While corporations claim of robust security policies in place, the sustained ascendancy of cyber attacks is continuing to put most defense mechanisms out of place. Hence, for specialist information security firms, enterprise security will continue to remain a goldmine as enterprises search for the elusive silver bullet in 2016
By Mohd Ujaley
Whether you trust the voluminous threat report published by security companies, technology giants, research firms and independent organisations quarter after quarter or not, but more or less few things remain common — Cyber attackers are continuously making tactical shifts in their strategy and despite the tall claims made by Sony, Ashley Madison, NSA and other firms who were recently breached that they had robust security systems in place, the fact is that these firms failed to safeguard the critical data and even today there is no silver bullet to security.
Similar is the case in India too. The landscape, here is not very different. Many major cyber security breaches have come to light in the recent past. The most recent case has been the hacking of the official web portal of the Indian Revenue Service (IRS) by suspected Pakistan-based groups who posted the message “Pakistan Zindabad” and “we are team Pak cyber attacker”. In a similar incident, a few months back, the website of the Indian Space Agency’s commercial arm, Antrix Corporation, was hacked. The hackers succeeded in defacing the home page with an article about 300 kids from Cape Town getting American Major League jerseys at cheap prices from China.
Press reports also cited the case of the Oil and Natural Gas Corporation Limited (ONGC) which allegedly lost Rs 197 crore after cyber criminals duplicated the public sector firm’s official e-mail address with minor changes and used it to convince a Saudi Arabia-based client, Aramco, to transfer payments to their account.
These incidents are a grim reminder to the government as well as to businesses that a lot needs to be done when it comes to cyber security. With the government embarking on the creation of digital highways and building of smart cities, the surface for cyber vulnerabilities has also increased as hackers can use the same digital highway and smart platforms to steal vital information.
According to American security giant Symantec’s Internet Security Threat Report, the India landscape is not very different from the global one. In fact, in 2014-15, 60 percent of targeted attacks were aimed at large enterprises and a third (34 percent) were targeted towards small businesses. Email remains a significant attack vector for cyber criminals, but hackers continue to experiment with new attack methods across mobile devices and social networks to reach more people, with less effort.
The report also says that cyber criminals are relying on lucrative and aggressive attack methods like ransomware, which rose globally by 113 percent. India reported the third highest ransomware in Asia, with an average of more than seven attacks every hour. A more vicious crypto-ransomware attack style has evolved which holds a victim’s files, photos and other digital content hostage without masking the attacker’s intention. In India, a staggering 86 percent of all ransomware was crypto-ransomware, claimed the report.
Interestingly, experts say that they have brought awareness among people, enterprises and government departments. As a result, for security companies, the overall market size for enterprise security has increased manifold. “Risk management is a challenge in many geographies but the willingness to address the challenges is not there in many countries. This is not the case with India. In the last five-seven years, we have seen dramatic change in the willingness of Indian companies to address the issue,” says Stephen DuBravac, Executive Vice President, Marketing, Security Weaver.
Growth drivers
From a vertical standpoint, banking & financial services and IT & ITES are the key drivers of the Indian IT security market. In addition, manufacturing especially pharma, engineering design, government including defense are also contributing to overall demand significantly.
Analysts from International Data Corporation (IDC) estimate the India security software market to grow at around 12% in 2016. “Even faster growth is expected in the security services space. On the security appliance side, our estimates indicate growth in higher single digits. The outlook for the overall enterprise security space is quite healthy,” says Vivek Gautam, Research Manager, Software & Services, IDC India. Gautam believes that segments such as network security, end point security including mobile and identity & access management will lead market growth. “Similarly on the services side, we are seeing good uptake of managed security services,” he adds.
Also, in its 2015 report, research firm Gartner predicted that security spending (hardware, software and services) in India was on pace to reach $1.11 billion in 2015, up 8.3 percent from $1.02 billion in 2014 and the firm expected security spending continue to grow in 2016 when revenue was projected to reach $1.23 billion. Security services (that includes consulting, implementation, support and managed security services) revenue accounted for 57 percent of this total revenue in 2014, and this proportion will increase to 60 percent by 2019, Gartner’s Analysts predicted.
Even on the global level, the current macro trends driving the growth of enterprise security business remain same. More and more enterprises are deploying cloud, mobile and social solutions and channels to engage with their end-customers and drive better efficiencies. Some are even going further to enable IoT devices such as smart watches, fitness trackers, Internet-enabled TVs and media players, and so on. As a result of the evolution of mobile, social, cloud and even analytics, enterprises are increasing the importance given to security and risk management technologies and solutions.
On the other hand, the anti-virus market is shrinking for everyone. Even for the key players like Kaspersky Lab and Symantec, the anti-virus market is smaller. Most of the sale depends on the total number of sale of PCs. As more people now prefer to use mobile devices like tablet and smartphones this has decreased the overall demand for anti-virus solutions which has lead to renewed focus on enterprise security, which has always been a goldmine for majority of the security companies.
Says Global CTO of Trend Micro, Raimund Genes, “I can’t speak for others but enterprise market is always a goldmine for us. We have been focusing on this segment since our inception. Most of our revenues come from the enterprise segment. As far as the consumer market is concerned, we focus on them, but the market is smaller.”
Technology trends
According to experts, in 2015, cyber security got heightened attention from businesses and governments alike. Most of the experts we speak with, believed that increasingly business leaders beyond CIOs became concerned about data security in their organisations. As a fall out, the security budgets swelled. Also enterprises started realising that having best-of-breed security products doesn’t mean they can’t be breached. Not only they need to continuously monitor threats, but they also need to be prepared to swiftly respond to contain the severity and length of attacks.
From products or technology perspective, two key trends were noticeable. Firstly, security features are increasingly being architected or embedded into products. For instance, Windows 10 has Windows Hello, a biometric technology that uses fingerprint, iris, and face recognition as an alternative to passwords. Similarly Cisco announced new offerings with embedded security across the network. Secondly the notion of security as a platform, as against series of point products or devices on network, gained traction.
However to the question of why people would need security companies like Symantec at a time when companies such as Microsoft are bringing in embedded security with products, Amit Jasuja, Senior Vice President – enterprise product, Symantec told Express Computer, “Large companies have been doing security since a long time but with the evolution of cloud, smartphone and apps, there are different devices in an enterprise environment. Hence, a company needs a unified security strategy and therefore security companies like Symantec are better placed to serve the enterprise goals.”
Technology shifts such as cloud, mobility, virtualization, BYOD have also impacted the overall enterprise security business in India and globally. As more enterprises adopt digital workplace strategies such as BYOD and consume cloud based services, a pattern of challenges and potential failure modes have begun to emerge.
According to Anmol Singh, Principal Research Analyst, Gartner India, “This is creating pressure on IT security leaders, both in India and globally, to evolve security controls to adapt to the changing business requirements and provide capabilities that bring situational awareness to security events by gathering and analysing a broader set of data, such that the events of relevance that pose significant threat to the organisation are identified and prioritised with greater accuracy.”
Adding to the views of Singh, Vivek Gautam of IDC India says, “Adoption of this new style of IT characterised by cloud, mobility, social, analytics etc, have waned the traditional boundaries of organisations. With more applications being put on cloud and BYOD trends emerging, IT administrators may not always have full visibility and control of security policies and practices being followed by employees and third party providers. For instance, most often information or data traffic from mobile workers don’t even cross corporate networks. All this have added to complexity of managing security and in turn pushed the market growth higher.”
From an enterprise IT demands perspective, the growth in fintech innovation aided by digital business imperatives is disrupting the traditional security approach for the financial industry and raising concerns around balancing security needs with improved user experience and mobility. On the other hand, with an accelerated growth in IoT deployments to support the smart city and smart government initiatives, more government agencies and public sector organisations are adopting a converged security approach that addresses the issues with data exchange and IoT devices. Also, as the critical infrastructure industries such as telecommunication and utilities embark on IoT initiatives, they will be required to address the emerging security challenges with approaches that address OT (Operational Technology) security issues, including dealing with regulatory compliance and performing risk assessments across the OT and IT systems.
In addition, other regulated industries such as healthcare and energy are also looking at acquiring new cyber security skills, vendor products and services to embrace an adaptive security architecture for better protection of their information assets and consumer interests from the emerging threats.
Says Muthu Raja Sankar, MD, Accenture Security, Accenture India, “The healthcare sector, which offers much promise in terms of leveraging technology to benefit people with cost-effective treatments and reaching last-mile penetration, has become a prized target for cyber-attackers. One of the key reasons attributed to this is the inadequate investments made by the sector in cyber security. Stolen medical records are said to hold nearly 10 times the value of stolen credit card data, and in a black market, this information is very lucrative.” He also adds that sectors which are highly dependent on innovation and IP for their sales and revenues will need to have security at the top of their agenda for their very survival.
The road yet to cross
There are many challenges to enterprise security but the most prominent is the lack of skilled security professionals. Shortage of qualified personnel puts pressure on IT departments to recruit, train and retain critical staff. So managing an in-house team of security professionals can be a costly affair, especially for SMEs with limited financial resources. To overcome this, organisations are increasingly relying on managed security services. Such services not only provide access to a trained workforce but are also cost effective. Managed Security Service Providers are able to spread investments in security software, hardware and facilities across multiple clients, which reduces the cost per client.
“Along with the shortage of skilled resources, a lack of proper understanding of complex data flows among applications and systems, interoperability with traditional IT systems, and achieving an appropriate balance between the security needs and user experience are some of the challenges that the enterprise security sector faces today,” states Singh.
Adds Shrikant Shitole, Managing Director- India, Symantec, “Internet security relies on the human element as much as it does on technology. Unintentional causes, such as employees losing devices or accidentally exposing critical data, are still the most common causes of security breaches. The understanding of the CIOs and CXOs as to how security can be built into their IT practices to effectively manage the ecosystem is also limited in many cases.”
According to Shitole, another challenge faced by organisations is of overworked and understaffed security teams that have so far been stitching together “good enough” security point products that were originally not designed to work together. Not only do these practices make an organisation more vulnerable to breaches, but it also increases operational complexities which indicates a need to engage in unified security.
What lies ahead
Gartner believes that contextualised and risk-based adaptive security approaches including online fraud detection and user behavior analytics are some security trends that are going to take the center stage in 2016 as enterprises step-up their efforts to secure new business models emerging from the digital industrial revolution.
Similarly authentication for IoT devices and other smart devices (like wearables) will emerge as a challenge as IoT becomes a reality and forces more changes to the way risk and security teams operate and deliver value to organisations. “We will continue to see the enterprise security market evolving alongside the new requirements evolving from IoT, cloud computing and mobility. We also predict that more and more large scale IoT implementations will require cloud-based security services to operate within acceptable risks in 2016 and beyond,” says Singh.
The importance of cybersecurity is highly strategic today. “Cybersecurity is no longer an issue that concerns IT and security professionals alone, but is also an important topic for boardroom discussions,” states Shitole of Symantec.
In the future, as new devices and new business models backed by technology emerge, expect cybersecurity to be at the center of every discussion.
Did you like the above story? Are you working on any project of your own? Feel free to share your opinion or idea in the comment section below or [email protected]
The article first appeared in print edition of Express Computer magazine, March 2016 issue. Read it here : Express Computer, March, 2016
