Companies need to deal with the enemy inside the gates
The Economic Times
National Leader and Risk Advisory Partner, EY India
Organisations today face cyber threats that are not just external, but also internal. As attackers figure out ways to compromise sensitive data, including IP and critical infrastructure, companies need to do a lot more to protect against them, Nitin Bhatt, national leader & risk advisory partner, EY India, told ET's Neha Alawadhi in an interview.
How is the risk landscape in Indian enterprises changing?
With companies embracing mobility, bring your own device, cloud, social media, collaboration and Internet of Things (IoT) technologies, attackers have an enhanced digital attack surface at their disposal, resulting in huge security and data privacy risks.
Many big breaches start small - the organisation's partner is attacked first, which then enables the attacker to compromise the organisation. The attacker profile has evolved as well. Attackers now include malicious insiders, organised criminal networks and rogue nations - all generally in search of valuable data and IP.
In many cases, the intent is not to steal data but to paralyse systems till such time as a ransom is paid to the attackers. Ransomware-related attacks are growing exponentially in India.
How effective is Indian enterprises' response?
Not very effective. In fact, over the last five years, the response gap - which is the difference between the abilities of the attackers versus the capabilities of the security stack - has been increasing.
While cyber budgets are increasing in India, Indian companies still invest only 5-7% of their IT budgets in cyber security, as opposed to US companies that invest 15-20%. There are three pillars of security - prevention, detection and incident response. Most companies do not balance their investments across all three pillars.
What kind of cyber-attack trends are organisations seeing these days?
In an increasing trend, organisations that are compromised through a cyber-attack are not the ultimate target. In such cases, the attackers abuse an organisation's infrastructure to launch attacks against third parties. The organisation is either used as a conduit to land into its business partner's network or its IT resources are leveraged to launch an attack against the ultimate target.
Exfiltration of intellectual property from a research-oriented organisation to foreign countries is another trend. For example, in a targeted attack, several prominent listed companies with large market capitalisation were targeted weeks prior to the disclosure of their audited annual results in an attempt to gain unauthorised access to stock price sensitive information.
What can companies do to achieve cyber resilience?
Firstly, organisations should have the right security governance and architecture to protect their crown jewels. They should put their systems through best-in-class attack-and-penetration tests, have timely threat intelligence, ensure the security posture of companies in their partner ecosystem, and make sure employees and contractors are aware of their responsibilities for managing security risks.
Organisations should also run periodic tests to ensure some users in the company are not misusing their access privileges. There is also a need to leverage data analytics to uncover suspicious user-behaviour patterns that could be a precursor to an incident.
Finally, they should have a robust incident response strategy in place that ensures business continuity even if their critical assets get corrupted or paralysed.