- Arts & Entertainment
- All Stories
Preparing for a Cyber Attack
Bangalore, May 19, 2017
As disruptive innovations and new business models transform organizations and communities around the world, their sustainability is threatened by a plethora of cyber risks.
We are already witness to one of the largest cyber-attacks recently with “WannaCry” impacting the lives of many individuals and enterprises. Indeed, criminals and nation states are increasingly attacking the technology assets of individuals, organizations and governments, stealing and selling valuable information, and, in an alarming trend, paralyzing critical infrastructure.
With governments and enterprises increasingly leveraging the internet for mission-critical cyber security continues to remain a top imperative across the world.
Unfortunately, India Inc.’s response to cyber risks has not been robust. India ranks third globally as a source of malicious activities and its enterprises are the sixth-most targeted by cybercriminals. Cyber resilience is a critical boardroom imperative. The key challenge for Indian companies is that most view cybersecurity as an “IT issue”. Consequently, cyber risks do not get appropriate top management attention. This needs to change. The cyber threat landscape continues to evolve and presents new challenges to organizations every day. In response, organizations have learned over decades to defend themselves and respond better, moving from basic measures and ad hoc responses to sophisticated, robust and formal processes.
Following is an overview of the evolution of the threat landscape for cyber security.
There are three high level components of cyber resilience:
a. Sense: Sense is the ability of organizations to predict and detect cyber threats. This can be done by simply investing in cyber intelligence
b. Resist: Resist mechanisms are basically the corporate shield to cyber-attacks. It begins with assessing an organization’s risk appetite
c. React: If Sense fails (the organization did not see the threat coming) and there is a breakdown in Resist (control measures were not strong enough), organizations need to be ready to deal with the disruption, ready with incident response capabilities and mechanisms to manage the crisis
Significant progress has been made in taking measures to strengthen corporate shield. In the last two to three years, we have also seen organizations focus more on their Sense capabilities. Most organizations, however, are lagging behind in preparing their reaction to a breach. Focus on cyber risks, not only on cyber security.
A recent EY survey said:
· 75% of responders said that their cybersecurity function did not fully meet their organization’s needs
· More than half (61%) the responders said that their outdated information security controls or architecture were one of the biggest areas of vulnerability
· 54% believe that cyber-attacks are primarily targeted at disrupting or defacing the organization’s websites or other digital assets, while they also believe that theft of IP or data continues to be an important risk
· Surprisingly, only 58% of the survey respondents from India fear that the next attack will be to their employees’ carelessness or complicity, compared with 78% of global responders who consider this to be a likely source of attack
Finally, the question remains- Where should organizations focus to better resist today’s attacks?
Activate your defences: The survey revealed that 35% of responders have had a recent significant cybersecurity incident, which shows that there is still more work to be done to strengthen the corporate shield. Maturity levels are still low in many critical areas, and improving them would be a significant step forward for any organization.
Take an unorthodox approach: In the face of today’s unpredictable and unprecedented cyber threats, a fail-safe approach can no longer be the only option. The new aim should be to design a system that is safe-to-fail. Future cybersecurity needs to be smarter as well as stronger, with a soft-resilience approach. This means that on sensing a threat, there are mechanisms that have been designed to absorb the attack, reduce the velocity and impact of it, and accept the possibility of partial system failure as a way to limit damage to the whole.
From protection to sacrifice: Technologies today make it possible to sacrifice portions of information or operations in the interests of protecting the larger network. If configured correctly to the organization’s risk appetite, this can be performed as an automated response.
The role of leadership: Executive leadership and support is critical for effective cyber resilience. Unlike the Sense and traditional Resist activities, which can be seen as the domain of the CISO or CIO, cyber resilience requires senior executives to actively take part and lead the ‘React’ phase.
The importance of reporting: According to the survey, 49% say that those responsible for information security do not have a seat on the board. In this scenario, the board has to rely on reporting instead. Based on this response, it may seem like boards are not fully informed of one of the greatest threats to their organizations today.
Anticipating, and now actively defending against, cyber-attacks is the only way to be ahead of cyber criminals. It’s not a matter of ‘if’ you are going to suffer a cyberattack, it’s a matter of ‘when’ (and most likely you already have).
Nitin Bhatt is the National Head and Partner, EY Risk Advisory-India. He has over 20 years of global consulting experience in the areas of corporate governance, risk management and business.