature metrics and reporting management process, whereas 76% of organizations do not evaluate the financial impact of a significant breach or cyber-attack. This reflects a big gap in reporting by organizations, which indicates that board members are not fully informed of one of the crucial threats faced by the organization today.
Turning fear to opportunity
The time has come for organizations to develop a centralized, enterprise-wide framework, a Cyber Breach Response Program (CBRP), led by experienced technology personnel who can ensure effective enterprise-wide implementation of the business continuity plan. A CBRP will help ensure a smooth and timely flow of information among internal stakeholders and help navigate the complexities of working with outside legal counsel, regulators and law enforcement agencies. Organizations also need to drive significant change in their strategy by having their corporate strategy and security teams collaborate to devise a robust cybersecurity solution.
Access the Global Information Security Survey 2016-17, India report here.