Breaches, stringent compliance requirements, a false sense of security and lack of skilled manpower mark the challenges for C-level executives in large enterprises
Top concerns: Lack of skilled cyber security professionals; SMEs not prepared to pre-empt and manage cyber-attacks and data breach; Humans remain the most common threat to security of businesses.
India over the past year has seen a sharp increase in the incidence of data breach and cyber-attacks across sectors and company sizes. While the large organizations have been able to contain the damage in most cases by pre-empting attacks on their systems through resilient security systems, in other cases the media has got the whiff of it first. Additionally, the smaller enterprises are the ones who have emerged to suffer the most from irredeemable loss to data and reputation.
Here are some of the key challenges faced by SMEs and C-level executives this year:
Small to mid-market trending business challenges as of 2018:
1. Hackers are aware of the complacent nature of small businesses when it comes to cybersecurity. They understand that small businesses invest little-to-no money on improving their cybersecurity situation. Ultimately, it gives an easy opportunity for attackers to exploit.
2. Larger organizations typically have a robust defence system that is difficult to compromise or breach. However, many larger organizations have systems interconnected with small or mid-size businesses. When hackers compromise the security system of SMEs, they can then easily penetrate into the defence systems of larger organizations.
3. Data breaches can often mean doom for small and medium-size businesses. As a result, they are more vulnerable to ransomware attacks because they are highly likely to pay the ransom to save their data and their company from doom.
Business challenges trending amongst cyber SMEs as of 2018:
1. IoT has most definitely added convenience to hectic schedules. However, it has also opened new doors for cyberattacks. It is imperative for employers to now ensure that all IoT devices are set up correctly and there’s no room for a network breach.
2. Humans remain the biggest and most common security threat to businesses of all sizes or industries. There are many cases of employees abusing their privilege access, harming the company’s security layers in the process and resulting in a huge loss. According to a 2016 survey conducted by Ponemon Institute, 22% of businesses blamed cyberattacks on insiders. Moreover, the same survey also revealed that 56% of businesses reported that the attacks were either by new joiners or employees leaving the company.
3. The flexibility and scalability that the cloud offers makes this technology more compelling to small and mid-size businesses. However, huge concerns still exist for SMEs when it comes to the security challenge associated with the cloud technology. Although cloud technology is getting more and more secure, new and bigger vulnerabilities, loose ends make for security concerns.
4. App consumers are now being tracked through the use of ultrasonic tones. These tones are almost completely silent and can't be picked up by the human ear, but there are apps in your phone that are always listening for them. The technology is called ultrasonic cross-device tracking, and works by emitting high-frequency tones across ads and billboards, web pages, and across retail outlets, etc. Apps with access to the phone’s microphone can pick up these tones and build a profile about your viewership details and in some cases even the websites you’ve visited.
Challenges for C-level executives between 2017 and 2018:
1. Getting compromised and the media catching it first: Till date, reputation loss due to data breaches proves to be one of the top concerns for C-level execs across all multi-national organisations. Ian McClarty, CIO, PhoenixNAP Global IT Services says that the hope is to “'catch' this breach in a reasonable time to limit and mitigate so that we can notify the victims/public through a controlled message”.
2. GDPR introduction to Europe: The hottest topic till date amongst most cyber security developments in Europe is the introduction of GPDR. A significant change to how personal data is being and will be stored is yet to determine how companies will interpret guidelines on the data they keep based on having a ‘legitimate interest’ vs. that of requiring explicit ‘consent’.
3. Having a false sense of security: Given threat profiles for cybersecurity and the need to protect intellectual property and financial assets etc., there is no single investment or method that allows one to ‘check the box’ and be rid of cyber risks. End-to-end visibility of one’s technology footprint—from device to application destination—is a key capability required to enable success in understanding security positions and identifying new attacks.
4. Lack of cyber security skills amongst employees: People within a firm, till date, tend to be the highest risk factor across all organizations. With the ever-changing landscape of cyber and information security regulations, C-level execs are finding it increasingly difficult to monitor, advise and implement security guidelines for their employees. Phishing, shared WI-Fi, the GDPR regulations, etc. all are proving to be pain areas for ExCo members as most employees are still not aware of the threats involved.
The author is Partner, National Leader-Cyber Risk Services, Deloitte India