The Indian economy is facing a tough time. Amidst such an unstable scenario, a serious cyber breach or attack can dent both a company’s balance sheet and its image. As per a study done by Kaspersky Lab and B2B International, a serious incident can cost a large company an average of $649,000; for small and medium-sized companies the bill averages about $50,000.
But does that ring any alarm bells for executives sitting at the top? Well, not really. The same report estimates that most companies greatly underestimate the extent of the malicious attacks they are prone to on a daily basis. To be more precise, almost 90 percent of companies underestimate the volume of new cyber threats. Only 6 percent actually recognise their true scale, with only 4 percent estimating them significantly higher.
An inaccurate assessment of the scope of the threat can, in turn, seriously impact a company’s decision making when choosing the right security tools and solutions. A much lower estimate makes it very likely that the enterprise will let down its guard when devising its security strategy, adversely impacting its readiness to deal with the threats.
Understanding and acknowledging the opponent’s strength to its full extent can be the first step in fighting this battle. The next step is the realisation that there is no such thing as 100 percent security, and that your security measures are as good as the weakest link. At the risk of sounding clichéd, this mantra can work to help organisations constantly stay on their toes and proactively ward off threats and attacks.
Biztech2.com reached out to three key CISOs across enterprises to find out how each one believes in this mantra in their own individual way. The fact that security is not fool-proof comes out loud and clear. But, with that they further talk about how effective they feel their security measures are, and their readiness to deal with the cyber threats.
Radharishna T., Head-IT & Security, ING-Vysya
In today’s scenario, no company can claim that we are 100 percent prepared for cyber attacks. The fact that these attacks are growing in number and complexity is a great matter of concern. Having said that, we are also proactive in our approach. Besides the technology tools to secure the entire network we also have very stringent security policies that enable us to minimise any such incidents.
What Holds The Key: In the banking industry, the most important thing to secure is the data. All data is precious for us, both from business and reputation maintenance perspectives. The traditional firewall is not enough for this. One needs to step up and have a multi-layer security system in place along with specific policies to secure the data.
BYOD Thoughts: BYOD and mobility have brought newer challenges. We understood that we need to amend the existing policies to support BYOD from a security perspective.
Manish Dave, CISO, Essar
I can say we have adequate control over security, but cannot claim to have everything right. There are always some grey areas, especially in the security context, to be looked at. We need to understand the governance part a little more, wherein we can decide about the implementation of the current policies and monitor how the existing policies are being followed.
What Holds The Key: The web applications which are exposed more than the other business apps should be the ones on top of the priority list. We should not look at external breaches alone as inside-out breaches are more common in the Indian context.
BYOD Thoughts: BYOD and mobility are trends one cannot shy away from. Every organisation will need to accept the BYOD trend in the next two-three years. Being cautious is the key. One has to implement proper policy first and then look for the technology part to implement those policies. In Essar, we have allowed BYOD but in such a manner that company policies are not compromised and at the same time the end user does not feel restricted.
Atul Kumar, CISO, Syndicate Bank
We are prepared for any kind of known attack but cannot say the same for unknown attacks, which don’t have any signature. In fact, none of the banks can claim that they are fully prepared for such unknown attacks. Hence, constant monitoring and being vigilant are an absolute necessity.
What Holds The Key: End-to-end security should be the priority for any CISO. There is a need for a proper channel through which the customer interacts with the bank. When a customer is using any third party terminal to access Internet banking, it is very difficult for us to provide ample security to the customer. On our side, we are also constantly upgrading our servers and firewalls in order to be proactive.
BYOD Thoughts: BYOD and mobility are a sort of hype created by vendors. If a bank chooses not to allow its employees to access their core banking applications on their mobile devices, then there is no question of BYOD posing any threat. From a bandwidth perspective also, core banking applications cannot be accessed from a mobile device. However, there are companies that allow their employees to access core business applications. But then they should also be aware of the possible implications of a breach.
Dr. Gulshan Rai, Director General, I-CERT and GC (Cyber Laws Group Formulation & Enforcement Division), Department of Information Technology, Govt. of India
The Government is very serious when it comes to cyber security. Looking at the latest invasions on some of the government websites, a working group, including experts in relevant areas, has been constituted specifically for this purpose. It provides full advisory support in implementation of this activity in the cyber security arena through analysis of technology trends, identification of thrust areas and preparation of a technology development plan.
We certainly believe that the cyberspace is vulnerable to a variety of incidents - accidental or intentional. So we keep a track of all our data that is being exchanged over the cyberspace in order to minimise any misuse by either state or non-state elements. We are also looking at rapid identification, information exchange, investigation and co-ordinated response from various government agencies across India.
The Government of India also understood the need for a unified policy to address the challenges, and came up with the new National Cyber Security Policy 2013. Under the policy, our mission is to provide information infrastructure in the cyberspace along with building capacities to prevent and respond to cyber threats. By strengthening the regulatory framework, we are trying to ensure a secure cyberspace ecosystem.
Updated Date: Feb 03, 2017 00:13:25 IST