Corporate Cyber Security Risk – False Perception of Reality

Current State, Trends and Investment Plans for advancing Cyber Security – A Report on Cyber Security Services – Prepared by CyberInsurify Team.


OVERVIEW
What is in the Report?

1. Corporate governance or compliance is not enough: moving towards a prevention model for Cyber Security.
2. New evolving technologies and their threat anxieties: risk management takes center stage.
3. Putting your money where your risk is: 2017 investment outlook increases focus on People, Process and Technology to drive prevention.

Executive Summary

Adoption of Cyber Security has now become a necessity. In India, companies have expanded their technology budgets to include external security services, but digital transformation has also deepened the need for security solutions.
Companies are showing interest in implementing Cyber Security policies to become compliant in the first phase and more advanced security solutions in the next phase, but the challenge has also expanded because of an internal lack of awareness and tight budgets.

Although many of the advanced solutions will only come into focus in the next phase, managing business risk is already a high priority, and investments are concentrating on external threat vectors and reporting as well as on internal-threat solutions such as endpoint protection. As companies evaluate external cyber security service providers to help secure their digital posture, the growing emphasis is on measuring return on investment and seeing security solutions as a business enabler.

This emphasis on ROI is driven by a prevention-centric model supported by real-time monitoring and risk assessments. With the right set of security solutions for people, processes and technology in place, companies may have a far greater ability to detect anomalous activity and mitigate risks through security and compliance frameworks.

The implications are profound for both companies and security providers: security compliance is no longer optional, and security risks are no longer confined to the business's own infrastructure but extend to new platforms such as Cloud, BYOD, social media and IoT. As a result, companies are increasing their investments in security assessments to identify business risks. Sensitive data protection, real-time monitoring and business continuity are high on the priority list for 2017 investment plans.

Despite the high level of interest from top executives in implementing Cyber Security solutions this year, internal challenges of awareness, budgets and business growth persist. The responsibility is now on both companies and cyber security service providers to demonstrate that security investments are also business enablers and provide good ROI.

Key Takeaways

Cyber Security is no longer a 'maybe' for many organizations; a majority of them indicate plans to invest in Cyber Security under their 2017 technology budgets. The focus is now shifting from meeting corporate governance or compliance requirements to managing risk to sensitive data, including detecting Cyber Security incidents through incident response and identity governance and administration. Indian companies are evaluating external Cyber Security service providers to secure their digital business.

The most important concern is defining the Cyber Security policies that will drive the planned security investments in assessments such as vulnerability management and penetration testing, security audits and business continuity plans.

The major challenges that have emerged in implementing Cyber Security solutions are the new and evolving technologies: mobile, cloud adoption, social platforms and IoT. The scope of Cyber Security is increasing day by day and needs a more focused approach to risk mitigation and proactive response to potential breaches.

Internal lack of awareness and resistance to adopting Cyber Security measures also continue to figure prominently as challenges to implementing a security program (especially in India). Successful security programs need Information Security training and awareness for employees.

Indian companies are showing signs of adopting Cyber Security initiatives in their technology expansion plans. Adoption is happening in companies of all sectors, sizes and states of India, but companies in metro cities are adopting much faster.

Recommendations Summary

Cyber Security Policy
CIOs or CISOs need to ensure that the Cyber Security policy is well defined in line with company objectives and integrated with corporate governance.

Implement Top-Down Approach
Top executives must be involved in Cyber Security projects across the company to ensure proper implementation, the right budget allocations and the expected return on investment.

Cyber Security Trainings and Awareness
Companies must plan yearly calendars of Information Security training and awareness sessions for employees.

Introduction

Digital transformation is inevitable and cybercrime is here to stay. The most important question many enterprises are wrestling with now is not 'maybe' but how much and how soon. The answer to these questions lies in protecting sensitive data and managing risks properly. In the initial phase of Cyber Security adoption, enterprises pointed to a lack of awareness and looked for the best approach within their budgets. Now, the questions enterprises must contend with are: How do I initiate a Cyber Security program? How do I find out whether my data is secure? This new trend in information security is due to the improved prevention capabilities delivered by Cyber Security service and solution providers using a risk-centric approach.
Nowadays enterprises are more agile and dynamic. They are expected to perform well financially, to keep innovating in their existing products and services to meet their clients' requirements, and also to ensure the cyber safety of their business operations. The list of expectations is long, and alongside it sit the security challenges that we wanted to surface.

The crux of all Cyber Security incidents is that companies are vulnerable irrespective of their sector, and it does not matter whether they are an SME or an enterprise.

We have seen two major concerns faced by businesses:

1. Cyber attacks are getting more and more sophisticated, and
2. Companies need quick and urgent execution of security tasks.

The problem is real and confirmed by many survey reports

· Cybercrime cost India $4 billion (Rs 24,630 crore) in 2013, according to a report commissioned by the Delhi High Court. The global cost of cybercrime was estimated at between $375 billion (Rs 2,512,500 crore) and $575 billion (Rs 3,852,500 crore), according to a World Bank 2016 report.
· PwC's Global Economic Crime Survey 2016: more than one in every four organisations in India is impacted by economic crime.
· KPMG survey: 72% of Indian companies faced a cyber attack in 2015.
· Economic Times: study finds cybercrime in India up 300% in 3 years.

Cyber attacks are no longer a fantasy or a hypothetical situation. They have become a reality that needs to be addressed in the right way.

It is a myth that Cyber Security is only for the tech people in a company and that only they can understand the severity of the problems and fix them themselves. In practice these people cannot fix the problems in house on their own and need external Cyber Security services.

Therefore anyone who works for a company or helps to run a business must read this report.

Top Cyber Security Threats – Big Risk to Company Growth

Companies face cyber attacks because of the top cyber threats present in their infrastructure, which put their business at risk. As a result, many companies in India have already started their Cyber Security journey, and many more CIOs and CISOs are looking for external Cyber Security services to fix their security posture, as a Gartner report reveals.

If you are planning your company's cyber safety and business prospects, then you should read these top corporate cyber risks and the solutions to keep your assets secure.

To begin your cyber safety journey, you need to understand the existing Cyber Security risks to your company.

Top 10 Critical Corporate Cyber Security Risks and How to Prepare

1. To understand the reasons for corporate Cyber Security risks
The most common issue companies face is recognizing their crown jewels: they lack information about their assets and about those assets' vulnerability to attack, as the World Economic Forum report 'Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats' notes.

External cyber attack vectors need to be understood, and solutions to mitigate them chosen accordingly. The categories below outline the common external threat vectors.

· Cyber Threats & Incidents
· Data Loss or Theft
· Common exploits
· Compliance/regulatory incidents
· Phishing/Social engineering attacks
· Denial of Service
· Hacktivism
· Executive threats, and many more

2. To understand the insider threat

Today, with the exponential increase in data exchange, businesses are more prone to insider attacks. These cybercrimes can happen either through ignorance or intentionally, and either way they can bring serious consequences for the organization. This is a class of threat vectors that is often not given much importance in an organization's cyber security landscape.
Among all breaches, 77% of attacks are attributed to insiders and privilege misuse (2016 Verizon report).

3. To understand the importance of Cyber Security training and awareness

Educating employees on how to protect the company's information is critical to the company's cyber safety. Conducting information security training and awareness sessions for employees as part of the Cyber Security program has become a necessary step to reduce data integrity attacks.
Phishing is the number one cyber attack vector in 2017, and 43% of financial services respondents cite phishing attacks, according to The Global State of Information Security® Survey 2017.

4. To understand the Cyber Security basics and baseline standards

Companies are delaying patching of the systems and applications in their infrastructure for vulnerabilities surfaced during security assessments and configuration audits, which exposes them to cyber attacks, as the McAfee Labs 2017 Threat Predictions report notes.

5. To understand business continuity and recovery plans

Companies need to be prepared by having a business continuity and disaster recovery plan. This plan must outline the emergency response steps to minimize the damage and fail over to alternative systems to keep the business running. But the statistics show that companies are not well prepared for cyber incidents, according to the EY Global Information Security Survey 2016-17, India report.

6. To understand Cyber Security budgets, legacy infrastructure and ROI

Companies face issues in budget allocation. Because they have plans for business growth, budgets are tight and allocating budget to Cyber Security is a problem. This is one of the main reasons companies incur cyber security risks. Companies must therefore think of a cyber defense layer to prevent losses from cyber attacks. There is a shortage of cyber security professionals, and retaining them in house is a cost to the company. The best approach is to plan the Cyber Security objectives and allocate resources according to the budget.

Companies are investing a lot in software and hardware for their business operations and productivity, but they also face issues keeping their legacy infrastructure, both software and hardware, up to date with the latest versions. The lifecycle of hardware devices is becoming shorter these days and needs to be carefully managed. Companies should therefore plan their hardware investments against their 3-5 year Cyber Security objectives.

Another, bigger challenge for companies is the disconnect between their investments in Cyber Security solutions and the utilization of those solutions. It is very common for companies to purchase security solutions and not use them for months because of operational issues or lack of resources.

Source: SANS INSTITUTE – IT Security Spending Trends

We understand that the reality on the ground is more complex and that implementing these solutions takes time and human resources. As a result, investing in Cyber Security solutions does not ensure they will be properly used.

7. To understand the difference between company governance and Cyber Security

This is another area where companies face business risk because of confusion between corporate governance and a cyber security policy. Corporate governance is required to direct and control the company by setting up rules, practices and processes, but it does not follow that these rules also address the security aspects needed to protect the company from cyber attacks. Cyber Security in a company is the shared responsibility of everyone. Every manager should ensure that security systems are in place and used properly. As a result, CIOs are now integrating Cyber Security policies into corporate governance practices to ensure the protection of sensitive data.

8. To understand continually evolving technologies and their threats

The latest and increasingly complex Cyber Security challenge for companies comes from rapid developments in mobile technologies, cloud computing, social media and sensor-based solutions. With the increasing popularity of IoT solutions, the cyber security challenges have also increased exponentially. These developments have drastically enlarged the technology landscape and further widened the scope of Cyber Security for companies.

In the meantime, companies have also started providing flexible working environments to their employees, with remote working arrangements such as work from home and "Bring Your Own Device". This has created more burden on IT administrators to manage the IT infrastructure in line with Cyber Security policies.

According to the BYOD & Mobile Security 2016 study:

· One in five companies faced a mobile security breach due to malware and malicious WiFi.
· Security threats to BYOD impose heavy burdens on companies' IT resources (35 percent) and help desk workloads (27 percent).

9. To understand the importance of a Cyber Security policy

Nowadays a Cyber Security policy is a must for every company. The increasing frequency of sophisticated cyber attacks on companies across sectors is a big business risk, so having a clear Cyber Security policy is an important task for every company.

According to the PwC report 'Turnaround and transformation in Cyber Security India', companies in India lack Cyber Security policies.

10. To understand the importance of executive involvement in implementation

Is executive involvement in cyber security really that critical? This is a common question facing the top-level executives or board of every company. The reason is very simple: when the top executives or board are involved in Cyber Security implementation projects across the company, policies are developed and critical assets are protected properly. Otherwise, cyber security initiatives focus only on regulatory compliance rather than on building a proper cyber defense to block attacks and respond to cyber incidents.

Recommendations

A Cyber Security policy is a must for every company to define its objectives and map the requirements to resources accordingly. It will help to allocate cyber security budgets and measure the return on investment. It will also help in defining baseline standards for the company's infrastructure and implementing them.
Cyber threat vectors can be both external and internal. Companies should be aware of these business risks in order to plan mitigation. Frequent security assessments or audits are required to identify vulnerabilities and close the findings according to their severity. Systems must be patched or upgraded to the latest versions in a timely manner.

Companies must have plans to conduct information security training and awareness sessions for their employees. This will help in reducing social engineering and phishing attacks.
The most important aspect of implementing a company's Cyber Security roadmap is using a top-down approach, so that it is not assumed to be only an IT issue and not a concern of top management. With increasing developments in new technologies, the scope of cyber security is going to keep growing; it is a continuous journey.
—————————————
If you have any questions or comments, please share.