61% of Indian organizations placed outdated information security architecture and controls as the most important reason for increasing exposure to risk
While India is spending more on cybersecurity each year, organizations are still not confident of their ability to sense, resist and respond to cyber threats says a latest survey by EY, the global professional services organization. The report, titled Path to cyber resilience: Sense, Resist, React: EY’s 19th Global Information Security Survey 2016-17, was released here today by Dr. Gulshan Rai, National Cybersecurity Coordinator, National Security Council, Prime Minister’s Office, Government of India.
Now in its 19th year, the EY Survey is based on responses from 1,735 global C-suite executives, including 124 CXOs from India. 69% of Indian respondents reported an increase in their cybersecurity budgets over the last 12 months and almost three-fourths expect budgets to increase further in the next year. Despite the increased investments, 75% of the Indian respondents say that their cybersecurity function does not fully meet the organization’s needs. These findings are in line with the global trend where more than half of the respondents reported increased budgets on cybersecurity, but 86% are still not confident of their cybersecurity function.
Speaking on the occasion, Dr. Gulshan Rai said: “We are at the cusp of a cybersecurity paradigm shift and it is imperative that for the overall national security we join hands to share, evaluate and acquire threat intelligence and develop a robust operational framework to use this with security technologies. We will need immense focus to encourage technological innovations in cyber security to secure national critical infrastructure from cyber criminals.”
According to the survey, outdated information security architecture and controls has most increased risk exposure for India over the last 12 months, with as many as 61% of the respondents citing this aspect as their topmost vulnerability. Careless or unaware employees is their second-most important concern (58%), while vulnerabilities related to mobile computing, social media and cloud computing also feature prominently as contributing to enhanced risk exposure for corporate India. Among threats, the majority (54%) believe that cyber-attacks are primarily targeted at defacing/disrupting organizations or towards stealing intellectual property or data (51%), followed by fraud (48%).
Says Nitin Bhatt, EY India’s Risk Advisory Leader, “Disruptive innovations and the digital transformation of businesses and governments are exponentially enhancing cyber-risks. What is worrisome is that the response gap – which is the difference between the abilities of the attackers and the capabilities of organizations is increasing as well, leading to this lack of confidence in the cybersecurity function.”
The survey highlights that while respondents are more confident of their ability to predict and detect a cyber-attack with 52% saying that they would be able to do so, but not enough attention is being given to building basic, yet essential capabilities. More than half of the respondents (55%) do not have a formal, threat intelligence program, while 44% do not have a vulnerability identification capability. Further, more than a third (33%) do not have a security operations center (SoC), which serves as a continuous monitoring mechanism. More than half (52%) would not increase their cybersecurity spending after experiencing a breach which did not appear to do any harm, which the report highlights as a matter of concern, observing that ‘cyber criminals often making test attacks or lie dormant after a breach.’
“The need of the hour is for organizations to review if their security governance and architecture is adequate to protect their crown jewels. Since cyber resilience cannot be achieved by buying “security-in-a-box,” organizations need to focus on gathering periodic threat intelligence, enhancing their threat-hunting and breach-detection capabilities, and institutionalizing a robust incident-response framework,” said Nitin Bhatt, EY India’s Risk Advisory Leader.
