Cybersecurity: Are Indian boards serious enough?

Cybersecurity is no longer a mere technical problem constrained within the hands of the IT team of an organisation, but has become a serious Enterprise issue. For the past two years there has been a sea change in the way cyber threats have evolved especially during the pandemic era. As the cyber-attacks have gone hi-tech today with the criminals themselves using AI -level sophistication and visual learning, there is a bigger possibility of the core control systems of an organisation to be disrupted today than say five years ago.

Mobile phones, IoT and Cloud-based systems have become the new target areas of cyber-attacks. Hackers have become very sophisticated. They form groups called Advanced Persistent Threat gangs or APT gangs backed by nation states and their prime target is sensitive information of big companies. And, not many mobile phones are anti-virus protected. Double Extortion ransomware is on the rise and organisations’ own employees are becoming a threat for its sensitive information and intellectual property.

The hackers are getting lazier and are finding newer ways to attack. First, they took to ransom ware. Then realised it is easy to send a phishing email. Now they are trying Brute Force attacks. During the recent past when thousands of an organisation worked from their homes, Brute Force attacks have become common. Brute Force uses trial and errors to crack pass words.

In the recent cyber-attack on a leading airline of the country, four million user name and passwords were leaked. Similarly, a large Indian online grocery store was attacked and data of 20 million users were leaked. The attack could be on an industrial control system, a nuclear plant, on the ICU system in an hospital.

As today’s cyber-attacks involve paying millions in ransom and severely damage organisational reputation, it is high time that the enterprises consider cybersecurity as a serious risk issue. However, the irony of the fact is that Indian Boards are still not serious about cybersecurity to be considered as a critical enterprise Risk issue. A recent Cyber-insurance survey on 120 Indian organisations conducted by RIMS, the risk management association along with a Global insurance broker, JB Boda Group, highlights this point.

Of the organisations surveyed, more than 59% of the organisations store data or run applications and underlying technology on the cloud; More than 22% run a hybrid model with some application/data reside on-premises and rest on the cloud. 70% of the organisations surveyed handled personally identifiable information (PII), while 38% managed health records. Over 73% have experienced a security breach over the past one year or so. However, these organisations did not have a controlled system to continuously monitor the data. In an era of continuous monitoring 32% of the respondents did not do external penetration testing; 42% of the respondents do not have a cyberthreat intelligence gathering function. Over 59% of the organisations surveyed have not yet implemented a Build Your Own Data (BYOD) policy for their employees and about 20% of them have only partly implemented it for key employees. All the numbers are alarming. Based on our continuous engagement with Indian corporate Boards, the situation there is almost the same as what is being reflected in the survey.

A top-down approach in management communication on Cybersecurity is a Must

There needs to be a complete overhaul on cybersecurity related communication in an organisational hierarchy. So far, a siloed approach has been followed in terms of addressing the issue. Organisations need to break down these silos by bringing in more integration and agility, and work together as a cohesive team. A Top to Bottom approach has to be followed by the organisations in addressing cyber challenges.

Cybersecurity needs to be aligned more closely with the strategic business objectives of an organisation, which is what Risk Management is focussed upon. It needs to be a big discussion in the corporate Board Rooms. So, there has to be a continuous communication from the CEO to his Risk Manager, Business Managers, Managers in safety, physical security, customer satisfaction, sales, finance, HR, marketing, etc to make cybersecurity a relevant risk parameter to watch out for. These managers should be well aware the cyber risks their respective departments face. So, when the CEO sits for a review meeting with these business managers, they should appraise him of the immediate cyber risks on the ground.

The customer relation manager should be aware of risks, specific to his department. A factory manager, should be aware of the cyber risks that would affect his work systems. The same applies for the HR, Sales, Finance functions of an organisation.

The Risk Manager should start the conversation with the cybersecurity officer /CISO by asking the right questions. So far, he has been asking my cyber risks are? The right question has to be – are there any cyber risk that we are exposed to which can put the reputation of the organisation in jeopardy? The firm’s security officer will now be active as he has to think and find out the areas which may impact the reputation. The Risk manager should ask the CISO, here are my top 10 enterprise risk areas. What cyber risks will affect each of these areas?
So, Enterprise Risk Manager (ERM) will report what kinds of cyber-attacks are possible in ERM dash board and Business Managers will report about the possibility of attacks in their respective areas. Furthermore, the organisations need to plan for the contingencies or resources related to cyber security well in advance. The contingency planning has to be part of the critical information infrastructure. Vendors need to be appraised and trained in this direction.

There is severe talent shortage in terms of digital skills for managing cybersecurity and data privacy. We are struck in a scenario where we are unable to attract nor retain quality talent. Also, the focus on accelerating digital business, is outstripping investments in cybersecurity. The Risk Managers/Head of Risks should find ways to mitigate and build in a sense of urgency as the entire function of cybersecurity is to de-risk the business. It is unfortunate today that we are not able to remediate even the identified risk because every risk is constrained by cost, effort, resources and time.

The article has been written by Gopal Krishnan KS, Director of Global Development-South Asia, Risk Management Society (RIMS)

Leave a Reply

Your email address will not be published. Required fields are marked *