India of today is moving towards a digital future with dreams of smart cities, efficient road networks and wider communication channels but India Inc seems to be dodging or oblivious to the fact that these new dreams require fortification or protection.
By Anirban Ghoshal
With the rising threat of cyber security breaches and information leaks, spend on security has become one of the most important heads under a corporate’s yearly budget. However, a study conducted by PricewaterhouseCoopers (PwC), shows—though business loss due to information leaks showed an increase of 20%—Indian firms have cut their cyber security spend by 17%.
According to the study, the average cost of a security incident for Indian companies has more than doubled from $194 in 2013 to $414 in 2014 and there has been a 20% increase in the average losses as a consequence. But Indian companies have reduced the average security spending from $4.8 million in 2013 to $4 million in 2014.
The frequency of attacks have also increased imposing financial and non-financial threats to the firms. The annual survey of security, IT and business executives in India found that the total number of security incidents detected was over 1 million this year, which translates to 2,800 attacks per day contributing to rising y-o-y incident cost.
Interestingly, these numbers do not represent the total number of incidents. Many organisations in India continue to be unaware of such attacks, while some others do not report detected incidents for strategic reasons or because the attack is being investigated as a matter of national security. On the global front the numbers are steeper with an average financial loss attributed to cyber security incidents standing at $2.7 million, 34% more than in 2013. A recent study by the Centre for Strategic and International Studies noted that the difficulties in estimating financial impact but stated that the annual cost of cyber crime to the global economy ranges from $375 billion to as much as $575 billion.
“Cyber security is no longer an issue that concerns only IT and security professionals. The impact has extended to the C-suite and boardroom. It is now a persistent business risk. Awareness and concern about such security incidents and threats are a priority for the consumers as well,” said Sivarama Krishnan, executive director and leader—India Cyber Security, Governance Risk and Compliance Services, PwC India. “At the heart of organisational security is the human parameter. Organisations in India need to increase engagement levels with employees to manage this better,” he added.
Cyber attacks are more of a concern for India because there has been increased instances of compromises caused by organised crime. One in five (22%) respondents in India experienced security breaches caused by organised crime groups, much higher than the global average of 15%, the PwC report showed. And these kind of attacks are mostly motivated by financial gain as a successful cyber attack can fetch millions.
Insiders still remain the most common causes of cyber attacks or date leaks, the report said. Firms that were targeted cited current and former employees as the most common causes of incidents. Loss of data through associations with customers and vendors also contribute to a reasonable chunk of incidents caused by insiders and the lack of effective mechanisms to manage risks to data stemming from third parties is largely responsible too, it said.
According to the report, board level leadership was also an obstacle in enhancing overall strategic effectiveness of the organisation when it came to cyber threats. While only 49% of firms believe that their board is maneuvering them towards better security, only 39% believe that their board actively participates in reviewing current security and privacy risks.
This shows that organisations have not elevated information security to a board level issue.