India is well on the way to digitisation, helped along by consumer adoption of mobile devices and technologies, availability of high-speed internet, and a strong push from the Government. Unfortunately, this comes at the cost of cybersecurity. With the country becoming a favourite target of cyber criminals, it is imperative that Indian enterprises and institutions secure themselves against cyber attackers who are becoming smarter and bolder by the day.
Although most business organisations have made some provision for security, it usually exists as a complex maze of vendors and solutions that rarely integrate or even communicate with each other. Managing overall security in such an environment is challenging, expensive and not fully effective. What Indian organisations need to aim for is an integrated security solution that is open, automated and simple.
Despite escalating threats, confidence in security technology is riding high in Indian organizations. In 2016, 69 percent of CISOs and security operations professionals in India said that their security infrastructure is very up to date and is constantly upgraded with the best technologies available; in the previous year, this figure stood at 61 percent. Note that the number is also significantly higher than the 58 percent of respondents in the global Cisco 2017 Security Capabilities Benchmark Study who said the same thing.
Only 26 percent of respondents from India, compared to 37 percent globally, said that they replaced or upgraded their security technologies on a regular cadence but were not equipped with the latest and greatest tools.
Despite being equipped with the right solutions to detect threats and minimize their impact, security professionals in India find it a challenge to fulfil their agenda. Contrary to the global situation where budget is the primary constraint, in India, budget is no longer a key issue, having slipped to the joint 8th position in 2016, from 2nd place in the previous year. In 2016, the biggest barrier to adoption was organizational culture and attitude to security, closely followed by compatibility issues with legacy systems, and certification requirements and competing priorities in equal measure. Lack of knowledge about advanced security processes and technology was in fifth place.
In 2016, 30 percent of security professionals in India said that organisational culture and attitude to security was the biggest barrier to adopting the latest security technology and processes. This is sharply up from the 2015 figure of 21 percent, when organizational culture issues ranked a low 9th among 10 obstacles. Incompatible legacy systems came 2nd, named by 28 percent of respondents. Last year, this was the top barrier, named by 36 percent of security professionals in India. Globally too, incompatible legacy systems were voted the 2nd biggest barrier in 2016 after budget constraints.
Although they realize the importance of securing the business, Indian organisations seem to view security as an impediment to business growth, which creates some amount of resistance to adoption. The presence of a large number of disconnected legacy security solutions makes it hard to implement a cohesive security policy. Having to meet the certification requirements of so many solutions is another challenge. Last but not least, organisations find it hard to stay abreast of the rapid advancement in security processes and technology.
Ironically, too many point solutions can increase an organization’s vulnerability to attack if they don’t communicate and integrate with each other. Unfortunately, most security professionals in India, like their counterparts in other countries, have a tendency to juggle products from many vendors. This opens up gaps in time and space that cyber criminals can exploit, and prevents organisations from presenting a seamless defense to attack.
A sizeable majority of companies – 56 percent of the total – use more than 5 vendors, and 69 percent use 6 or more products; these proportions are very similar to the global figures, which stand at 55 percent and 65 percent respectively. However, when it comes to using a very large number of vendors and products, Indian organisations are ahead of their global counterparts – about 19 percent use 21 or more vendors and almost 30 percent of companies have at least 26 security products, compared to 10 percent and 17 percent respectively, globally.
A cause for concern is that the strong security infrastructure of Indian organisations is not translating into strong governance. The reasons include incompatibility of solutions, unavailability of trained staff, and a lack of knowledge about the latest advances in security processes. Only 63 percent of alerts are investigated, of which 39 percent are deemed legitimate. Finally, only 47 percent of legitimate alerts are remedied. This is only marginally better than the global performance – globally, 56 percent of security alerts are investigated, of which 28 percent are legitimate. Only 46 percent of legitimate alerts are remedied.
The following hypothetical example illustrates the seriousness of the issue.
If an organisation in India records 5,000 alerts every day:
- It investigates 3,150 alerts (63 percent) and ignores 1,850 (37 percent).
- Of the 3,150 alerts that are investigated, about 1,229 (39 percent) are found to be legitimate, while 1,921 (61 percent) are not.
- Of the 1,229 legitimate alerts, the organization remedies only 578 (47 percent) and does not remedy the remaining 651 (53 percent) alerts.
It is worrying that approximately 1 in 3 security alerts go uninvestigated. Organizations must introspect to understand what types of alerts are ignored and why. Do these alerts signal relatively trivial threats that might only spread spam, for instance, or do they pertain to much more serious issues such as a possible ransomware attack or critical damage to a network? Clearly, there is a need to raise the level of investigation. However, given the large number of alerts a typical organization receives every day, it would not be possible for an already burdened security team to investigate them all manually. The solution is to use automation and properly integrated security solutions to probe and analyse a greater area of the threat landscape.
The fact that Indian organisations ignore so many threats each day creates doubts about their ability to sustain themselves in the long term. For instance, could these uninvestigated threats snowball into a problem that impacts business performance, customer satisfaction, or corporate reputation? During the study, respondents from all over the world said that even small network outages or minor security breaches could make a long-term impact on the company’s bottom line. Even minor incidents, where it is easy to pinpoint and quarantine the systems that are affected, must be viewed with seriousness because of the stress they put on the organisation.
A big part of that stress falls on the security team, which has to control the damage following a breach. Our study shows that network outages can last quite long. 38 percent of outages in India lasted between 1 and 8 hours; 13 percent lasted 9 to 16 hours; and a similar proportion of outages went on for 17 to 24 hours. These figures are quite similar to the global situation.
Besides downtime, the proportion of systems impacted is an important metric in any breach. From the responses it appears that 30 percent, or 1 outage in every 3, impacted between 11 and 30 percent of an organisation’s systems, and 32 percent of outages impacted between 31 and 50 percent of systems.
The effects of breaches aren’t limited to outages. Breaches also mean the loss of money, time, and reputation. Security teams who believe they will dodge this bullet are ignoring the reality of the data. As our study shows, almost two-thirds of organisations have had to cope with public scrutiny following a security breach. Given the attackers’ range of ability and tactics, the question isn’t if a security breach will happen, but when?
Security breaches do much more than cause downtime. 62 percent of organisations in India, compared to 49 percent worldwide, have faced public scrutiny because of a breach. 32 percent of organisations said the breach was made public by third parties. 39 percent of organisations disclosed the breach because it was required by law, while 44 percent did so voluntarily. In these times of instant global communication and public activism, news of a breach cannot be suppressed for long. Even if a company does not disclose the breach voluntarily or under regulatory compulsion, it will come to light when a regulator, media channel or consumer activist broadcasts it.
Organisations must be careful not to become complacent about their security systems. As the recent WannaCry and Petya ransomware attacks show, cybercrime is continually evolving in capability and ambition. Those who have escaped attack until now must not assume their defenses are watertight. They must learn from the experience of organisations that suffered a breach and were forced to amend their security strategy and solutions.
An outage is only one part of the damage caused by a breach. There are several more serious consequences such as financial and reputational loss, that organisations should try their best to avoid.
Worldwide, and also in India, respondents named operations as the function most likely to be affected. The figure for India, at 40 percent, was only slightly higher than the 36 percent reported globally. What this says is that across industries and countries, a security breach poses a real threat to business as usual.
After operations, regulatory scrutiny and brand reputation are most likely to be impacted, named by 33 percent and 32 percent of respondents respectively. Customer retention and finances are next, named by 28 percent of security professionals in India.
In a highly competitive market such as India, no organization can afford disruption of key functions. Security professionals must therefore raise their organisations’ defenses against possible attack and also have a plan to get the business back on its feet quickly, should the worst happen.
No organization that plans to grow and achieve success wants to be in a position of having critical departments affected by security breaches. Security professionals should view the survey results with an eye toward their own organisations, and ask themselves – if my organization suffers this kind of loss from a breach, what happens to the business down the road?
Direct impact apart, companies also face the prospect of significant opportunity loss. 43 percent of security professionals in India said their organisations lost business opportunities because of attacks in 2016. It should concern them that the global number is much lower at 23 percent. Of the organisations that lost business opportunity, 35 percent said the loss was less than 20 percent; 35 percent said it was between 20 and 39 percent; 17 percent said it was somewhere between 40 and 59 percent; while 8 percent suffered a bigger loss of 60 to 79 percent.
Similarly, a significant proportion of Indian companies, 41 percent to be precise, lost revenue due to attack. 46 percent of these organisations lost less than 20 percent of revenue, 18 percent lost between 20 and 39 percent, and 16 percent lost between 40 and 59 percent.
Security breaches also erode an organisation’s ability to win or retain customers. 35 percent of organisations lost customers on this account. 41 percent of them lost less than 20 percent of customers, and 20 percent each lost 20 to 39 percent and 40 to 59 percent of customers.
The study shows that a security breach can leave a deep and long lasting impact on an organization. Since every company is likely to face one at some point, it is important to prepare well in advance for that eventuality. Top management should continually review their company’s preparedness to withstand attack, and bolster defenses by focusing attention and resources on the areas that are most vulnerable.
When a breach occurs, it is important to stay positive and use the incident as an opportunity to assess weaknesses and improve defenses. 94 percent of security professionals in Indian organisations that had managed public scrutiny due to a security breach said it drove improvements in their organisations. Of these, 50 percent said the incident increased security awareness training among employees, 49 percent said it led to an increase in investment in training of security staff, and about 47 percent said it increased enforcement of data protection laws and regulations. In 43 percent of organisations, a breach resulted in the establishment of a compliance/risk management office and also the formation of a team specialising in security. Interestingly, 39 percent of organisations separated the security team from the IT department and the same proportion hired or created the role of chief information security officer/chief security officer.
How can Indian organisations overcome constraints such as culture and legacy technology to achieve their security goals? One way is to outsource services from specialist providers.
In 2016, on average, 43 percent of Indian organisations relied on third-party vendors, of which 62 percent outsourced advice and consulting services, and 58 percent outsourced threat intelligence. The most popular reason for outsourcing was to save cost, cited by 62 percent of security professionals, followed by the desire to make a more timely response to incidents, cited by 60 percent of respondents. One third of the respondents said that lack of internal resources, including software and manpower, was the main constraint.
With security becoming a factor of success, organisations should expect their security preparedness and policies to come under the scrutiny of important stakeholder groups. Their response to these concerns can impact their ability to defend themselves as well as influence the perception and confidence of these stakeholders.
In the study, 89 percent of security professionals in India expected scrutiny from clients and customers, 88 percent said it would come from business partners, and 87 percent believed it would come from regulators and executive leadership.
Trust versus cost
Indian security professionals are united in wanting the best protection for their organizations, but differ on how to get it.
Many want to buy the best-of-breed solutions from their respective vendors because they trust them. Others, however, prefer the cost effective integrated architecture option. While both these considerations are important, decision makers must also take into account simplicity of implementation.
More security professionals in India prefer buying the best-of-breed solutions to the enterprise architecture approach; globally, the choice was evenly split between the two. Globally, trust drives preference for the best-of-breed solutions and cost drives preference for the architected approach in almost equal measure. In India, by contrast, trust is the primary reason why security professionals choose one or the other.
70 percent of organisations selecting the best-of-breed solutions said they did so because they trusted them, while 20 percent named cost as the reason. In the case of the enterprise architecture approach, trust was the decisive factor for 43 percent of organizations, while it was cost for 40 percent.
The fact is that organisations need to deploy both options in the right measure to maximize benefit as well as make security simpler and more effective. The integrated enterprise architecture approach helps security professionals understand what is happening at every stage of defense, to reduce the operational space open to attack. It is simple, scalable, and open enough to accommodate best-of-breed solutions where required. Last but not least, the enterprise architecture approach is automated to enable faster threat detection.
It is clear from the findings of the study that security is not simply a matter of amassing the right tools. How organisations put those tools and technologies to work will determine the strength of their defense against cybercrime.
Unfortunately, both in India and worldwide, companies continue to face constraints such as organizational culture issues, incompatible legacy solutions and talent shortage, that prevent them from leveraging their security infrastructure to the fullest.
These constraints hinder security adoption and increase organisations’ vulnerability to attack. The study presents ample evidence of the impact of breaches and should convince security professionals to strengthen processes and protocols.
Breaches result in more than just downtime; they can inflict serious damage and rob organisations of business opportunity, revenue and customers. Unfortunately, it is impossible to prevent breaches altogether and therefore every organization must work proactively on the assumption that some day, it too will come under attack. Even organizational constraints cannot be totally eliminated. Security professionals simply need to accept this and do their best to constantly update their knowledge about advanced security processes and technology and adopt them in their organisations.
Executive leadership is very important to build a supportive culture and attitude towards cybersecurity so that the organisation can protect its data, business and people. Although having the latest technology and tools inspires confidence, it does not automatically translate to better security. The study indicates that security departments in Indian organisations are grappling with multiple vendors and a number of legacy products, whose incompatibility is the second biggest obstacle to security, after organisational culture. As mentioned at the outset, simple, effective security tools and an integrated approach to security are the need of the hour.