India Inc unsure about responding cyber threats
Despite increasing the investment on cyber security every year, India Inc is not confident of their ability to sense, resist and respond to cyber threats.
Almost 69 per cent of Indian respondents reported an increase in their cyber security budgets over the last 12 months and almost three-fourths expect budgets to increase further in the next year, says a survey by EY, the global professional services organisation. The survey was based on responses from 1,735 global C-suite executives, including 124 CXOs from India.
Despite the increased investments, 75 per cent of Indian respondents say that their cyber security function does not fully meet the organisation’s needs. These findings are in line with the global trend where more than half of the respondents reported increased budgets on cyber security, but 86 per cent are still not confident of their cyber security function.
According to the survey, outdated information security architecture and controls have increased risk exposure for India Inc in the last 12 months, with as many as 61 per cent of the respondents citing this aspect as their topmost vulnerability. Careless or unaware employees is their second-most important concern (58 per cent), while vulnerabilities related to mobile computing, social media and cloud computing also feature prominently as contributing to enhanced risk exposure for corporate India.
Among threats, 54 per cent believe that cyber-attacks are primarily targeted at defacing/disrupting organisations or towards stealing intellectual property or data 51 per cent, followed by fraud 48 per cent.
“Disruptive innovations and the digital transformation of businesses and governments are exponentially enhancing cyber-risks. What is worrisome is that the response gap - which is the difference between the abilities of the attackers and the capabilities of organisations is increasing as well, leading to this lack of confidence in the cyber security function,” Nitin Bhatt, EY India’s Risk Advisory Leader.
The respondents find that not enough attention is being given to building basic, yet essential capabilities to predict and detect a cyber-attack. More than half of the respondents (55 per cent) do not have a formal, threat intelligence programme, while 44 per cent do not have a vulnerability identification capability. Further, more than a third (33 per cent) do not have a security operations centre (SoC), which serves as a continuous monitoring mechanism.
Organisations are struggling with the huge number of devices that will become part of their networks, challenges related to the size of data traffic and the expanding eco-system of business partners. On the growing use of mobile devices such as laptops, tablets and smartphones, more than half (55 per cent) see poor user awareness as the most significant risk, followed by (41 per cent) loss of device which leads to loss of information and identity.
Among information security priorities over the next 12 months, business continuity and disaster recovery was rated by respondents as their top priority, along with data leakage and data loss protection. Companies want to spend more on business continuity, data leakage and training of employees, vendors and business partners.
Sangeetha G.