Managing Cyber Risks in an Interconnected World

March 18, 2015

Information security budgets in Indian companies declined by 17 per cent even as business losses from security breaches increased by 20 per cent in 2014. This is just one of the key findings in PwC’s ‘State of the Information Security Survey-India 2015’.

This survey was conducted as part of PwC’s Global State of Information Security Survey 2015. It is based on the responses from over 350 C-suite executives, vice presidents and directors of IT and information security, across 17 industries. Around 30% of the respondents had annual gross revenues of over 1 billion USD, and another 30% had revenues between 100 million USD and 1 billion USD. Almost a third of our respondents were small enterprises with annual gross revenues of less than 100 million USD, making it an inclusive survey with a distributed respondent base. Here are the key findings:
Cyber risks: Endangering the present
Media reports of security incidents have become as common as the weather forecast, and over the past 12 months, virtually every industry sector across the globe has been confronted by some kind of cyber threat. A recent report by FireEye Labs and CyberSquared Inc’s Threat Connect Intelligence Research Team (TCIRT) uncovered cyber espionage activities by an Islamabad-based group targeting Indian companies. It appears that the group initiated the ‘Bitterbug’ malware that spread through documents, compromising organisations in India. Recently, computer systems at the Eastern Naval Command in Visakhapatnam, where the indigenous nuclear submarine Arihant has been undergoing sea trials, were breached by Chinese hackers. Reports of breaches of DRDO computer systems resulting in the leak of sensitive files also surfaced in the recent past.
Financial service companies continue to be primary targets. A survey of 46 global securities exchanges conducted by the International Organisation of Securities Commissions (IOSCO) and the World Federation of Exchanges found that 53% had experienced a cyber attack. According to a report by Arbor Networks, there has been a significant increase in attacks on financial organisations in India, up from last year’s 15% to 34% this year. Other critical infrastructure providers are also prone. In India, an NTRO analysis revealed that in recent years, the Stuxnet worm had infected computers at critical infrastructure facilities such as the Gujarat and Haryana electricity boards and an ONGC offshore oil rig.
The Computer Emergency Response Team of India (CERT-In), the nodal agency for combating hacking and phishing as well as fortifying security-related defences of the country’s internet domain, has categorised the severity of the Heartbleed vulnerability as high, fearing it can compromise personal data in India as well. While telcos in India are advocating faster adoption of the ‘internet of things’ (IoT), they also face the challenge of securing an ecosystem of devices that interconnects information, operational and consumer technologies.
Increased focus among regulators around the world
Cyber security services: Expanding market
In the wake of increased incidents and heightened regulations, corporations and government agencies are struggling to safeguard their data and networks; a push that is catalysing the growth of cyber security solutions and technologies. Gartner predicts that the global IT security spending will increase 7.9% to reach 71.1 billion USD in 2014, and grow an additional 8.2% to reach 76.9 billion USD in 2015. It estimates that India’s security market size will jump to 1 billion USD in 2015. In India, consulting, implementation, support and managed security services comprise 55% of the market.
Financial losses increase pace
As security incidents become more frequent, the costs of managing and mitigating breaches also rise. The estimated reported average annual financial loss attributed to cyber security incidents globally was 2.7 million USD, 34% more than in 2013. In India, it rose to 1.2 million USD, almost 20% more than the previous year. The rise in the average cost of incidents is primarily a consequence of today’s more sophisticated compromises, which often extend beyond IT to other areas of the business. As with the total number of incidents, the global loss due to cyber crime cannot be calculated, as many attacks do not get reported and the value of certain types of information, intellectual property in particular, is difficult to ascertain. A recent study by the Centre for Strategic and International Studies noted the difficulties in estimating financial impact but stated that the annual cost of cyber crime to the global economy ranges from 375 billion USD to as much as 575 billion USD.

Employee caution is important
The cyber incidents that garner the most attention, compromises caused by nation states, organised crime and competitors, are among the least frequent. That’s of little comfort, however, considering that our survey results show that these attacks are also among the fastest growing threats. In line with global trends, this year in India, we found a two-fold increase in the number of respondents who say they have been compromised by nation-states. The security incidents attributed to competitors, some of whom may be backed by nation-states, doubled from last year’s figure to a whopping 40%. The reason for this increase may be that companies are discovering that, as information is increasingly being stored in digital formats, it is easier, cheaper, and quicker to steal IP and trade secrets than to develop capabilities themselves. The rise in cyber-crimes attributed to nation-states and competitors is concurrent with an increase in theft of intellectual property and other types of sensitive information.

This year saw a 46% jump in cases of theft of ‘soft’ intellectual property, which includes information on processes and institutional knowledge. However, fewer than 19% said that ‘hard’ intellectual property, such as strategic business plans, deal documents and sensitive financial documents were stolen.
Increased instances of compromises caused by organised crime
One in five (22%) respondents in India claims to have experienced security breaches caused by organised crime groups, much higher than the global average of 15%. Organised crime groups are typically motivated by financial gain. A successful cyber-attack can get millions of payment card records that can be quickly monetised.
Percentage of respondents with security controls
Only 48% say that they have performed risk assessments on third party vendors and just 50% have an inventory of all third parties that handle personal data of employees and customers. Moreover, only 15% considered outsourcing and vendor oversight to be a major security challenge in the foreseeable future. This indicates a need for greater rigour in managing information security risks stemming from partners and suppliers, and a thorough risk assessment of relationships with suppliers. Only 50% of respondents say that they have a cross-organisational team that regularly convenes to discuss, coordinate and communicate information security issues. Further, only 54% have an employee security awareness training programme, down from last year’s 56%. Compared to last year’s 61%, fewer respondents (56%) require their employees to complete training on privacy policy and practices.

Social media
Social media is no longer optional for enterprises. The ambiguity in calculating the return on social media investments, coupled with the difficulty in understanding the applications of social media in business and leveraging them to generate a profit stream, has led to slow adoption. However, more and more Indian companies are now adopting them, albeit cautiously. Over 58% of Indian respondents already have a social media security strategy in place and another 27% have identified it as a top priority for the next 12 months. The fact that over 27% of respondents understand that social media is a major security challenge highlights that businesses have taken cognisance of the threats linked with a hasty adoption of social media.

One area that organisations are increasingly focusing on is enterprise mobility, which enables employees, partners and customers to access and work on the organisation’s technology platforms through any secure enabler (laptops, tablets or smartphones). MDM and MAM solutions help in device control and are essential safeguards to counter threats to the individual’s or the organisation’s mobile devices. Although globally there has been a decline in the deployment of MDM, India has seen an 11% increase in the use of such solutions, which is in line with the growing smartphone penetration in the country and the BYOD trend. Indian companies are taking measures to tackle threats from mobility. For instance, over 54% of respondents already have a security strategy for mobile devices and more than 57% have a security strategy for BYOD. However, there is plenty of room for improvement.
Analytics and big data
Although there are threats linked to the adoption of analytics for decision-making, as long as organisations understand the value of collected data and ensure that the sanctity of data is maintained, they can combine the collected data to reveal trends as well as the causal relationships between business drivers. Further, big data analytics can be used to strengthen the existing security monitoring tools. Over 47% of our respondents have utilised big data analytics to model for and identify information security incidents, and over 57% of those who have employed big data analytics claim that it has helped them detect more incidents.
Cloud services
Cloud services, with the ability to reduce the burden of investing huge capital in IT infrastructure and to reduce the time to market for organisations, are clearly in the ascendancy. Although almost 68% of our respondents use cloud services in the form of Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), organisations have largely been sceptical of migrating to the cloud. The concerns over data security and privacy, compliance with regulations and the difficulty in calculating actual profits earned by using cloud services have prevented organisations from leveraging cloud services. The strategy should envision not only the migration of existing technology and processes but also the integration of legacy systems with the cloud.
Cyber risk management
Organisations in India have been focused on perimeter security. It is only now that there are visible signs of organisations moving from the asset- and technology-centred paradigm for information security to comprehensive cyber-risk management. The future of cyber-security in India will involve a tripartite model wherein the government, the organisation and the individual work in tandem to secure information and information assets in a concerted, unified manner. This will require enhanced collaboration and communication of security posture among individuals, executives and industry organisations, as well as potential future improvements in legal exposure and assistance in regulatory compliance. The first step for all organisations will be to align security spending with the organisation’s strategic assets. In India, 12% of respondents do not allocate security spending to the most profitable lines of business. Currently, only 56% report that they have a programme to identify sensitive assets, and about 65% have taken the effort to inventory the collection, transmission, and storage of sensitive data for employees as well as customers.
Strategic security spending also demands that businesses identify and invest in cyber-security practices that are most relevant to today’s advanced attacks. It is essential to fund processes that fully integrate predictive, preventive, detective, and incident-response capabilities to minimise impacts. Effective security will also require a certain amount of knowledge about the existing as well as potential adversaries, including their motives, resources and methods of attack. This will not happen without a budget for threat analysis and monitoring, as well as a commitment of time and resources for collaborating with government agencies, peers, law enforcement, and other third parties to gain an understanding of the leading cyber-security practices. In the current environment of proliferating threats, risk-based security practices should be the primary component of an organisation’s overall enterprise risk management framework.
