Sivarama Krishnan, Leader, Cyber Security, PwC India
The digital playground has become a dangerous place to be.
Nation-states, hackers and organised crime syndicates are the cyber security villains that everybody loves to hate. Cyber espionage backed by a nation-state, or multibillion-dollar losses to an organisation due to cyberattacks: this is the stuff of front-page headlines. But while such events may make for eyeball-grabbing news, they are a veritable nightmare for corporates.
There has been an unprecedented rise in cybercrime rates and associated security breaches. In 2014, the World Economic Forum rated cyberattacks among its top five risks in terms of likelihood, and that likelihood is expected to rise further in the coming years if the right security is not put in place.
Cyber security breaches
Cyber security breaches lead to global negative publicity for the victim firm, loss of shareholder value, reduced profits and stolen product designs. They cost millions of dollars in breach-mitigation expenses. They disrupt innovation, service operations, information assets and company strategy, and they erode customer trust, which is indispensable to any business.
This year, overall financial losses as a result of cyber incidents increased by 135% over the previous year, which is a sharp rise. As security incidents grow in frequency, the costs of managing and mitigating breaches are also rising. For companies with revenue of more than 1 billion USD, we have observed that the average financial loss due to security incidents was 3.9 million USD in 2013, whereas in 2014 the figure stood at 5.9 million USD. There has been a plethora of new-age cyberattacks, and innovation in attack vectors is a major contributor to the ever-evolving threat landscape. As incidents continue to proliferate across the globe, it is becoming clear that cyber risks will never be completely eliminated and will, from time to time, impact organisations.
Cyber security villains
The cyber security villains today are both external and internal to the organisation. However, we have observed a big shift from outsiders, comprising cyber terrorists, organised crime, hacktivists, competitors and nation-states, to insiders, consisting of current employees, former employees, service providers and the like.
Statistically, insider crimes are more costly and damaging than incidents perpetrated by an outsider. As per the responses received to our GSISS 2016 survey, insiders caused nearly 15 security incidents for every 10 caused by outsiders in 2015. Yet a majority of organisations are unprepared for such insider threats. They need to be tackled on multiple fronts through a holistic, risk-based and cross-functional security effort, because insiders know exactly where to look for the organisation's most valuable information, its crown jewels, so to speak.
Despite the high-profile security breaches perpetrated by cyber villains last year, the board is often not involved in the critical initiatives that determine how effective the security mechanisms are against threats and risks. Statistically, fewer than 46% of boards understand the costs and benefits of their cyber security programmes. The barrage of incidents over the past year has resulted in a lot of discussion about the board's involvement in the security function. Yet, for all the chatter, organisations clearly have not elevated security to a board-level agenda item. Effective security will require not only adequate funding from the board, but also greater board involvement in, and commitment to, security maturity.
An effective security programme mantra
Based on the GSISS survey, the top five security challenges faced by organisations are:
- Encryption in storage and in transit (19.7%)
- Identity theft and loss of individual information (19.2%)
- Authentication (18.8%)
- Identity and privileged access management (17.4%)
- Monitoring of access and information use (16.9%)
These challenges arise mainly because many organisations today are largely unsure of the right amount of investment in the right mix of solutions for effective security management, and thus also of the return on that investment. Organisations often fail to align their security strategy with business needs. Businesses should identify and invest in the cyber security practices that are most relevant to today's threat landscape, which is evolving every single day in terms of motives, resources and methods. It is the need of the hour to fund processes that integrate predictive, preventive, detective and incident response capabilities and so minimise the impact of an attack.
Being resilient to threats requires individuals and organisations to stay alert, to identify and detect threats, and to mitigate them quickly to minimise impact, which in turn calls for an effective security monitoring strategy. The right mix of people, tools, processes and leadership involvement is the mantra for an effective security programme.
Where is the doorway out of the cyber maze?
We have observed that businesses with effective security awareness management report significantly lower average financial losses from cyber security incidents. The trick is to understand the sophistication of cyberattacks, the symptoms of being under attack, the right antidote and defence mechanism, the time taken to contain an attack, the right kind of investments, and so forth.
- Do you want to experience the impact of a cyberattack in a simulated environment and see how it affects customer confidence and company revenue?
- Do you want to observe the benefits of, and return on investment from, cyber solutions in a simulated game environment?
- Are you aware of the different terms, forms of attack and defence solutions in the cyber sphere?
Ashish Bhugra, Manager, Cyber Security, contributed to this article. For more information on our Cyber Security services, you can reach him at firstname.lastname@example.org.