
Is cyber security at the heart of your business strategy? Survey by EY India

In this Information Security Survey by EY India, read about the future state of cyber security, optimization of cyber security and how cyber security can help in enabling growth. Download pdf now or visit https://www.ey.com/in/en/services/advisory/advisory---cybersecurity

BhavyaBedha

Presentation Transcript


  1. Is cyber security at the heart of your business strategy? EY Global Information Security Survey (GISS) 2018-19 – India edition

  2. Contents
     1. The future state of cybersecurity
     2. Protect the enterprise
     3. Optimize cybersecurity
     4. Enable growth
     5. The results in summary — and action points for improvement
     6. Survey methodology

  3. Introduction
     In recent years, we have realized the menace cyber-attackers can create for any organization operating in this data-driven and connected world. Cyber-attacks are a real threat to society, businesses and governments, all at the same time. Today, cybersecurity has become a boardroom concern for organizations across verticals, revenue bands and geographies due to the rising costs of cyberattacks and their broadening scope. Cyberattacks are no longer restricted to a few sectors, but have far-reaching impact across sectors, as witnessed during the WannaCry and NotPetya attacks of 2017 and Meltdown and Spectre of 2018. Governments are focused on strengthening their regulations to force data owners to exercise their responsibility to protect the privacy of data. Globally, there has been a 600% rise in the number of cyber-attacks on IoT devices. India was the second most affected country by targeted attacks during the last few years, after the USA. Nowadays, attackers are getting increasingly sophisticated with the use of machine learning, which increases the sophistication of the attacks; IoT botnets are also used as launch pads to create a domino effect. Organizations need to realize the need to join hands to share data, anticipate the next attack and reduce the impact of cyber attackers. Organizations need to be ready to detect an incident, respond in a timely manner and address the challenge. In the 21st EY Global Information Security Survey (GISS), we discovered that a majority of the companies are focusing on cybersecurity and plan to increase their annual cybersecurity budgets to protect themselves. Cybersecurity needs to be in the DNA of the organization. Companies need to increase cybersecurity budgets now (instead of as a reaction to an attack) and focus the spend on threat detection and response. This will lower risk profiles significantly. All this is achievable when cybersecurity is made part of the digital transformation and is part of strategic oversight. It is going to be an ongoing process which needs to go hand in hand with the technological enhancements.
     Rohit Mathur, India Advisory Risk Leader

  4. Foreword
     Welcome to the 21st EY Global Information Security Survey (GISS) exploring the most important cybersecurity issues facing organizations today. This year, we are delighted that more than 230 respondents from across multiple sectors in India have taken the time to participate in our research. EY analysis of the responses from CIOs, CISOs and other executives shows that many organizations are increasing the resources they devote to cybersecurity, but they remain deeply concerned about the scale and severity of the threat. Moreover, the objective for all organizations should be to not only protect the enterprise with good cybersecurity hygiene and basic lines of defense, but also to optimize the response with more advanced tools and strategies. As digital transformation proceeds, cybersecurity must be an enabling function rather than a block to innovation and change. This year’s GISS explores these themes in more detail. By sharing ideas and leading practices, we can improve cybersecurity for all.
     Pulse of the Survey
     • Majority (70%) of the organizations plan to increase their cybersecurity budgets.
     • 69% of the firms outsource their consultancy-specific information security activities and more than half of the organizations are spending more on cyber analytics.
     • 46% of the management teams have a comprehensive understanding of information security.
     • Organizations see careless/unaware employees as the biggest vulnerability.
     Guru Malladi, India Risk Technology Leader
     [1] “Internet Security Threat Report”, Symantec, April 2018

  5. Digitization has a positive impact overall on the country, and the government’s focus on driving digital inclusion for empowerment has ensured that citizens in even the remotest of places have found their way into the mainstream. However, to ensure such sustained growth we need to strategize adequate cybersecurity protection around our digital initiatives. Cyber-attacks and cyber fraud have increased exponentially in the last few years and every individual or organization is a target. The need of the hour is to enable and foster a cyber-secure culture and ecosystem. The Government on its part has taken a number of initiatives in this direction; however, the involvement of each citizen and all organizations to make it a collective and coordinated movement is a must for the success of a cyber-secure ecosystem.
     Dr. Gulshan Rai, National Cyber Security Coordinator, National Security Council, Prime Minister’s Office

  6. The Cyber Security journey of organizations across different verticals has been experiencing a substantial shift, and the Survey offers insights on the same. Attention to Cyber Security at the highest echelons of Government and Enterprises is significantly on the rise. Given that Cyber Risk is now a core Country and Enterprise risk, Industry is stepping up its capabilities and we are witnessing the ecosystem of both Product and Services companies scale up to meet the demand. We need to invest more in Skills Development in all the emerging disciplines of cyber security, and innovation and R&D Budgets for cyber security to gear up our preparedness.
     Rama Vedashree, Chief Executive Officer, Data Security Council of India (DSCI)

  7. 01 The future state of cybersecurity
     With the rise in digital movement, there is an exponential increase in data generation as more and more transactions are taking place on digital platforms. The country is facing cybersecurity issues in managing digitalization. This year’s India edition of the EY Global Information Security Survey shows cybersecurity continuing to gain importance on the board’s agenda. Organizations are planning to spend more on cybersecurity, devoting increasing resources to improving their defenses and working harder to embed security-by-design.

  8. It’s not easy ... do you recognize this?
     • 6,95,000: The number of cyber-attacks identified in India between January-June 2018 [2]
     • 188 days: The mean time to identify a data breach in 2017 [3]
     • 3rd Rank: India ranked third after US and China as the most vulnerable country in terms of risk of cyber threats in 2017 [4]
     • US$1.7m: The average cost of a data breach in 2017 [5]
     • 783%: The increase in data theft incidents in 2017 over 2016 [6]
     • 1st Rank: India tops globally with the highest number of detected spam-bot [7]
     However, the survey results also suggest that organizations need to do more. More than three-quarters (81%) of organizations do not yet have a sufficient budget to provide the levels of cybersecurity and resilience they want. Protections are patchy, relatively few organizations are prioritizing advanced capabilities, and cybersecurity too often remains siloed or isolated.
     The challenge is for organizations to progress on three fronts:
     1. Protect the enterprise: Focus on identifying assets and building lines of defense.
     2. Optimize cybersecurity: Focus on stopping low-value activities, increasing efficiency and reinvesting the funds in emerging and innovative technologies to enhance existing protection.
     3. Enable growth: Focus on implementing security-by-design as a key success factor for the digital transformations that most organizations are now going through.
     These three imperatives must be pursued simultaneously. The frequency and scale of the security breaches all around the world show that too few organizations have implemented even basic security.
     However, even as they seek to catch up, organizations must also move forward, fine-tuning existing defenses to optimize security and support their growth. As the digital transformation agenda forces organizations to embrace emerging technologies and new business models — often at pace — cybersecurity needs to be a key enabler of growth.
     [2] “India witnessed over 6.95 lakh cyberattacks from Russia, US, others in January-Jun: F-Secure”, Economic Times, November 2018
     [3] “2018 Cost of Data Breach Study”, IBM Security and Ponemon Institute, July 2018
     [4] “2018 Cost of Data Breach Study”, IBM Security and Ponemon Institute, July 2018
     [5] “Data theft increased by 783% in India in 2017”, Business Today, May 2018
     [6] “Internet Security Threat Report”, Symantec, April 2018
     [7] “The World’s Worst Botnet Countries”, Spamhaus Project

  9. 02 Protect the enterprise
     A. Governance
     B. What is at stake?
     C. Protection
     D. Breaches

  10. One overarching problem is skill shortages: estimates identify that about three million cyber security professionals are required in the country but the supply is not even one million for now [8]. Even in the well-resourced sectors, organizations are struggling to recruit the expertise they need. Our analysis suggests that a large number (69%) of organizations are still spending a very limited portion of their overall IT budget for cybersecurity and resilience. They may not even have a clear picture of what and where their most critical information and assets are — nor have adequate safeguards to protect these assets.
     The lack of availability of knowledgeable professionals is the biggest impediment for organizations across sectors. Diversity is a business imperative. Diverse teams drive better results across the organization. They are more innovative, objective and collaborative. That’s critical in cybersecurity where every day is a fight to stay a step ahead of the attackers. Industry bodies in India have undertaken few measures to encourage women to consider cybersecurity careers.
     That is why it is important for most organizations to continue to zero in on the very basics of cybersecurity. They should first identify the key data and intellectual property (the “crown jewels”), then review the cybersecurity capabilities, access-management processes, and other defenses, and finally upgrade the shield that protects the company.
     In this chapter, we look at the four vital components of protecting the enterprise:
     1. Governance: Organizations should address the extent to which cybersecurity is an integral part of the strategy of the organization, and whether there is enough funding for the necessary investment in defense.
     2. What is at stake? What do organizations fear the most and how do they regard the biggest threats they are facing?
     3. Protection: The maturity of the cybersecurity of an organization and the most common vulnerabilities are key.
     4. Breaches: How breaches are identified and the way in which organizations respond are critical issues.
     Questions that organizations must consider:
     • What are our most valuable information assets?
     • Where are our most obvious cybersecurity weaknesses?
     • What are the threats we are facing?
     • Who are the potential threat actors?
     • Have we already been breached or compromised?
     • How does our protection compare with our competition?
     • What are our regulatory responsibilities, and do we comply with them?
     [8] “IBM India says cyber security a gold mine for jobs”, Times of India, May 2018

  11. A. Governance
     Is cybersecurity part of the strategy? And is it in the budget?
     More than half (56%) of the organizations are considering protection of the organization as an integral part of their strategy and plans.
     Digital transformation compounds the problem, as in some cases it becomes difficult to define the perimeter of the organization. The borderless nature of today’s organization makes it difficult to gather clear visibility about what lies within and what lies outside the perimeter of the organization.
     If sufficient budgets aren’t allocated, organizations could severely expose themselves to cyber threats. The good news is that cybersecurity budgets are on the rise. Around two-thirds (70%) of the organizations plan to increase their cybersecurity budgets.
     Tiffy Issac, Partner Cybersecurity, EY
     How organizations’ total cybersecurity budget is set to change in 12 months (this year / next year):
     • Increased by more than 25%: 7% / 12%
     • Increased between 15% and 25%: 16% / 27%
     • Increased between 5% and 15%: 34% / 30%
     • Stayed approximately the same (between +5% and -5%): 40% / 28%
     • Decreased between 5% and 15%: 3% / 3%
     Key figures:
     • 44% of organizations do not consider information security as an influencer for their business strategy and plans
     • 57% have seen an increase in their budget this year
     • 70% foresee an increase in their budget next year
     • 41% say that less than 2% of their total IT headcount work solely in cybersecurity
     Sector insights
     According to our survey, to better protect against emerging threats, 25%-50% of additional funding is required over the existing security budget by all (100%) of telecom organizations, most (92%) of technology organizations, and a majority (58%) of power and utilities organizations. However, 75% of the organizations in consumer products and retail have identified that more than 50% of additional funding over the existing security budget is required.

  12. B. What is at stake?
     What is the biggest fear? And what are the biggest threats?
     What is most valuable?
     It can be noted that customer information, financial information and strategic plans make up the top three most valuable information that organizations would like to protect. Board member information and R&D information follow closely after the top three listings. Supplier information lands at the 10th place in the list, highlighting the requirement to protect the supply chain.
     What are the biggest threats?
     Most successful cyber breaches contain “malware” as the starting point, followed by “phishing”. Attacks focused on disruption rank in third place on the list, followed by attacks with a focus on stealing money. Although there has been quite a lot of discussion about insider threats and state-sponsored attacks, the fear of internal attacks shows up as number eight on the list; natural disasters rank bottom of the list.
     Disruptive innovations and the digital transformation of businesses and governments are exponentially enhancing cyber-risks not just in the financial services sector but across industries. Owing to which, it is critical to lay greater impetus on addressing the response gap, which is the difference between the abilities of the attackers and the response capabilities of the organization. While newer technologies like AI and Blockchain are gaining ground in helping companies put better defence mechanisms in place, it’s important to note that these are not a substitute for the traditional building blocks of security, i.e. hardening, effective patch & vulnerability management. As digital transformation gains ground and enterprises increasingly ramp up digital capabilities, cybersecurity strategy must match steps with the business.
     Burgess Cooper, Partner Cybersecurity, EY
     Top 10 most valuable information to cyber criminals:
     1. Customer information (17%)
     2. Financial information (13%)
     3. Strategic plans (12%)
     4. Board member information (11%)
     5. R&D information (11%)
     6. Customer passwords (10%)
     7. Intellectual property (9%)
     8. M&A information (6%)
     9. Non-patented IP (5%)
     10. Supplier information (5%)
     Top 10 biggest threats to organizations:
     1. Malware (22%)
     2. Phishing (15%)
     3. Cyberattacks (to disrupt) (15%)
     4. Cyberattacks (to steal money) (11%)
     5. Cyberattacks (to steal IP) (10%)
     6. Fraud (8%)
     7. Spam (7%)
     8. Internal attacks (5%)
     9. Espionage (4%)
     10. Natural disasters (3%)
     Key figures:
     • 17% of organizations say their biggest fear is the loss of customers’ information
     • 22% see malware as the biggest threat
     • 3% rank natural disasters as a threat

  13. C. Protection
     What are the riskiest vulnerabilities? How mature is cybersecurity?
     Vulnerabilities increase when it comes to third parties. 20% of organizations have taken basic steps to protect against threats coming through third parties; 18% are aware of the risks through self-assessments or other certifications, while globally the awareness is slightly higher with 36% of companies being aware of the risks through self-assessments; and 10% through independent external assessments. However, 17% of organizations still rate their internal third-party management process as non-existent for security management in terms of maturity.
     Hackers have time and again proven their ability to penetrate deep inside organizations and to launch sophisticated strikes as well as covert campaigns. The last year saw some of the most intriguing cases of cyber threats coming to life. Hackers continue to play on the gullibility of users and have found newer means of stealing information.
     Vidur Gupta, Partner Cybersecurity, EY
     Vulnerabilities with the most increased risk exposure over the past 12 months:
     • Careless or unaware employees: 32%
     • Outdated security controls: 21%
     • Unauthorized access: 19%
     • Related to cloud-computing use: 8%
     • Related to smartphones/tablets: 8%
     • Related to social media: 8%
     • Related to the internet of things: 4%
     Key figures:
     • 32% of organizations see careless/unaware employees as the biggest vulnerability
     • 46% have no program, or an informal program, for one or more of the following: threat intelligence, vulnerability identification, breach detection, incident response, data protection, identity and access management
     Sector insights
     According to our survey, 87% of the organizations in the technology sector and 70% of the organizations in the telecom sector have put careless employees as the most likely source of attack, with the fear of losing their most valuable information, i.e., customers’ PII (Personal Identifiable Information), due to employee unawareness.

  14. D. Breaches
     How are breaches identified? How do organizations respond?
     Organizations agreed that the biggest motivator for them to step up their cybersecurity practices or spend more money would be some sort of breach or incident that caused very negative impacts. According to the survey, 39% of respondents perceived that a breach where no harm was caused would not lead to higher spending. In contrast to this, globally, almost 63% of the organizations feel that they may not increase their security spend if the breach did not lead to any perceived harm. 84% of the organizations believe total financial damage related to information security incidents is zero. Among organizations that have been hit by an incident over the past year, only 13% say the compromise was discovered by their security center.
     Organisations need to understand that a cyber-attack or a data breach today does not only mean financial impact; it can seriously damage brands, erode customer confidence, violate compliance mandates and weaken the ability to generate revenue. With such high stakes, organisations need to make cybersecurity an integral part of the corporate DNA, focus on a cybersecurity program that is in line with the business strategy and upscale their protection and mitigation efforts.
     Jaspreet Singh, Partner Cybersecurity, EY
     [Chart: Breaches discovered by. Categories: Have not had a significant incident, SOC, Business function, Other, Third party. Values shown: 6%, 11%, 12%, 59%, 13%]
     Key figures:
     • 17% of organizations report a list of breaches in their information security reports
     • 77% increased their cybersecurity budget after a breach impacted the organization
     • 60% had no incidents (or don’t yet know about them), in contrast to 46% of the global organizations
     Sector insights
     According to our survey, 84% of the organizations in consumer products and retail do not have a functional SOC, which reflects that the majority of the companies are unable to detect the occurrence of a cyber-attack.

  15. 03 Optimize cybersecurity
     A. The status today
     B. Investment priorities
     C. In-house or outsourced
     D. Reporting

  16. At the moment, there is significant room for improvement. According to our survey, 17% of the Indian organizations (compared to only 10% of global organizations) say their information security function currently fully meets their needs — and many are worried that vital improvements are not yet underway.
     This year’s India survey suggests that 69% of organizations are likely to be able to detect a sophisticated cyber-attack on their organization. On the other hand, the global survey suggests that 77% of organizations are seeking to move beyond putting basic cybersecurity protections in place to fine-tuning their capabilities.
     While 69% of the organizations say their information security function is at least partially meeting their needs, 70% of the organizations agree that their information security function needs improvement. These organizations are continuing to work on their cybersecurity essentials, but they are also rethinking their cybersecurity framework and architecture to support the business more effectively and efficiently. Part of that effort is considering and implementing artificial intelligence, robotic process automation, analytics and more to increase the security of their key assets and data.
     Cybercriminals are raising their game, and the price of failure is high. In one recent attack, an Indian bank lost 944 million rupees (US$13.5m) after hackers installed malware on its ATM server that enabled them to make fraudulent withdrawals from cash machines [9].
     In this chapter, we look at the four vital components of protecting the enterprise:
     1. The status today: To what extent is an organization’s information security function currently able to meet its cybersecurity needs?
     2. Investment priorities: Where is investment needed to update capabilities to the standard required?
     3. In-house or outsourced? What is the best way to develop new cybersecurity capabilities and who should take the lead?
     4. Reporting: How well is the organization able to evaluate its own capabilities and report back to key stakeholders?
     Questions these organizations must focus on include:
     • What is our cybersecurity strategy — what are our “crown jewels”?
     • What is our tolerance and appetite for risk?
     • Are there any low-value activities we could do more quickly or more cheaply?
     • How could technologies such as robotic process automation, artificial intelligence and data analytics tools help us?
     • Where do we need to strengthen our capabilities further?
     • What can we stop doing, and how do we invest the resources we free up?
     [9] https://in.reuters.com/article/cyber-heist-india/cosmos-bank-loses-13-5-million-in-cyber-attack-idINKBN1KZ1J9

  17. A. The status today
     Is the information security function currently meeting the organization’s needs? How serious is the shortfall?
     Major challenges faced by the organizations that limit the value addition by the information security function include lack of skilled resources (29%), followed by budget constraints (23%), lack of quality tools for managing information security (18%) and others.
     New technologies are being introduced every day, often outpacing the ability to properly assess the associated risks. There is a need for bolder strategies and innovation in cybersecurity, but the challenge remains in the preparation and in building a response to the security risks we have not faced yet. Organizations’ ability to test their skill in a simulation of how a skilled and motivated cyber threat actor would target an organization can play an important role in preparing for the next wave of threats.
     Mini Gupta, Partner Cybersecurity, EY
     [Chart: Does the information security function meet the organization’s needs? Categories: Partially and plans to improve, Fully meets needs, To be improved, Partially but no plans to improve, Does not meet needs. Values shown: 1%, 12%, 14%, 56%, 17%]
     Key figures:
     • 17% of organizations have information security functions that fully meet their needs
     • 53% are spending more on cyber analytics
     • 28% would be unlikely to detect a sophisticated breach, in contrast to 38% of the global organizations
     Sector insights
     According to our survey, 43% of the organizations in the technology sector, 44% of the organizations in the media sector and 50% of the organizations in the power and utilities sector have less than 2% of full-time cybersecurity employees.

  18. B. Investment priorities
     Where are the gaps? Where are resources needed most urgently?
     Better incident-response planning and execution is one important area where more organizations now need to optimize their capabilities. Forensics is a particular area of weakness and this undermines organizations’ ability to understand what has gone wrong and to improve protections.
     It doesn’t matter if threat actors use a unique zero day or not. What matters is how fast a successful breach is spotted and how well an organization reacts. This can be a crucial factor in every organization’s journey and help them carefully address cybersecurity capability gaps.
     Kartik Shinde, Partner Cybersecurity, EY
     [Chart: Priorities for improvement when a breach occurs: How organizations perform. Categories: Identification of breach, Crisis management, Communication internally, Communication externally, Forensics, Returning to business as usual. Legend: Well, Not well. Values shown: 79%, 78%, 74%, 73%, 67%, 54%, 46%, 33%, 27%, 26%, 22%, 21%]
     Key figures:
     • 21% of organizations have cyber insurance that meets their needs
     • <10% believe they are mature on: data protection, governance and organization, network security, operations, policy and standard framework, threat and vulnerability management
     Sector insights
     According to our survey, almost 75% of the organizations in the power and utilities sector have reported an absence of adequate or formal programs for threat intelligence, vulnerability identification, breach detection, incident response.

  19. C. In-house or outsourced?
     How do organizations improve their capabilities quickly? What should they do for themselves and where do they need to look outside for help?
     While digital transformation is the catalyst for the proliferation of more services, experiences and benefits to customers, it also brings more risks along with increased revenues. Innovative developments and new business models provide additional entry points for cyber-attacks, while emerging technologies, such as the internet of things (IoT), blockchain and Artificial Intelligence, bring along new threat vectors which organisations need to identify, build protection capabilities from the beginning and continue to innovate.
     Prashant Choudhury, Partner Cybersecurity, EY
     Which of the following security functions are you performing in-house or are you outsourcing?
     • Security monitoring: 72% in-house, 28% outsourced
     • Vulnerability assessment: 38% in-house, 62% outsourced
     • Self-phishing: 55% in-house, 45% outsourced
     • Vendor risk management: 73% in-house, 27% outsourced
     • Identity and access management: 80% in-house, 20% outsourced
     • Data protection/DLP: 79% in-house, 21% outsourced
     • One-time exercises (e.g., setting up ISMS): 58% in-house, 42% outsourced
     • Consultancy-specific information security activities: 31% in-house, 69% outsourced
     69% of organizations outsource their consultancy-specific information security activities.
     Which functions of your security operations centre are outsourced?
     • Real-time network security monitoring: 60% in-house, 40% outsourced
     • Incident investigation: 68% in-house, 33% outsourced
     • Digital and malware forensics: 45% in-house, 55% outsourced
     • Threat intelligence collection and feeds: 43% in-house, 57% outsourced
     • Threat intelligence analysis: 50% in-house, 50% outsourced
     • Cybersecurity exercise creation and delivery: 60% in-house, 40% outsourced
     • Vulnerability exercise creation and delivery: 44% in-house, 56% outsourced
     • Penetration testing: 36% in-house, 64% outsourced
     68% of organizations have an in-house function for incident investigation.

  20. D. Reporting
     Is the organization gathering information on cybersecurity capabilities and incidents? How is this being reported to stakeholders?
     According to the survey, 21% of the Indian organizations say their information security reporting currently fully meets their expectations. However, only 15% of the global organizations believe their information security reporting currently fully meets their expectations.
     Key figures:
     • 16% of organizations cite the number of attacks in their information security reports
     • 5% set out the financial impact of each breach
     • 18% report on areas for improvement
     [Chart: Effectiveness of the organization’s information security reports. Categories: I do not receive reports, Reports do not meet expectations, Reports meet some expectations, Reports meet all my expectations. Values shown: 15%, 21%, 7%, 56%]

  21. 04 Enable growth
     A. Strategic oversight
     B. Leadership
     C. Digitization
     D. Emerging technologies

  22. Based on this year’s survey, however, only a small number of organizations are concerned about the vulnerabilities to which emerging technologies are now exposing them. This is worrisome — not least because these technologies are also available to attackers. - Security researchers have also pointed to the potential for artificial intelligence to be used in developing malware. Organizations are going through a process of digital transformation. The nature of each transformation varies depending on the organization, but they will all have one or more of the following components: online sales/support to customers, supply chain integrations, application of robotic process automation, artificial intelligence, blockchain and analytics, business model disruption, and workplace innovation. But there is also good news. Many organizations now regard emerging technologies as a high priority for cybersecurity spending. That includes cloud, which is a much more established technology for most organizations, but also areas such as robotic process automation, machine learning, and artificial intelligence — and even the Internet of Things. Nonetheless, in most cases organizations do not yet intend to spend more on protecting themselves in these areas. In India, cybersecurity analytics is marked out for additional spending by a clear majority of organizations. Whereas, cloud is the additional key spending area for global organizations. Organizations are now convinced that looking after cyber risk and building in cybersecurity from the start are imperative to success in the digital era. The focus now should also be on how cybersecurity will support and enable enterprise growth. The aim? To integrate and embed security within business processes from the start and build a more secure working environment for all. Security-by- design should be key principle as emerging technologies move center stage. 
To achieve these goals, organizations will need an innovative cybersecurity strategy rather than responding in a piecemeal and reactive way. The customer experience must be a key consideration.
In this chapter, we look at the four vital components of making cybersecurity part of the growth strategy:
      1. Strategic oversight: To what extent do boards charged with pursuing digital transformation appreciate the need to build cybersecurity into their growth strategies?
      2. Leadership: Who are digital organizations asking to take the lead on cybersecurity, and how is accountability delivered?
      3. Digitalization: As organizations make greater use of digital technologies, how much does this increase cybersecurity vulnerabilities?
      4. Emerging technologies: Where are organizations increasing investment in cybersecurity to build security-by-design?
Questions organizations must ask during their digital transformation:
      • Is our entire supply chain secure?
      • How do we design and build new channels that are secure by design?
      • Where does cybersecurity fit into our digital transformation-enabled business model?
      • Could strong privacy and data protection be a potential competitive differentiator?
      • How focused on cybersecurity is our board as it pursues its digital ambitions for the organization?
      • How are our most senior executives taking ownership of and showing leadership on cybersecurity?
      • Do we have sufficient focus on cybersecurity in our entire eco-system?

  23. A. Strategic oversight Does the organization have structures that make cybersecurity a key element of the board’s strategic planning? Is good governance in place? Around 62% of organizations say their senior leadership has a comprehensive understanding of security or is taking positive steps to improve their understanding. 19% of organizations say that information security fully influences business strategy plans on a regular basis. 44% say that security influences business strategy plans somewhat or not at all. [Chart: Does the board/executive management team have a comprehensive understanding of information security to fully evaluate cyber risks and preventive measures? Response categories: Yes; Limited; No, and no plans to improve; No, but trying to improve. Values shown: 16%, 2%, 46%, 32%.] Sector insights: According to our survey, 75% of the organizations in the consumer products and retail sector and 80% of the organizations in the automotive and transportation sector believe that their board/executive management do not have comprehensive understanding of information security to fully evaluate the cyber risks the company is facing and measures deployed to mitigate them.

  24. B. Leadership Who is ultimately accountable for cybersecurity? How do they show the leadership that drives leading practices across the organization? The ultimate responsibility for information security is increasingly held at the most senior levels of the company. In India, 46% of organizations stated that the person directly responsible for security is a board member or from executive management. Globally, four in 10 organizations (40%) say that the person with ultimate responsibility is a member of the board or executive management. As security becomes a key enabler of growth, this proportion is likely to increase. Right now, smaller organizations are more likely to have information security accountability at board level than larger organizations. 54% of organizations say that the person directly responsible for information security is not a board member. [Chart: Does the board/executive management team have a comprehensive understanding of information security to fully evaluate cyber risks and preventive measures? Response categories: Yes; Limited; No, and no plans to improve; No, but trying to improve. Values shown: 16%, 2%, 46%, 32%.] Sector insights: According to our survey, 90% of the organizations in the consumer products and retail sector do not have a direct representation for information security at the board level.

  25. C. Digitalization As organizations pursue transformation, how does it increase their risk profile? What threats do new technologies pose? 8% of organizations say that smartphones have most increased their weaknesses.
      Risks associated with growing use of mobile devices: Poor user awareness and behavior 27%; The loss of a smart device 20%; Hijacking of devices 11%; Organized cyber criminals sell hardware with Trojans or backdoors already installed 10%; 8% Network engineers cannot patch vulnerabilities fast enough 4% Are most concerned about the Internet of Things; Hardware interoperability issues of devices 8%; Devices do not have the same software running on them 8%; Other 8%.
      Risks associated with growing use of mobile devices: Lack of skilled resources 13%; Identifying suspicious traffic over the network 11%; Finding hidden or unknown zero-day attacks 10%; Ensuring that the implemented security controls are meeting the requirements of today 10%; Knowing all your assets 9%; Keeping the high number of IoT connected devices updated with the latest version of software 8%; Tracking the access to data in your organization 8%; Managing the growth in access points to your organization 7%; Lack of executive awareness or support 6%; Defining and monitoring the perimeters of your business's ecosystem 5%; Other 13%.

  26. D. Emerging technologies Where to prioritize investment from a cybersecurity perspective? How to promote security-by-design? [Charts: "Priorities for cybersecurity investment this year" (high, medium and low priority) and "Spending compared to last year" (more, same, less), each covering cloud computing, cybersecurity analytics, mobile computing, Internet of things, robotic process automation, machine learning, artificial intelligence, biometrics and blockchain.] Securing cloud infrastructure remains a high priority area for respondents in India. 54% of organizations are focussing on this aspect compared with 51% last year. Further, technologies such as Artificial Intelligence and Machine Learning continue to be focus areas for security investment. Investments in the security of mobile computing and Blockchain have gained traction as compared to the previous year.

  27. 05 The results in summary — and action points for improvement

  28. Protect the enterprise: summary and next steps
      Governance. Summary: Investments in cybersecurity increasing but not at par with the rise in cyber-attacks in the country. Next steps: Cybersecurity needs to be in the DNA of the organization, start by making it an integral part of the business strategy.
      What is at stake? Summary: Malware and phishing underpin a large number of successful attacks, the GISS shows that organizations see them as the biggest threats. Next steps: Build awareness around phishing and malware — become “click-smart”. Technology can help with phishing/malware email simulations.
      Protection. Summary: Organizations are potentially connected with thousands of third parties; they are therefore more dependent on the security measures taken by those third parties. Next steps: Focus the security strategy and program on the entire eco-system of the organization: what threats will hurt us because of the lack of security at our third parties? Do we want to continue working with unsecure third parties? How can we help them?
      Breaches. Summary: Most organizations increase their cybersecurity budget after they have experienced a breach impacting them. In most cases, breaches are not identified by the organization. Next steps: Increase cybersecurity budgets now (instead of after the attack) and focus on the spend on threat detection and response. This will lower risk profiles significantly.

  29. Optimize cybersecurity: summary and next steps
      The status today. Summary: Most organizations have cybersecurity functions that do not fully meet their needs; more than half of the organizations are investing in analytical capabilities as a first step. Next steps: Consider investments in analytical capabilities, especially when this enhances threat detection and improves awareness in the boardroom.
      Investment priorities. Summary: Investments are required in Identity and access management and reporting function. For many organizations, forensics is a potential green field. Next steps: It may be difficult to quickly build up forensic capabilities in house. Instead look to build a relationship with an outside vendor with these capabilities; have them available for when a breach occurs.
      In house or outsourced. Summary: Majority of organizations are currently outsourcing cybersecurity functions, including functions of their security operations centers. Next steps: Focus on where investment will be most effective, balancing the resources available in-house with the capabilities of external suppliers.
      Reporting. Summary: Most organizations are not satisfied with their reporting on security operations or security breaches. Next steps: Be more open around security operations (what we have done, where the gaps are, where we have breakdowns); this will help boost understanding of the threats and encourage the organization to take appropriate action.

  30. Enable growth: summary and next steps
      Strategic oversight. Summary: Strategic oversight needs improvement. The executive management in five of 10 organizations has limited or no understanding of cybersecurity. Next steps: This is a huge step forward; put cybersecurity at the heart of corporate strategy.
      Leadership. Summary: Currently, in three of 10 organizations, board members are taking ultimate responsibility for cybersecurity. Next steps: Cybersecurity must be an ongoing agenda item for all executive and non-executive boards. Look to find ways to encourage the board to be more actively involved in cybersecurity.
      Digitalization. Summary: The threats related to the use of smart phones, the Internet of Things and operational technology are not yet well understood. Only a small number of organizations name these areas as high risk areas. Next steps: Focus on cybersecurity as part of digital transformation strategy. The success of many digital projects will depend on establishing trust with customers.
      Emerging technologies. Summary: The GISS shows many organizations are thinking about how emerging technologies can help with further optimizing cybersecurity. However, the investments in emerging technology are not increasing. Next steps: Continue the focus on emerging technologies. Cyber criminals are also investing here, in artificial intelligence, for example. Resist the temptation to scale back investment in these key technology areas.

  31. 06 Survey methodology The 21st edition of EY Global Information Security Survey 2018-19 – India Report captures the responses of over 230 C-suite leaders and information security and IT executives/managers, representing many of the world’s largest and most recognized global organizations. The research was conducted between April and July 2018.

  32. Respondents by number of employees: Less than 500: 26%; 501-1000: 12%; 1001-5000: 28%; 5001-10000: 11%; 10001-15000: 6%; 15001-20000: 3%; 20001-25000: 1%; More than 25000: 12%.
      Respondents by position: CIO/IT Director 30%; CISO 23%; C-Suite 5%; CRO 2%; Internal Audit Director 0%; Others 40%.
      Respondents by total annual revenue (in US$): Less than US$10 million 32%; US$10 million to US$100 million 31%; US$100 million to US$1 billion 21%; US$1 billion to US$10 billion 12%; US$10 billion or more 4%.
      Respondents by industry sector cluster: TMT 30%; Government and Public Sector and Health 30%; Consumer & Mobility 18%; Financial Services 15%; Energy 6%.
      [Chart: Respondents by primary industry. Sectors: Banking & Capital Markets; Professional Firms & Services; Telecommunications; Life Sciences; Insurance; Media & Entertainment; Technology; Government & Public Sector; Consumer Products & Retail; Oil & Gas; Power & Utilities; Real Estate Hospitality & Construction; Health; Mining & Metals; Automotive & Transportation.]

  33. Contacts: Rohit Mathur Risk Advisory Leader, EY Email: Rohit.Mathur@in.ey.com Kartik Shinde Partner – Cyber Security, EY Email: Kartik.Shinde@in.ey.com Guru Malladi Partner – Advisory, EY Email: Guru.Malladi@in.ey.com Mini Gupta Partner – Cyber Security, EY Email: Mini.Gupta@in.ey.com Murali Rao Partner – Cyber Security, EY Email: Murali.Rao@in.ey.com Prashant Choudhary Partner – Cyber Security, EY Email: Prashant.Choudhary@in.ey.com Burgess Cooper Partner – Cyber Security, EY Email: Burgess.Cooper@in.ey.com Tiffy Isaac Partner – Cyber Security, EY Email: Tiffy.Isaac@in.ey.com Jaspreet Singh Partner – Cyber Security, EY Email: Jaspreet.Singh@in.ey.com Vidur Gupta Partner – Cyber Security, EY Email: Vidur.Gupta@in.ey.com

  34. EY offices Ahmedabad 2nd floor, Shivalik Ishaan Near C.N. Vidhyalaya Ambawadi Ahmedabad - 380 015 Tel: + 91 79 6608 3800 Fax: + 91 79 6608 3900 Delhi NCR Golf View Corporate Tower B Sector 42, Sector Road Gurgaon - 122 002 Tel: + 91 124 464 4000 Fax: + 91 124 464 4050 Kolkata 22 Camac Street 3rd Floor, Block ‘C’ Kolkata - 700 016 Tel: + 91 33 6615 3400 Fax: + 91 33 6615 3750 3rd & 6th Floor, Worldmark-1 IGI Airport Hospitality District Aerocity, New Delhi - 110 037 Tel: + 91 11 4731 8000 Fax + 91 11 4731 9999 Mumbai 14th Floor, The Ruby 29 Senapati Bapat Marg Dadar (W), Mumbai - 400 028 Tel: + 91 22 6192 0000 Fax: + 91 22 6192 1000 Bengaluru 6th, 12th & 13th floor “UB City”, Canberra Block No.24 Vittal Mallya Road Bengaluru - 560 001 Tel: + 91 80 4027 5000 + 91 80 6727 5000 + 91 80 2224 0696 Fax: + 91 80 2210 6000 4th & 5th Floor, Plot No 2B Tower 2, Sector 126 NOIDA - 201 304 Gautam Budh Nagar, U.P. Tel: + 91 120 671 7000 Fax: + 91 120 671 7171 5th Floor, Block B-2 Nirlon Knowledge Park Off. Western Express Highway Goregaon (E) Mumbai - 400 063 Tel: + 91 22 6192 0000 Fax: + 91 22 6192 3000 Ground Floor, ‘A’ wing Divyasree Chambers # 11, O’Shaughnessy Road Langford Gardens Bengaluru - 560 025 Tel: +91 80 6727 5000 Fax: +91 80 2222 9914 Hyderabad Oval Office, 18, iLabs Centre Hitech City, Madhapur Hyderabad - 500 081 Tel: + 91 40 6736 2000 Fax: + 91 40 6736 2200 Pune C-401, 4th floor Panchshil Tech Park Yerwada (Near Don Bosco School) Pune - 411 006 Tel: + 91 20 4912 6000 Fax: + 91 20 6601 5900 Chandigarh 1st Floor, SCO: 166-167 Sector 9-C, Madhya Marg Chandigarh - 160 009 Tel: +91 172 331 7800 Fax: +91 172 331 7888 Jamshedpur 1st Floor, Shantiniketan Building Holding No. 
1, SB Shop Area Bistupur, Jamshedpur – 831 001 Tel: +91 657 663 1000 BSNL: +91 657 223 0441 Chennai Tidel Park, 6th & 7th Floor A Block, No.4, Rajiv Gandhi Salai Taramani, Chennai - 600 113 Tel: + 91 44 6654 8100 Fax: + 91 44 2254 0120 Kochi 9th Floor, ABAD Nucleus NH-49, Maradu PO Kochi - 682 304 Tel: + 91 484 304 4000 Fax: + 91 484 270 5393

  35. Ernst & Young LLP EY | Assurance | Tax | Transactions | Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in. Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016 © 2019 Ernst & Young LLP. Published in India. All Rights Reserved. EYIN1902-003 ED None This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.
