Is cyber security at the heart of your business strategy? EY Global Information Security Survey (GISS) 2018-19 – India edition
Contents
1 The future state of cybersecurity
2 Protect the enterprise
3 Optimize cybersecurity
4 Enable growth
5 The results in summary — and action points for improvement
6 Survey methodology
Introduction
In recent years, we have realized the menace cyber-attackers can create for any organization operating in this data-driven and connected world. Cyber-attacks are a real threat to society, businesses and governments, all at the same time. Today, cybersecurity has become a boardroom concern for organizations across verticals, revenue bands and geographies due to the rising costs of cyberattacks and their broadening scope. Now cyberattacks are not restricted to a few sectors, but have far-reaching impact across sectors, as witnessed during the WannaCry and NotPetya attacks of 2017 and Meltdown and Spectre of 2018. Governments are focused on strengthening their regulations to force data owners to exercise their responsibility to protect the privacy of data.
Globally, there has been a 600% rise in the number of cyber-attacks on IoT devices. India was the second most affected country by targeted attacks during the last few years, after the USA. Nowadays, attackers are getting increasingly sophisticated with the use of machine learning, which increases the sophistication of the attacks; IoT botnets are also used as launch pads to create a domino effect.
Organizations need to realize the need to join hands to share data, anticipate the next attack and reduce the impact of cyber attackers. Organizations need to be ready to detect an incident, respond in a timely manner and address the challenge.
In the 21st EY Global Information Security Survey (GISS), we discovered that a majority of the companies are focusing on cybersecurity and plan to increase their annual cybersecurity budgets to protect themselves. Cybersecurity needs to be in the DNA of the organization. Companies need to increase cybersecurity budgets now (instead of as a reaction to an attack) and focus the spend on threat detection and response. This will lower risk profiles significantly. All this is achievable when cybersecurity is made part of the digital transformation and is part of strategic oversight.
It is going to be an ongoing process which needs to go hand in hand with the technological enhancements.
Rohit Mathur, India Advisory Risk Leader
Foreword
Welcome to the 21st EY Global Information Security Survey (GISS) exploring the most important cybersecurity issues facing organizations today. This year, we are delighted that more than 230 respondents from across multiple sectors in India have taken the time to participate in our research.
EY analysis of the responses from CIOs, CISOs and other executives shows that many organizations are increasing the resources they devote to cybersecurity, but they remain deeply concerned about the scale and severity of the threat. Moreover, the objective for all organizations should be to not only protect the enterprise with good cybersecurity hygiene and basic lines of defense, but also to optimize the response with more advanced tools and strategies. As digital transformation proceeds, cybersecurity must be an enabling function rather than a block to innovation and change.
This year’s GISS explores these themes in more detail. By sharing ideas and leading practices, we can improve cybersecurity for all.
Guru Malladi, India Risk Technology Leader
Pulse of the Survey
• Majority (70%) of the organizations plan to increase their cybersecurity budgets.
• 69% of the firms outsource their consultancy-specific information security activities and more than half of the organizations are spending more on cyber analytics.
• 46% of the management teams have a comprehensive understanding of information security.
• Organizations see careless/unaware employees as the biggest vulnerability.
[1] “Internet Security Threat Report”, Symantec, April 2018
Digitization has a positive impact overall on the country, and the government’s focus on driving digital inclusion for empowerment has ensured that citizens in even the remotest of places have found their way into the mainstream. However, to ensure such sustained growth we need to strategize adequate cybersecurity protection around our digital initiatives. Cyber-attacks and cyber fraud have increased exponentially in the last few years and every individual or organization is a target. The need of the hour is to enable and foster a cyber-secure culture and ecosystem. The Government on its part has taken a number of initiatives in this direction; however, the involvement of each citizen and all organizations to make it a collective and coordinated movement is a must for the success of a cyber-secure ecosystem.
Dr. Gulshan Rai, National Cyber Security Coordinator, National Security Council, Prime Minister’s Office
The Cyber Security journey of organizations across different verticals has been experiencing a substantial shift, and the Survey offers insights on the same. Attention to Cyber Security at the highest echelons of Government and Enterprises is significantly on the rise. Given that Cyber Risk is now a core Country and Enterprise risk, Industry is stepping up its capabilities and we are witnessing the ecosystem of both Product and Services companies scale up to meet the demand. We need to invest more in Skills Development in all the emerging disciplines of cyber security, and innovation and R&D Budgets for cyber security to gear up our preparedness.
Rama Vedashree, Chief Executive Officer, Data Security Council of India (DSCI)
01 The future state of cybersecurity
With the rise in digital movement, there is an exponential increase in data generation as more and more transactions are taking place on digital platforms. The country is facing cybersecurity issues as it manages digitalization. This year’s India edition of the EY Global Information Security Survey shows cybersecurity continuing to gain importance on the board’s agenda. Organizations are planning to spend more on cybersecurity, devoting increasing resources to improving their defenses and working harder to embed security-by-design.
However, the survey results also suggest that organizations need to do more. More than three-quarters (81%) of organizations do not yet have a sufficient budget to provide the levels of cybersecurity and resilience they want. Protections are patchy, relatively few organizations are prioritizing advanced capabilities, and cybersecurity too often remains siloed or isolated.
The challenge is for organizations to progress on three fronts:
1. Protect the enterprise: Focus on identifying assets and building lines of defense.
2. Optimize cybersecurity: Focus on stopping low-value activities, increasing efficiency and reinvesting the funds in emerging and innovative technologies to enhance existing protection.
3. Enable growth: Focus on implementing security-by-design as a key success factor for the digital transformations that most organizations are now going through.
These three imperatives must be pursued simultaneously. The frequency and scale of the security breaches all around the world show that too few organizations have implemented even basic security. However, even as they seek to catch up, organizations must also move forward, fine-tuning existing defenses to optimize security and support their growth. As the digital transformation agenda forces organizations to embrace emerging technologies and new business models — often at pace — cybersecurity needs to be a key enabler of growth.
It’s not easy ... do you recognize this?
• 6,95,000: The number of cyber-attacks identified in India between January-June 2018 [2]
• 188 days: The mean time to identify a data breach in 2017 [3]
• 3rd rank: India ranked third after US and China as the most vulnerable country in terms of risk of cyber threats in 2017 [4]
• US$1.7m: The average cost of a data breach in 2017 [5]
• 783%: The increase in data theft incidents in 2017 over 2016 [6]
• 1st rank: India tops globally with the highest number of detected spam-bot [7]
[2] “India witnessed over 6.95 lakh cyberattacks from Russia, US, others in January-Jun: F-Secure”, Economic Times, November 2018
[3] “2018 Cost of Data Breach Study”, IBM Security and Ponemon Institute, July 2018
[4] “2018 Cost of Data Breach Study”, IBM Security and Ponemon Institute, July 2018
[5] “Data theft increased by 783% in India in 2017”, Business Today, May 2018
[6] “Internet Security Threat Report”, Symantec, April 2018
[7] “The World’s Worst Botnet Countries”, Spamhaus Project
02 Protect the enterprise
A. Governance
B. What is at stake?
C. Protection
D. Breaches
Our analysis suggests that a large number (69%) of organizations are still spending a very limited portion of their overall IT budget for cybersecurity and resilience. They may not even have a clear picture of what and where their most critical information and assets are — nor have adequate safeguards to protect these assets. That is why it is important for most organizations to continue to zero in on the very basics of cybersecurity. They should first identify the key data and intellectual property (the “crown jewels”), then review the cybersecurity capabilities, access-management processes, and other defenses, and finally upgrade the shield that protects the company.
Questions that organizations must consider:
• What are our most valuable information assets?
• Where are our most obvious cybersecurity weaknesses?
• What are the threats we are facing?
• Who are the potential threat actors?
• Have we already been breached or compromised?
• How does our protection compare with our competition?
• What are our regulatory responsibilities, and do we comply with them?
One overarching problem is skill shortages: estimates identify that about three million cyber security professionals are required in the country but the supply is not even one million for now [8]. Even in the well-resourced sectors, organizations are struggling to recruit the expertise they need. The lack of availability of knowledgeable professionals is the biggest impediment for organizations across sectors. Diversity is a business imperative. Diverse teams drive better results across the organization. They are more innovative, objective and collaborative. That’s critical in cybersecurity where every day is a fight to stay a step ahead of the attackers. Industry bodies in India have undertaken few measures to encourage women to consider cybersecurity careers.
In this chapter, we look at the four vital components of protecting the enterprise:
1. Governance: Organizations should address the extent to which cybersecurity is an integral part of the strategy of the organization, and whether there is enough funding for the necessary investment in defense.
2. What is at stake? What do organizations fear the most and how do they regard the biggest threats they are facing?
3. Protection: The maturity of the cybersecurity of an organization and the most common vulnerabilities are key.
4. Breaches: How breaches are identified and the way in which organizations respond are critical issues.
[8] “IBM India says cyber security a gold mine for jobs”, Times of India, May 2018
A. Governance
Is cybersecurity part of the strategy? And is it in the budget?
More than half (56%) of the organizations are considering protection of the organization as an integral part of their strategy and plans. The good news is that cybersecurity budgets are on the rise. Around two-thirds (70%) of the organizations plan to increase their cybersecurity budgets.
How organizations’ total cybersecurity budget is set to change in 12 months (this year / next year):
• Increased by more than 25%: 7% / 12%
• Increased between 15% and 25%: 16% / 27%
• Increased between 5% and 15%: 34% / 30%
• Stayed approximately the same (between +5% and -5%): 40% / 28%
• Decreased between 5% and 15%: 3% / 3%
Digital transformation compounds the problem, as in some cases it becomes difficult to define the perimeter of the organization. The borderless nature of today’s organization makes it difficult to gather clear visibility of what lies within and what lies outside the perimeter of the organization. If sufficient budgets aren’t allocated, organizations could severely expose themselves to cyber threats.
Tiffy Issac, Partner, Cybersecurity, EY
• 44% of organizations do not consider information security as an influencer for their business strategy and plans
• 57% have seen an increase in their budget this year
• 70% foresee an increase in their budget next year
• 41% say that less than 2% of their total IT headcount work solely in cybersecurity
Sector insights
According to our survey, to better protect against emerging threats 25%-50% of additional funding is required over existing security budget by all (100%) of telecom organizations, most (92%) of technology organizations, and majority (58%) of power and utilities organizations. However, 75% of the organizations in the consumer products and retail have identified that more than 50% of the additional funding over existing security is required.
B. What is at stake?
What is the biggest fear? And what are the biggest threats?
What is most valuable?
It can be noted that customer information, financial information and strategic plans make up the top three most valuable types of information that organizations would like to protect. Board member information and R&D information follow closely after the top three listings. Supplier information lands at the 10th place in the list, highlighting the requirement to protect the supply chain.
What are the biggest threats?
Most successful cyber breaches contain “malware” as the starting point, followed by “phishing”. Attacks focused on disruption rank in third place on the list, followed by attacks with a focus on stealing money. Although there has been quite a lot of discussion about insider threats and state-sponsored attacks, the fear of internal attacks shows up as number eight on the list; natural disasters rank at the bottom of the list.
Disruptive innovations and the digital transformation of businesses and governments are exponentially enhancing cyber-risks not just in the financial services sector but across industries. Owing to which, it is critical to lay greater impetus on addressing the response gap, which is the difference between the abilities of the attackers and the response capabilities of the organization. While newer technologies like AI and Blockchain are gaining ground in helping companies put better defence mechanisms in place, it’s important to note that these are not a substitute for the traditional building blocks of security, i.e. hardening and effective patch & vulnerability management. As digital transformation gains ground and enterprises increasingly ramp up digital capabilities, cybersecurity strategy must match steps with the business.
Burgess Cooper, Partner, Cybersecurity, EY
Top 10 most valuable information to cyber criminals
1. Customer information (17%)
2. Financial information (13%)
3. Strategic plans (12%)
4. Board member information (11%)
5. R&D information (11%)
6. Customer passwords (10%)
7. Intellectual property (9%)
8. M&A information (6%)
9. Non-patented IP (5%)
10. Supplier information (5%)
Top 10 biggest threats to organizations
1. Malware (22%)
2. Phishing (15%)
3. Cyberattacks (to disrupt) (15%)
4. Cyberattacks (to steal money) (11%)
5. Cyberattacks (to steal IP) (10%)
6. Fraud (8%)
7. Spam (7%)
8. Internal attacks (5%)
9. Espionage (4%)
10. Natural disasters (3%)
• 17% of organizations say their biggest fear is the loss of customers’ information
• 22% see malware as the biggest threat
• 3% rank natural disasters as a threat
C. Protection
What are the riskiest vulnerabilities? How mature is cybersecurity?
Vulnerabilities increase when it comes to third parties. 20% of organizations have taken basic steps to protect against threats coming through third parties; 18% are aware of the risks through self-assessments or other certifications, while globally the awareness is slightly higher, with 36% of companies being aware of the risks through self-assessments; and 10% through independent external assessments. However, 17% of organizations still rate their internal third-party management process as non-existent for security management in terms of maturity.
Hackers have time and again proven their ability to penetrate deep inside organizations and to launch sophisticated strikes as well as covert campaigns. The last year saw some of the most intriguing cases of cyber threats coming to life. Hackers continue to play on the gullibility of users and have found newer means of stealing information.
Vidur Gupta, Partner, Cybersecurity, EY
Vulnerabilities with the most increased risk exposure over the past 12 months
• Careless or unaware employees: 32%
• Outdated security controls: 21%
• Unauthorized access: 19%
• Related to cloud computing use: 8%
• Related to smartphones/tablets: 8%
• Related to social media: 8%
• Related to the internet of things: 4%
32% of organizations see careless/unaware employees as the biggest vulnerability.
46% have no program – or an informal program – for one or more of the following:
•• Threat intelligence
•• Vulnerability identification
•• Breach detection
•• Incident response
•• Data protection
•• Identity and access management
Sector insights
According to our survey, 87% of the organizations in the technology sector and 70% of the organizations in the telecom sector have put careless employees as the most likely source of attack, with the fear of losing their most valuable information, i.e., customers’ PII (Personal Identifiable Information), due to employee unawareness.
D. Breaches
How are breaches identified? How do organizations respond?
Organizations agreed that the biggest motivator for them to step up their cybersecurity practices or spend more money would be some sort of breach or incident that caused very negative impacts. According to the survey, 39% of respondents perceived that a breach where no harm was caused would not lead to higher spending. In contrast to this, globally, almost 63% of the organizations feel that they may not increase their security spend if the breach did not lead to any perceived harm. 84% of the organizations believe total financial damage related to information security incidents is zero. Among organizations that have been hit by an incident over the past year, only 13% say the compromise was discovered by their security center.
Organisations need to understand that a cyberattack or a data breach today does not only mean financial impact; it can seriously damage brands, erode customer confidence, violate compliance mandates and weaken the ability to generate revenue. With such high stakes, organisations need to make cybersecurity an integral part of the corporate DNA, focus on a cybersecurity program that is in line with the business strategy and upscale their protection and mitigation efforts.
Jaspreet Singh, Partner, Cybersecurity, EY
[Chart: Breaches discovered by. Categories: have not had a significant incident; SOC; business function; other; third party. Values as extracted: 6%, 11%, 12%, 59%, 13%.]
• 17% of organizations report a list of breaches in their information security reports
• 77% increased their cybersecurity budget after a breach impacted the organization
• 60% had no incidents (or don’t yet know about them), in contrast to 46% of the global organizations
Sector insights
According to our survey, 84% of the organizations in the consumer products and retail sector do not have a functional SOC, which reflects that the majority of the companies are unable to detect the occurrence of a cyber-attack.
03 Optimize cybersecurity
A. The status today
B. Investment priorities
C. In-house or outsourced
D. Reporting
This year’s India survey suggests that 69% of organizations are likely to be able to detect a sophisticated cyber-attack on their organization. On the other hand, the global survey suggests that 77% of organizations are seeking to move beyond putting basic cybersecurity protections in place to fine-tuning their capabilities. These organizations are continuing to work on their cybersecurity essentials, but they are also rethinking their cybersecurity framework and architecture to support the business more effectively and efficiently. Part of that effort is considering and implementing artificial intelligence, robotic process automation, analytics and more to increase the security of their key assets and data.
Questions these organizations must focus on include:
• What is our cybersecurity strategy — what are our “crown jewels”?
• What is our tolerance and appetite for risk?
• Are there any low-value activities we could do more quickly or more cheaply?
• How could technologies such as robotic process automation, artificial intelligence and data analytics tools help us?
• Where do we need to strengthen our capabilities further?
• What can we stop doing, and how do we invest the resources we free up?
At the moment, there is significant room for improvement. According to our survey, 17% of the Indian organizations (compared to only 10% of global organizations) say their information security function currently fully meets their needs — and many are worried that vital improvements are not yet underway. Meanwhile, 69% of the organizations say their information security function is at least partially meeting their needs and 70% of the organizations agree that their information security function needs improvement. Cybercriminals are raising their game, and the price of failure is high. In one recent attack, an Indian bank lost 944 million rupees (US$13.5m) after hackers installed malware on its ATM server that enabled them to make fraudulent withdrawals from cash machines [9].
In this chapter, we look at the four vital components of protecting the enterprise:
1. The status today: To what extent is an organization’s information security function currently able to meet its cybersecurity needs?
2. Investment priorities: Where is investment needed to update capabilities to the standard required?
3. In-house or outsourced? What is the best way to develop new cybersecurity capabilities and who should take the lead?
4. Reporting: How well is the organization able to evaluate its own capabilities and report back to key stakeholders?
[9] https://in.reuters.com/article/cyber-heist-india/cosmos-bank-loses-13-5-million-in-cyber-attack-idINKBN1KZ1J9
A. The status today
Is the information security function currently meeting the organization’s needs? How serious is the shortfall?
Major challenges faced by organizations that limit the value addition by the information security function include lack of skilled resources (29%), followed by budget constraints (23%), lack of quality tools for managing information security (18%) and others.
New technologies are being introduced every day, often outpacing the ability to properly assess the associated risks. There is a need for bolder strategies and innovation in cybersecurity, but the challenge remains in the preparation and in building a response to the security risks we have not faced yet. Organizations’ ability to test their skill in a simulation of how a skilled and motivated cyber threat actor would target an organization can play an important role in preparing for the next wave of threats.
Mini Gupta, Partner, Cybersecurity, EY
[Chart: Does the information security function meet the organization’s needs? Categories: partially and plans to improve; fully meets needs; to be improved; partially but no plans to improve; does not meet needs. Values as extracted: 1%, 12%, 14%, 56%, 17%.]
• 17% of organizations have information security functions that fully meet their needs
• 53% are spending more on cyber analytics
• 28% would be unlikely to detect a sophisticated breach, in contrast to 38% of the global organizations
Sector insights
According to our survey, 43% of the organizations in the technology sector, 44% of the organizations in the media sector and 50% of the organizations in the power and utilities sector have less than 2% of full-time cybersecurity employees.
B. Investment priorities
Where are the gaps? Where are resources needed most urgently?
Better incident-response planning and execution is one important area where more organizations now need to optimize their capabilities. Forensics is a particular area of weakness and this undermines organizations’ ability to understand what has gone wrong and to improve protections.
It doesn’t matter if threat actors use a unique zero day or not. What matters is how fast a successful breach is spotted and how well an organization reacts. This can be a crucial factor in every organization’s journey and help them carefully address cybersecurity capability gaps.
Kartik Shinde, Partner, Cybersecurity, EY
[Chart: Priorities for improvement when a breach occurs: how organizations perform (well / not well). Categories: identification of breach; crisis management; communication internally; communication externally; forensics; returning to business as usual. Values as extracted: 78%, 74%, 67%, 79%, 73%, 54%, 33%, 26%, 27%, 22%, 46%, 21%.]
• 21% of organizations have cyber insurance that meets their needs
• <10% believe they are mature on:
•• Data protection
•• Operations
•• Governance and organization
•• Policy and standard framework
•• Network security
•• Threat and vulnerability management
Sector insights
According to our survey, almost 75% of the organizations in the power and utilities sector have reported an absence of adequate or formal programs for threat intelligence, vulnerability identification, breach detection, incident response.
C. In-house or outsourced?
How do organizations improve their capabilities quickly? What should they do for themselves and where do they need to look outside for help?
While digital transformation is the catalyst for the proliferation of more services, experiences and benefits to customers, it also brings more risks along with increased revenues. Innovative developments and new business models provide additional entry points for cyber-attacks, while emerging technologies, such as the internet of things (IoT), blockchain and Artificial Intelligence, bring along new threat vectors which organisations need to identify, build protection capabilities from the beginning and continue to innovate.
Prashant Choudhury, Partner, Cybersecurity, EY
Which of the following security functions are you performing in-house or are you outsourcing?
• Security monitoring: 72% in-house, 28% outsourced
• Vulnerability assessment: 38% in-house, 62% outsourced
• Self-phishing: 55% in-house, 45% outsourced
• Vendor risk management: 73% in-house, 27% outsourced
• Identity and access management: 80% in-house, 20% outsourced
• Data protection/DLP: 79% in-house, 21% outsourced
• One-time exercises (e.g., setting up ISMS): 58% in-house, 42% outsourced
• Consultancy-specific information security activities: 31% in-house, 69% outsourced
69% of organizations outsource their consultancy-specific information security activities.
[Chart: Which functions of your security operations centre are outsourced? (in-house / outsourced). Categories: real-time network security monitoring; digital and malware forensics; threat intelligence collection and feeds; threat intelligence analysis; cybersecurity exercise creation and delivery; vulnerability exercise creation and delivery; penetration testing; incident investigation. Values as extracted: 68%, 33%, 45%, 55%, 43%, 57%, 50%, 50%, 40%, 60%, 44%, 56%, 36%, 64%, 60%, 40%.]
68% of organizations have in-house function for incident investigation.
D. Reporting
Is the organization gathering information on cybersecurity capabilities and incidents? How is this being reported to stakeholders?
According to the survey, 21% of the Indian organizations say their information security reporting currently fully meets their expectations. However, only 15% of the global organizations believe their information security reporting currently fully meets their expectations.
[Chart: Effectiveness of the organization’s information security reports. Categories: I do not receive reports; reports do not meet expectations; reports meet some expectations; reports meet all my expectations. Callouts: organizations that cite the number of attacks in their information security reports; organizations that set out the financial impact of each breach. Values as extracted: 5%, 15%, 21%, 16%, 7%, 56%.]
18% report on areas for improvement.
04 Enable growth
A. Strategic oversight
B. Leadership
C. Digitization
D. Emerging technologies
Organizations are going through a process of digital transformation. The nature of each transformation varies depending on the organization, but they will all have one or more of the following components: online sales/support to customers, supply chain integrations, application of robotic process automation, artificial intelligence, blockchain and analytics, business model disruption, and workplace innovation. Organizations are now convinced that looking after cyber risk and building in cybersecurity from the start are imperative to success in the digital era. The focus now should also be on how cybersecurity will support and enable enterprise growth. The aim? To integrate and embed security within business processes from the start and build a more secure working environment for all. Security-by-design should be a key principle as emerging technologies move center stage. To achieve these goals, organizations will need an innovative cybersecurity strategy rather than responding in a piecemeal and reactive way. The customer experience must be a key consideration.
Questions organizations must ask during their digital transformation:
• Is our entire supply chain secure?
• How do we design and build new channels that are secure by design?
• Where does cybersecurity fit into our digital transformation-enabled business model?
• Could strong privacy and data protection be a potential competitive differentiator?
• How focused on cybersecurity is our board as it pursues its digital ambitions for the organization?
• How are our most senior executives taking ownership of and showing leadership on cybersecurity?
• Do we have sufficient focus on cybersecurity in our entire eco-system?
Based on this year’s survey, however, only a small number of organizations are concerned about the vulnerabilities to which emerging technologies are now exposing them. This is worrisome — not least because these technologies are also available to attackers. Security researchers have also pointed to the potential for artificial intelligence to be used in developing malware. But there is also good news. Many organizations now regard emerging technologies as a high priority for cybersecurity spending. That includes cloud, which is a much more established technology for most organizations, but also areas such as robotic process automation, machine learning, and artificial intelligence — and even the Internet of Things. Nonetheless, in most cases organizations do not yet intend to spend more on protecting themselves in these areas. In India, cybersecurity analytics is marked out for additional spending by a clear majority of organizations, whereas cloud is the additional key spending area for global organizations.
In this chapter, we look at the four vital components of making cybersecurity part of the growth strategy:
1. Strategic oversight: To what extent do boards charged with pursuing digital transformation appreciate the need to build cybersecurity into their growth strategies?
2. Leadership: Who are digital organizations asking to take the lead on cybersecurity, and how is accountability delivered?
3. Digitalization: As organizations make greater use of digital technologies, how much does this increase cybersecurity vulnerabilities?
4. Emerging technologies: Where are organizations increasing investment in cybersecurity to build security-by-design?
A. Strategic oversight
Does the organization have structures that make cybersecurity a key element of the board’s strategic planning? Is good governance in place? Around 62% of organizations say their senior leadership has a comprehensive understanding of security or is taking positive steps to improve their understanding.

19% of organizations say that information security fully influences business strategy plans on a regular basis.
44% say that security influences business strategy plans somewhat or not at all.

[Chart: Does the board/executive management team have a comprehensive understanding of information security to fully evaluate cyber risks and preventive measures? Response categories: Yes; Limited; No, and no plans to improve; No, but trying to improve. Values shown: 16%, 2%, 46%, 32%.]
Sector insights: According to our survey, 75% of the organizations in the consumer products and retail sector and 80% of the organizations in the automotive and transportation sector believe that their board/executive management do not have a comprehensive understanding of information security to fully evaluate the cyber risks the company is facing and measures deployed to mitigate them.
B. Leadership
Who is ultimately accountable for cybersecurity? How do they show the leadership that drives leading practices across the organization? The ultimate responsibility for information security is increasingly held at the most senior levels of the company. In India, 46% of the organizations stated that the person directly responsible for security is a board member or from executive management. Globally, four in 10 organizations (40%) say that the person with ultimate responsibility is a member of the board or executive management. As security becomes a key enabler of growth, this proportion is likely to increase. Right now, smaller organizations are more likely to have information security accountability at board level than larger organizations.

54% of organizations say that the person directly responsible for information security is not a board member.

[Chart: Does the board/executive management team have a comprehensive understanding of information security to fully evaluate cyber risks and preventive measures? Response categories: Yes; Limited; No, and no plans to improve; No, but trying to improve. Values shown: 16%, 2%, 46%, 32%.]
Sector insights According to our survey, 90% of the organizations in the consumer products and retail sector do not have a direct representation for information security at the board level.
C. Digitalization
As organizations pursue transformation, how does it increase their risk profile? What threats do new technologies pose?

Risks associated with growing use of mobile devices
• Poor user awareness and behavior: 27%
• The loss of a smart device: 20%
• Hijacking of devices: 11%
• Organized cyber criminals sell hardware with Trojans or backdoors already installed: 10%
• Network engineers cannot patch vulnerabilities fast enough: 8%
• Hardware interoperability issues of devices: 8%
• Devices do not have the same software running on them: 8%
• Other: 8%

Risks associated with growing use of mobile devices
• Lack of skilled resources: 13%
• Identifying suspicious traffic over the network: 11%
• Finding hidden or unknown zero-day attacks: 10%
• Ensuring that the implemented security controls are meeting the requirements of today: 10%
• Knowing all your assets: 9%
• Keeping the high number of IoT connected devices updated with the latest version of software: 8%
• Tracking the access to data in your organization: 8%
• Managing the growth in access points to your organization: 7%
• Lack of executive awareness or support: 6%
• Defining and monitoring the perimeters of your business's ecosystem: 5%
• Other: 13%

[Callouts: "... of organizations say that smartphones have most increased their weaknesses"; "... are most concerned about the Internet of Things". Figures shown alongside: 4%, 8%.]
D. Emerging technologies
Where to prioritize investment from a cybersecurity perspective? How to promote security-by-design?

[Chart: Priorities for cybersecurity investment this year, rated High priority / Medium priority / Low priority, for Cloud computing, Cybersecurity analytics, Mobile computing, Machine learning, Artificial intelligence, Biometrics, Blockchain, Internet of things and Robotic process automation.]

[Chart: Spending compared to last year (More / Same / Less) for Cybersecurity analytics, Mobile computing, Internet of things, Cloud computing, Robotic process automation, Machine learning, Artificial intelligence, Biometrics and Blockchain.]
Securing cloud infrastructure remains a high priority area for respondents in India. 54% of organizations are focusing on this aspect compared with 51% last year. Further, technologies such as Artificial Intelligence and Machine Learning continue to be focus areas for security investment. Investments in the security of mobile computing and Blockchain have gained traction as compared to the previous year.
05 The results in summary — and action points for improvement
Protect the enterprise

Governance
Summary: Investments in cybersecurity increasing but not at par with the rise in cyber-attacks in the country.
Next steps: Cybersecurity needs to be in the DNA of the organization, start by making it an integral part of the business strategy.

What is at stake?
Summary: Malware and phishing underpin a large number of successful attacks, the GISS shows that organizations see them as the biggest threats.
Next steps: Build awareness around phishing and malware — become “click-smart”. Technology can help with phishing/malware email simulations.

Protection
Summary: Organizations are potentially connected with thousands of third parties; they are therefore more dependent on the security measures taken by those third parties.
Next steps: Focus the security strategy and program on the entire eco-system of the organization: what threats will hurt us because of the lack of security at our third parties? Do we want to continue working with unsecure third parties? How can we help them?

Breaches
Summary: Most organizations increase their cybersecurity budget after they have experienced a breach impacting them. In most cases, breaches are not identified by the organization.
Next steps: Increase cybersecurity budgets now (instead of after the attack) and focus on the spend on threat detection and response. This will lower risk profiles significantly.
Optimize cybersecurity

The status today
Summary: Most organizations have cybersecurity functions that do not fully meet their needs; more than half of the organizations are investing in analytical capabilities as a first step.
Next steps: Consider investments in analytical capabilities, especially when this enhances threat detection and improves awareness in the boardroom.

Investment priorities
Summary: Investments are required in Identity and access management and reporting function. For many organizations, forensics is a potential green field.
Next steps: It may be difficult to quickly build up forensic capabilities in house. Instead look to build a relationship with an outside vendor with these capabilities; have them available for when a breach occurs.

In house or outsourced
Summary: Majority of organizations are currently outsourcing cybersecurity functions, including functions of their security operations centers.
Next steps: Focus on where investment will be most effective, balancing the resources available in-house with the capabilities of external suppliers.

Reporting
Summary: Most organizations are not satisfied with their reporting on security operations or security breaches.
Next steps: Be more open around security operations (what we have done, where the gaps are, where we have breakdowns); this will help boost understanding of the threats and encourage the organization to take appropriate action.
Enable growth

Strategic oversight
Summary: Strategic oversight needs improvement. The executive management in five of 10 organizations has limited or no understanding of cybersecurity.
Next steps: This is a huge step forward; put cybersecurity at the heart of corporate strategy.

Leadership
Summary: Currently, in three of 10 organizations, board members are taking ultimate responsibility for cybersecurity.
Next steps: Cybersecurity must be an ongoing agenda item for all executive and nonexecutive boards. Look to find ways to encourage the board to be more actively involved in cybersecurity.

Digitalization
Summary: The threats related to the use of smart phones, the Internet of Things and operational technology are not yet well understood. Only a small number of organizations name these areas as high risk areas.
Next steps: Focus on cybersecurity as part of digital transformation strategy. The success of many digital projects will depend on establishing trust with customers.

Emerging technologies
Summary: The GISS shows many organizations are thinking about how emerging technologies can help with further optimizing cybersecurity. However, the investments in emerging technology are not increasing.
Next steps: Continue the focus on emerging technologies. Cyber criminals are also investing here, in artificial intelligence, for example. Resist the temptation to scale back investment in these key technology areas.
06 Survey methodology

The 21st edition of EY Global Information Security Survey 2018-19 – India Report captures the responses of over 230 C-suite leaders and information security and IT executives/managers, representing many of the world’s largest and most recognized global organizations. The research was conducted between April-July 2018.
Respondents by position
• CIO/IT Director: 30%
• CISO: 23%
• C-Suite: 5%
• CRO: 2%
• Internal Audit Director: 0%
• Others: 40%

Respondents by number of employees
• Less than 500: 26%
• 501-1000: 12%
• 1001-5000: 28%
• 5001-10000: 11%
• 10001-15000: 6%
• 15001-20000: 3%
• 20001-25000: 1%
• More than 25000: 12%

[Chart: Respondents by total annual revenue (in US$). Categories: Less than US$10 million; US$10 million to US$100 million; US$100 million to US$1 billion; US$1 billion to US$10 billion; US$10 billion or more.]

[Chart: Respondents by industry sector cluster. Categories: Government and Public Sector and Health; Consumer & Mobility; Financial Services; Energy; TMT.]

[Chart: Respondents by primary industry. Categories: Banking & Capital Markets; Media & Entertainment; Insurance; Automotive & Transportation; Consumer Products & Retail; Real Estate Hospitality & Construction; Government & Public Sector; Power & Utilities; Technology; Oil & Gas; Life Sciences; Telecommunications; Professional Firms & Services; Health; Mining & Metals.]
Contacts: Rohit Mathur Risk Advisory Leader, EY Email: Rohit.Mathur@in.ey.com
Kartik Shinde Partner – Cyber Security, EY Email: Kartik.Shinde@in.ey.com
Guru Malladi Partner – Advisory, EY Email: Guru.Malladi@in.ey.com
Mini Gupta Partner – Cyber Security, EY Email: Mini.Gupta@in.ey.com
Murali Rao Partner – Cyber Security, EY Email: Murali.Rao@in.ey.com
Prashant Choudhary Partner – Cyber Security, EY Email: Prashant.Choudhary@in.ey.com
Burgess Cooper Partner – Cyber Security, EY Email: Burgess.Cooper@in.ey.com
Tiffy Isaac Partner – Cyber Security, EY Email: Tiffy.Isaac@in.ey.com
Jaspreet Singh Partner – Cyber Security, EY Email: Jaspreet.Singh@in.ey.com
Vidur Gupta Partner – Cyber Security, EY Email: Vidur.Gupta@in.ey.com
Ernst & Young LLP
EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in. Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016

© 2019 Ernst & Young LLP. Published in India. All Rights Reserved.
EYIN1902-003 ED None

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor. JS