Rising threat of cyber-attacks
Partner, Cyber Security, EY India
With some of the country’s premier banks reeling from recent cyber-attacks, including one of the financial sector’s biggest data breaches, it is time for the Indian banking ecosystem to pause and recognize the importance of implementing proper security measures to prevent attacks.
The BFSI vertical is expected to witness the highest CAGR during the forecast period because of the increasing adoption of web and mobile applications, which are prone to advanced cyber-attacks.
Cyber-attacks have significantly changed the dynamics of the industry. In the last couple of years we have seen them grow from being ‘just an attack’ into organized, state-sponsored campaigns, as malicious hackers constantly discover and exploit vulnerabilities.
The digital world does not allow any organization to feel comfortable in the area of cyber security threats. A non-stop, 365, 24/7 state of preparedness is essential. But with this degree of vigilance, it is understandable that some organizations are feeling fatigue in this area, and many ask “when will it be enough?”
Three to four years of constant bombardment by attacks, and of having to react to cyber events, can easily breed complacency. A strong record of repelling humdrum “typical attacks” (e.g., phishing) and plugging the obvious gaps (e.g., getting Identity and Access Management functioning effectively) can lead organizations to think they have “solved” the problem of cyber security, when in reality the situation is getting worse.
It is often witnessed that cyber incidents snowball into sensational and dramatic events with massive breaches, systems and sites becoming inoperable, resulting in sudden consumer inconvenience or damage. Large-scale events where millions of account details are stolen, reams of confidential information leaked online, IP stolen and systems damaged are usually under the lens.
However, the sudden nature of this chaos is misleading. Most of these attacks started weeks or months earlier, when the cyber criminals found their entry point and patiently began to explore, locate valuable assets and make their plans. Furthermore, cyber incidents will not be one-off events, no matter how complex or simple, targeted or accidental they may seem. The early subtle signs and the cumulative impact of repeated attacks must be understood and factored into an organization’s planning and risk appetite.
A new trend has recently emerged — we are not attacked for who we are, but what we can give access to. The challenges faced today have altered expectations, strained resources and caused a paradigm shift in information security. EY’s Global Information Security Survey states that:
- State-sponsored attacks grew to 35 per cent in 2015, compared with 27 per cent in 2014
- Although most attacks against major banks and financial institutions take the form of service disruptions, many financial services firms, payment card industry players and banks have experienced numerous data breaches in recent years
- With an enormous amount of new malware appearing every day, 43 per cent of information security executives see malware as the top threat to their organizations today
These facts on the current state of cyber security awareness in India Inc. lead to the most critical questions that enterprises need to ask themselves:
1. Do we really have confidence in our understanding of the threats/vulnerabilities in the digital world?
2. Have we prioritized cyber security measures around the threat landscape that applies to our organization and business strategy?
3. Do we know how to set our risk appetite to determine the acceptable and unacceptable loss and harm from potential incidents, as part of developing our cyber breach response management program?
It is only when the risk appetite is set at a level with which the board is comfortable, and which the organization can achieve, that digital transformations will be sustainable.
Cyber-attacks are not a matter of “if,” but “when.” An organization can consider that it has “enough” cybersecurity only when it is always able to keep within the bounds of the established risk appetite.
However, as an organization’s cybersecurity maturity increases, it does become easier to demonstrate the value of these investments. Accurate cost assessments of the harm that various cyber-attack scenarios would cause can help justify continued investment and vigilance. Similarly, the better your situational awareness, the easier it is to streamline and prioritize your spending.
As the digital age and the inherent connectivity of people, devices and enterprises continue to open up new playing fields of vulnerabilities, fortifying the enterprise for cyber-resilience is an urgent imperative for organizations.