Are Indian boards serious enough?

Cybersecurity is no longer just a technical issue confined to an organization's IT team; it has become a serious business issue. Over the past two years, and especially during the pandemic, there has been a sea change in the way cyber threats have evolved. As cyberattacks have become high-tech, with criminals themselves using AI-level sophistication and machine learning, there is a far greater possibility that an organization's core control systems are disrupted today than there was five years ago.

Mobile phones, IoT and cloud-based systems have become new targets for cyberattacks. Hackers have become very sophisticated. They form groups known as Advanced Persistent Threat (APT) gangs or nation-state backed APT gangs, and their primary target is sensitive corporate information. Few cell phones are protected against malware. Double extortion ransomware is on the rise, and employees of organizations are themselves becoming a threat to their sensitive information and intellectual property.

Hackers are getting lazier and finding new ways to attack. First they demanded ransoms. Then they realized that it is easy to send a phishing email. Now they are trying brute force attacks. In recent years, when thousands of organizations were working from home, brute force attacks became common. Brute force uses trial and error to crack passwords.

In the recent cyberattack against a major airline in the country, four million usernames and passwords were leaked. Similarly, a major Indian online grocery store was attacked and the data of 20 million users was leaked. An attack could equally target an industrial control system, a nuclear power plant, or the intensive care systems of a hospital.

As today's cyberattacks involve ransom payments running into millions and seriously damage the reputation of the organization, it is high time that companies treat cybersecurity as a serious risk issue. The irony, however, is that Indian boards are still not serious about treating cybersecurity as a critical business risk. A recent cyber insurance survey of 120 Indian organizations, conducted by RIMS, the risk management society, and the global insurance broker JB Boda Group, highlights this point.

Of the organizations surveyed, more than 59% store data or run applications and underlying technologies in the cloud; over 22% run a hybrid model, with some applications and data residing on-premises and backed by the cloud. 70% of the organizations surveyed manage personally identifiable information (PII), while 38% manage health records. More than 73% have experienced a security breach in the past year or so. Yet these organizations lack a controlled system to continuously monitor their data. In the era of continuous monitoring, 32% of respondents have not performed external penetration testing, and 42% of respondents do not have a cyber threat intelligence collection function. More than 59% of the organizations surveyed have not yet implemented a Bring Your Own Device (BYOD) policy for their employees, and around 20% of them have implemented it only partially, for key employees. All of these figures are alarming. Based on our continued engagement with Indian corporate boards, the situation on the ground is almost the same as reflected in the survey.

A top-down approach in management communication on cybersecurity is a must

There needs to be a complete overhaul of communication related to cybersecurity across the organizational hierarchy. So far, a siloed approach has been followed to address the issue. Organizations need to break down these silos by bringing in more integration and agility, and by working together as a cohesive team. Organizations should follow a top-down approach to address cyber challenges.

Cybersecurity needs to be more closely aligned with an organization's strategic business goals, which is precisely what risk management focuses on. This must be discussed seriously in boardrooms. There must be continuous communication from the CEO to the risk manager, the business managers, and the managers in charge of security, physical security, customer satisfaction, sales, finance, HR, marketing and so on, to make cybersecurity a relevant risk parameter to monitor. These managers should be well aware of the cyber risks that their respective departments face. So when the CEO attends a review meeting with these business leaders, they need to brief him on the immediate cyber risks on the ground.

The customer relationship manager must be aware of the risks specific to his department. A plant manager must be aware of the cyber risks that would affect his operational systems. The same goes for the HR, sales and finance functions of an organization.

The risk manager should start the conversation with the CISO/CSO by asking the right questions. So far the question has been: what are my cyber risks? The right question must be: is there a cyber risk that we are exposed to that could jeopardize the reputation of the organization? The corporate security officer then has to become active, as they need to think through and discover the areas that can impact reputation. The risk manager should tell the CISO: here are my top 10 business risk areas; what cyber risks will affect each of these areas?
Thus, the enterprise risk manager (ERM) will flag the types of possible cyberattacks on the ERM dashboard, and business leaders will flag the possibility of attacks in their respective domains. Additionally, organizations need to plan for cybersecurity-related contingencies and resources well in advance. Contingency planning must be part of the critical information infrastructure. Salespeople need to be assessed and trained accordingly.

There is a severe shortage of digital skills to manage cybersecurity and data privacy. We face a scenario in which we are unable to attract or retain quality talent. Additionally, the focus on accelerating digital business outpaces investment in cybersecurity. Risk managers and risk owners need to find ways to mitigate this and create a sense of urgency, because the whole function of cybersecurity is to reduce risk to the business. It is unfortunate that today we are not able to remediate even the risks we have identified, because every remediation is constrained by cost, effort, resources and time.

The article was written by Gopal Krishnan KS, Director of Global Development for South Asia, Risk Management Society (RIMS)