The state of cyber resilience
Organizations have learned, over decades, to defend themselves and respond better to cybercrime, moving from basic measures and ad hoc responses to sophisticated, robust and formal processes. This need has been affirmed by recent events such as the demonetization drive, coupled with the corresponding push to adopt digital technology, heightened focus on e-governance and digital governance, breach of sensitive defense data and the outburst of cybercrime.
The results of our latest global survey of 1,735 CXOs, out of whom 124 were from India, suggest steps for organizations to enhance their cyber resilience .
Sense is the ability of organizations topredict and detect cyber threats.Organizations need to use cyber threatintelligence and active defense to predictwhat threats or attacks are heading intheir direction and detect them when theydo, before the attack is successful. Theyneed to know what will happen, and needsophisticated analytics to detect earlywarningsignals.
Resist mechanisms are basically thecorporate shield to cyber-attacks. Itbegins with assessing an organization’srisk appetite, followed by establishing thefollowing three lines of defense:
- First line of defense: Executing control measures in its day-to-day operations.
- Second line of defense: Deployingmonitoring functions such as internalcontrols, establishing legal, riskmanagement and cybersecurityprocesses.
- Third line of defense: Establishing astrong internal audit department.
If Sense fails (the organization did not seethe threat coming) and there is a breakdownin Resist (control measures were not strongenough), organizations need to be ready todeal with the disruption, ready with incidentresponse capabilities and mechanisms tomanage the crisis. They also need to beready to preserve evidence in a forensicallysound way and then investigate the breachin order to satisfy critical stakeholders— customers, regulators, investors, lawenforcement agencies and the public, anyof whom might bring claims for loss or noncompliance.They also need to be preparedto bring the organization back to businessas usual as quickly as possible, learn fromwhat happened, and adapt and reshape theorganization to improve cyber resiliencegoing forward.
Let us not get blindsided and think that cyber agility automatically results in a positive answer to the main boardroom question of “Are we cyber resilient?”
A high level of confidence?
Organizations have improved their ‘Sense’ capabilities significantly in recent years. However, our survey indicates that many organizations lack basic cyber security systems and processes. This is evidenced by the below findings:
- 33% of organizations in India do not have a SOC, compared to 44% globally
- 55% do not have, or have only an informal, threat intelligence program
- 44% do not have, or have only an informal, vulnerability identification capability
In addition, there are four specific areas that need special attention:
A breach has occurred, but there appears to be no harm
Of the organizations polled in our survey, 52% would not increase their cybersecurity spending after experiencing a breach which did not appear to do any harm. In most cases, there was harm being done, but there was no immediate evidence found to support that. Cyber criminals often conduct “test attacks,” lie dormant after a breach, or use a breach as a diversionary tactic to throw organizations off the trail of what they are really up to.
Securing your ecosystem
This is a major area of risk that is often overlooked, as evidenced by the following findings:
- 68% will not increase their cybersecurity spending in the event that a supplier is attacked — even though a supplier is a direct route for an attacker into the organization.
- 58% will not increase their cybersecurity spending in the event that a major competitor was attacked — although cyber criminals often attack other, similar organizations following a successful cyberattack.
The impact of the Internet of Things (IoT)
The explosion in the number of connected devices is going to put more pressure on the sense capabilities of an organization:
- A number of organizations are concerned about their ability to know all their assets (40%), how they are going to keep these devices bug free (37%), how they will be able to patch vulnerabilities fast enough (40%) and about their ability to manage the growth in the number of access points to their organization (29%).
- Organizations doubt that they are going to be able to continue to identify suspicious traffic over their networks (44%), track who has access to their data (28%) or be able to find hidden and unknown “zero-day attacks” (50%).
- Many organizations expect difficulties with regard to monitoring the perimeter of their ecosystems (23%).
Information sharing and collaboration are on the rise
Our survey revealed the following:
- 26% of our responders’ SOCs collaborate and share data with others in the same industry.
- 44% of our responders’ SOCs collaborate and share data with other public SOCs. While this is a positive development, in absolute terms, this is relatively low number due to the low SOC implementation in India.
The atmosphere today will lead regulators, stakeholders, business partners and even customers to want to know more about your cybersecurity.
In our recent survey, more than half (61%) the responders said that their outdated information security controls or architecture were one of the biggest areas of vulnerability. 75% of responders said that their cybersecurity function did not fully meet their organization’s needs. We answer the critical question of where should organizations focus to better resist today’s attacks.
Activate your defenses
Our survey reveals that 35% of responders have had a recent significant cybersecurity incident, which shows that there is still more work to be done to strengthen the corporate shield. Maturity levels are still low in many critical areas.
Percentage of survey respondents who would rate the following information security management processes within their organizations as mature:
- Software security: 22%
- Security monitoring: 8%
- Incident management: 8%
- Identity and access management: 9%
- Network security: 11%
Budgets increase every year, but is it enough?
Cybersecurity budgets have seen year on year increases, with 69% of responders saying that their budgets increased over the last 12 months and 73% saying that their budgets will increase over the coming 12 months. 48% of the responders spent less than INR7 crore per annum in total (which includes people, process and technology) while only 28% claim to be spending between INR7 crore and INR14 crore per annum on cybersecurity.
However, organizations say that more funding is needed, with 40% citing budget constraints as a challenge and 37% of responders saying they need up to 50% increase in budget.
The role of leadership
Our survey has reported that 41% of responders say that there is a lack of executive awareness and support which is challenging the effectiveness of an organization’s cybersecurity mechanisms.
The importance of reporting
Among our survey respondents, 49% say that those responsible for information security do not have a seat on the board. In this scenario, the board has to rely on reporting instead.
- Only 8% have a mature metrics and reporting management process.
- Only 30% of reporting processes show where improvements were needed in the organization’s information security.
- 76% of organizations do not evaluate the financial impact of every significant breach and of those that have had a cyber-incident in the past one year, more than half (57%) have no idea what the financial damage has been or could be.
Despite of the quality of reporting being so low, it is surprising that only 38% of respondents think their boards are not fully knowledgeable about the risks the organization is taking and the measures that are in place.
Executive leadership and support is critical for effective cyber resilience.
Business Continuity Management (BCM) has been at the heart of an organization’s ability to react to a threat, attack or other disruption for many years. Again, this year, 63% of organizations rated it their joint top priority, alongside data leakage/data loss prevention. Security testing (e.g., attack and penetration) and privileged access management were ranked third and fourth, respectively. Security Information and Event Management (SIEM), together with SOCs, were ranked 5th, with 52% of the responders saying that they will spend more in these two areas over the coming 12 months, followed by security awareness and training.
There is also focus on other React capabilities.
Adapt: By looking at the threat horizon and threat actors, the resilient organization needs to be flexible and agile to adapt its business processes and protection mechanisms.
Reshape: This is the re-engineering required to improve both the resilient and operational mechanisms for an increasingly secure and sustainable organization.
When reacting to an attack, the board must show leadership
The key is to communicate and lead the communications before traditional news media and social media take over. Too many organizations are still unprepared in this respect.
- 32% do not have an agreed upon communications strategy or plan in place in the event of a significant attack
In the first seven days after an attack:
- 32% say they would make a statement to the media
- 39% would notify regulators and compliance organizations
- 46% would not notify customers, even when it is customer data that has been compromised
- 56% would not notify suppliers, even when it is supplier data that has been compromised
Leading the recovery of the organization
- Only 3% of responders have made a significant change to their organization’s strategy and plans after a cyber-risk assessment
- Only 22% say that they have fully considered the information security implications of their organization’s current strategy and plans
Asking tougher questions and closing the gaps
Our survey revealed how much organizations like to rely upon themselves to test or manage their own cybersecurity. In the recovery phase, it may be worthwhile to consider whether this should continue. Currently, the following is true:
- 82% conduct self-phishing assessments
- 42% do their own vulnerability assessment
- 71% conduct their own incident investigation
- 72% do their own threat intelligence analysis
Overall, considerable improvement is still needed from a React perspective
Our survey also found gaps that need to be addressed. Despite careless employees, phishing and malware being such major and known threats, only 26% have an incident response plan that would help them recover from malware and employee misbehavior.