72 per cent of Indian companies faced cyberattacks in 2015, says KPMG

As the threat of cybercrime looms large over businesses and the general public, KPMG has carried out a cybercrime survey this year to get a pulse of cybercrime in India. The Cybercrime Survey Report 2015 released today by KPMG in India attempts to analyse the preparedness of organisations in India to deal with cybercrime and incidents by unearthing its modus operandi and its extent, besides highlighting preventive measures to deal with this menace. Over 250 respondents from the likes of CIOs, CISOs, CAEs, CROs, COOs and related professionals from across India participated in the survey.

The KPMG in India Cybercrime Survey Report states that 94 per cent respondents indicated that cybercrime is a major threat faced by organisations, but surprisingly only 41 per cent indicated that it forms part of the board agenda.

“The advancement and adoption of technology has enabled criminals to leverage it to carry out crime. Mumbai police has a dedicated cyber police station and is continuously strengthening itself by undertaking trainings to deal with cybercrime cases. It is critical for the citizens, both corporates and individuals, to be aware of cyber risks and not fall prey to the vishing/phishing scams. We are undertaking a drive to educate and create an awareness among citizens with reference to cyberthreats,” said Ahmad Javed – Commissioner of Mumbai Police.

Highlighting the current cybercrime scenario in India, the report shows that 74 per cent respondents believe that the BFSI sector is a top target for cybercrime with 63 per cent indicating these crimes more often than not amount to gross financial loss. Moreover, 83 per cent respondents of the 250+ C-suite executives that participated in the survey indicated that there is usually external involvement in cyberattacks with directors/management being most vulnerable according to 64 per cent. It was also alarming to note that 54 per cent indicated that spend on cyber defences is less than 5 per cent of IT spend.

“The last few years have seen multifold increase in cybercrimes across regions and sectors. Given the proliferation of connected technologies, organisations today face a significant challenge to be resilient against cyberattacks and incidents. It is also important that the management realises that these are no longer a one-time phenomenon. The nature of cybercrime is constantly evolving, specifically with attackers having a solid arsenal of the ever evolving stealth attack. KPMG in India has been at the forefront in helping companies understand cyberthreats and determining better preparedness against cybercrime,” said Mritunjay Kapur, Partner and Head, Risk Consulting, KPMG in India.

“Cybercriminals have understood the potential of an illicit financial gain and have begun executing highly sophisticated technology-driven frauds. These cyberfrauds, by nature, are complex and difficult to detect. Organisations need to strengthen their cyber incident response process along with building strong prevention and detection systems. Cyber forensics therefore is becoming a critical component of fraud investigations.” - Mohit Bahl, Partner and Head Forensics, KPMG in India

The report also analyses the impact and complexity of cybercrime in India. As businesses throw their doors open to technology, they also expose themselves to the risk of cybercrime that can have far reaching damages ranging from financial, reputational, operational and in certain scenarios, can also impact the physical safety of employees and assets, with 47 per cent citing the risk of disruption of business processes and 49 per cent claiming a reputational damage to the organisation. While surveying the potential vulnerable system targets of cybercrime, 65 per cent respondents indicated that email servers are likely targets while 46 per cent stated end user systems. In the case of industries, though financial services and pharmaceuticals are still the favourite target for cyberattacks, the year 2015 has witnessed attacks across industries. Critical infrastructure is being seen as an attractive target for cyberattacks.

According to Atul Gupta Partner at KPMG in India, “People and vendors are one of the many critical yet one of the weakest links in the cyber defence chain. Cyber investigations of large cybercrimes reveal that social engineering has predominantly been one of the preferred methods to extract critical information. In this context, it is vital for CXOs to ensure that cyber risk awareness trainings are periodically imparted to employees and vendors.”

The report with its keen eye for detail and a thorough assessment of cybercrime in India, not only studies the impact of this burgeoning threat but also enumerates the characteristics of a typical cybercriminal and his/her motivation factors. 65 per cent respondents stated that cybercriminals carry out attacks for financial gains while another 46 per cent believe corporate espionage to be the motive.

Cyber risk assessment is not a focus area for several enterprises across functions and people. Their emphasis is only on technology with 74 per cent respondents stating that a detailed annual IT and cyber risk assessment is not carried out.

As the report outlines the steps to designing a robust cyber risk management process, it acknowledges that while organisations play a key role in shoring up their defences, the way that law and order is structured also plays a crucial part in tackling cybercrime.