As disruptive innovations and new business models transform organisations and communities around the world, their sustainability is threatened by a plethora of cyber risks.
We are already witness to one of the largest cyber attacks in recent times, with "WannaCry" impacting public and private enterprises across the world.
Indeed, criminals and nation states are increasingly attacking the technology assets of individuals, organisations and governments, stealing and selling valuable information, and in an alarming trend, paralysing infrastructure.
India ranks third globally as a source of malicious activities and its enterprises are the sixth most targeted by cybercriminals. Cyber resilience, therefore, is a critical boardroom imperative.
With governments and enterprises increasingly leveraging the internet for mission-critical applications, cyber security continues to remain an urgent imperative in an increasingly digital world.
Unfortunately, India Inc.'s response to cyber risks has not been robust. India ranks third globally as a source of malicious activities and its enterprises are the sixth most targeted by cybercriminals. Cyber resilience, therefore, is a critical boardroom imperative. The key challenge, however, for Indian firms is that most of them still view cyber security as an "IT issue."
There are three high-level components of cyber resilience
A. Sense: The ability of organisations to predict and detect cyber threats. This includes investing in threat intelligence.
B. Resist: These are the mechanisms that serve as the corporate shield to cyber-attacks. Their development involves as assessment of an organisation's cyber risk appetite.
C. React: If 'Sense' fails (the organisation did not see the threat coming) and there is a breakdown in 'Resist' (control measures were not strong enough), organisations need to be ready to react with incident response capabilities and mechanisms to manage the crisis.
While significant progress has been made in adopting technologies to strengthen the corporate shield over the last several years, a lot more needs to be done to strengthen cyber resilience.
Cyber attacks are not a matter of "if" but "when." In fact, it is likely that many companies may already have been breached, but not all of them may be aware.
In a recent EY survey, 75% of the respondents said their cyber security function did not fully meet their organisation's needs. While 61% attributed this to outdated security architecture and controls, 58% were concerned about careless or malicious employees and business partners.
What can organisations do to better protect themselves?
1. Implement "security 101" practices: Despite significant spends on state-of-the-art security tools, many organisations fail to maintain basic hygiene in processes such as software updates and patch management. In addition, companies often fail to implement processes that prevent the use of pirated software. Doing so is critical to prevent attacks such as WannaCry.
2. Activate your defences: Maturity levels are still low in many critical control areas, and improving them would be a significant step forward for any organisation. Organisations need to conduct effectiveness exercises and leverage cognitive analytics to strengthen their defence mechanisms.
2. Take an unorthodox approach: Cyber security needs to be smarter as well as stronger, with a soft-resilience approach. This means that on sensing a threat, there are mechanisms to absorb the attack and reduce its velocity.-Minimising the impact and extent of the damage is key.
3. Be ready to sacrifice: Technologies today, make it possible to sacrifice portions of information or operations in the interests of protecting the larger network. If configured as per an organisation's risk appetite, this can be triggered as an automated response. For instance, when an organisation's Security Operations Centre detects a high-level threat, the system owner receives an alert and the system is shut down to prevent the threat from spreading.
4. Drive change through leadership: Executive leadership and support is critical for effective cyber resilience. Unlike the Sense and traditional Resist activities, which can be seen as the domain of the CISO or CIO, cyber resilience requires senior executives to actively take part and lead the `React' phase.
Cyber attacks are not a matter of "if" but "when." In fact, it is likely that many companies may already have been breached, but not all of them may be aware.