EY Survey: Higher Budgets Not Enough to Inspire Confidence in India Inc.’s Cyber Security

While India Inc. is spending more on cybersecurity each year, organizations are still not confident of their ability to sense, resist and respond to cyber threats, says the latest survey by EY, the global professional services organization.

The report, titled Path to cyber resilience: Sense, Resist, React: EY’s 19^th Global Information Security Survey 2016-17, is based on responses from 1,735 global C-suite executives, including 124 CXOs from India. 69% of Indian respondents reported an increase in their cybersecurity budgets over the last 12 months and almost three-fourths expect budgets to increase further in the next year. Despite the increased investments, 75% of the Indian respondents say that their cybersecurity function does not fully meet the organization’s needs.  These findings are in line with the global trend where more than half of the respondents reported increased budgets on cybersecurity, but 86% are still not confident of their cybersecurity function.

Speaking on the occasion, Dr. Gulshan Rai said: “We are at the cusp of a cybersecurity paradigm shift and it is imperative that for the overall national security we join hands to share, evaluate and acquire threat intelligence and develop a robust operational framework to use this with security technologies. We will need immense focus to encourage technological innovations in cyber security to secure national critical infrastructure from cyber criminals.”

Increasing risk exposure

According to the survey, outdated information security architecture and controls has most increased risk exposure for India Inc over the last 12 months, with as many as 61% of the respondents citing this aspect as their topmost vulnerability. Careless or unaware employees is their second-most important concern (58%), while vulnerabilities related to mobile computing, social media, and cloud computing also feature prominently as contributing to enhanced risk exposure for corporate India. Among threats, the majority (54%) believe that cyber-attacks are primarily targeted at defacing/disrupting organizations or towards stealing intellectual property or data (51%), followed by fraud (48%).

Nitin Bhatt, EY India’s Risk Advisory Leader said, “Disruptive innovations and the digital transformation of businesses and governments are exponentially enhancing cyber-risks. What is worrisome is that the response gap - which is the difference between the abilities of the attackers and the capabilities of organizations is increasing as well, leading to this lack of confidence in the cybersecurity function.”

The survey highlights that while respondents are more confident in their ability to predict and detect a cyber-attack with 52% saying that they would be able to do so, but not enough attention is being given to building basic, yet essential capabilities. More than half of the respondents (55%) do not have a formal, threat intelligence program, while 44% do not have a vulnerability identification capability.  Further, more than a third (33%) do not have a security operations center (SoC), which serves as a continuous monitoring mechanism. More than half (52%) would not increase their cybersecurity spending after experiencing a breach which did not appear to do any harm, which the report highlights as a matter of concern, observing that ‘cyber criminals often making test attacks or lie dormant after a breach.’

“The need of the hour is for organizations to review if their security governance and architecture is adequate to protect their crown jewels. Since cyber resilience cannot be achieved by buying “security-in-a-box,” organizations need to focus on gathering periodic threat intelligence, enhancing their threat-hunting and breach detection capabilities, and institutionalizing a robust incident response framework,” said Nitin Bhatt, EY India’s Risk Advisory Leader.

According to the Indian respondents, management and governance issues (42%), followed by   lack of quality tools for managing information security and lack of executive awareness and support (41%) were seen as the main challenges for information security operations as compared to lack of budgets (61%) and skilled resources (56%) globally. 38% of the Indian respondents say that boards are not fully knowledgeable about cyber risks

More than a third of the Indian respondents (37%) cited budget constraints and lack of skilled resources (39%) as obstacles. The survey underscores the importance of reporting to enhance executive awareness and support. More than three-fourth of the respondents indicated that they do not evaluate the financial impact of every significant breach and those that have had a cyber breach in the last year, more than half (57%) have no idea of the financial damage incurred.

Challenges of the digital ecosystem and connected devices

On the impact of the Internet of Things (IoT), the report states that organizations are struggling with the huge number of devices that will become part of their networks, challenges related to the size of data traffic and the expanding ecosystem of business partners.  The most important information security challenges of IoT were identified as finding hidden or zero-day attacks (50%), identifying suspicious traffic over the network (44%) and ensuring that implemented security controls are meeting the requirements of the day (40%).

On the growing use of mobile devices such as laptops, tablets, and smartphones, more than half (55%) see poor user awareness as the most significant risk, followed by (41%) loss of device which leads to loss of information and identity.

Among information security priorities over the next 12 months, business continuity and disaster recovery which are at the heart of an organization’s ability to react to an attack – was rated by respondents as their top priority (63%), along with data leakage and data loss protection (60%).  Although 43% plan to spend more on business continuity in the coming year and  37% plan to spend more on data leakage, there is also considerable focus on higher spends on security awareness and training of employees, vendors and business partners, cloud computing and threat and vulnerability management (38%).