While India Inc. is spending more on cyber security each year, organizations are still not confident of their ability to sense, resist and respond to cyber threats, according to the latest survey by Ernst & Young, the global professional services organization. The report, titled Path to cyber resilience: Sense, Resist, React: EY’s 19th Global Information Security Survey 2016-17, was released here today by Dr. Gulshan Rai, National Cyber Security Coordinator, National Security Council, Prime Minister’s Office, Government of India.
Now in its 19th year, the EY Survey is based on responses from 1,735 global C-suite executives, including 124 CXOs from India. 69% of Indian respondents reported an increase in their cyber security budgets over the last 12 months and almost three-fourths expect budgets to increase further in the next year. Despite the increased investments, 75% of the Indian respondents say that their cyber security function does not fully meet the organization’s needs. These findings are in line with the global trend where more than half of the respondents reported increased budgets on cyber security, but 86% are still not confident of their cyber security function.
Speaking on the occasion, Dr. Gulshan Rai said: “We are at the cusp of a cyber security paradigm shift and it is imperative that for the overall national security we join hands to share, evaluate and acquire threat intelligence and develop a robust operational framework to use this with security technologies. We will need immense focus to encourage technological innovations in cyber security to secure national critical infrastructure from cyber criminals.”
Increasing risk exposure
According to the survey, outdated information security architecture and controls have most increased risk exposure for India Inc. over the last 12 months, with as many as 61% of the respondents citing this aspect as their topmost vulnerability. Careless or unaware employees are their second-most important concern (58%), while vulnerabilities related to mobile computing, social media and cloud computing also feature prominently as contributing to enhanced risk exposure for corporate India. Among threats, the majority (54%) believe that cyber-attacks are primarily targeted at defacing/disrupting organizations or towards stealing intellectual property or data (51%), followed by fraud (48%).
Says Nitin Bhatt, EY India’s Risk Advisory Leader, “Disruptive innovations and the digital transformation of businesses and governments are exponentially enhancing cyber-risks. What is worrisome is that the response gap - which is the difference between the abilities of the attackers and the capabilities of organizations - is increasing as well, leading to this lack of confidence in the cybersecurity function.”
The survey highlights that while respondents are more confident of their ability to predict and detect a cyber-attack, with 52% saying that they would be able to do so, not enough attention is being given to building basic yet essential capabilities. More than half of the respondents (55%) do not have a formal threat intelligence program, while 44% do not have a vulnerability identification capability. Further, more than a third (33%) do not have a security operations center (SOC), which serves as a continuous monitoring mechanism. More than half (52%) would not increase their cybersecurity spending after experiencing a breach which did not appear to do any harm, which the report highlights as a matter of concern, observing that ‘cyber criminals often make test attacks or lie dormant after a breach.’
“The need of the hour is for organizations to review if their security governance and architecture is adequate to protect their crown jewels. Since cyber resilience cannot be achieved by buying “security-in-a-box,” organizations need to focus on gathering periodic threat intelligence, enhancing their threat-hunting and breach-detection capabilities, and institutionalizing a robust incident-response framework,” said Nitin Bhatt, EY India’s Risk Advisory Leader.
According to the Indian respondents, management and governance issues (42%), followed by lack of quality tools for managing information security and lack of executive awareness and support (41%), were seen as the main challenges for information security operations, as compared to lack of budgets (61%) and skilled resources (56%) globally. 38% of the Indian respondents say that boards are not fully knowledgeable about cyber risks.
More than a third of the Indian respondents (37%) cited budget constraints and lack of skilled resources (39%) as obstacles. The survey underscores the importance of reporting to enhance executive awareness and support. More than three-fourths of the respondents indicated that they do not evaluate the financial impact of every significant breach, and of those that have had a cyber breach in the last year, more than half (57%) have no idea of the financial damage incurred.
Challenges of the digital ecosystem and connected devices
On the impact of the Internet of Things (IoT), the report states that organizations are struggling with the huge number of devices that will become part of their networks, challenges related to the size of data traffic and the expanding ecosystem of business partners. The most important information security challenges of IoT were identified as finding hidden or zero-day attacks (50%), identifying suspicious traffic over the network (44%) and ensuring that implemented security controls are meeting the requirements of the day (40%).
On the growing use of mobile devices such as laptops, tablets and smartphones, more than half (55%) see poor user awareness as the most significant risk, followed by loss of a device, which leads to loss of information and identity (41%).
Among information security priorities over the next 12 months, business continuity and disaster recovery, which are at the heart of an organization’s ability to react to an attack, was rated by respondents as their top priority (63%), along with data leakage and data loss protection (60%). Although 43% plan to spend more on business continuity in the coming year and 37% plan to spend more on data leakage, there is also considerable focus on higher spending on security awareness and training of employees, vendors and business partners, cloud computing and threat and vulnerability management (38%).