India lags adequate cyber incident response strategies: EY India

Corporate India's incident response mechanisms to tackle cybercrime risks remains low, states EY’s Fraud Investigation & Dispute Services report.

The report highlighted that a majority (about two third) of businesses were unable to detect a cyber incident in real time due to insufficient understanding of the motive behind the attack. Almost 89% stated a need to enhance cyber laws, 55% said laws need to be strengthened, and 34% said they need to be more clear.

Arpinder Singh, Partner and National Leader, Fraud Investigation & Dispute Services, EY India says, “The shift to a digital economy has also uncovered vulnerabilities in many organizations and highlighted the need to build strong cyber strategies. The ability to foresee and remediate future threats will separate the better prepared organization from the rest.”

Some key highlights of the EY report include:

* Inside threats on the rise: One fifth of the respondents asserted that employees are one of the weakest links in an organization’s defence mechanisms. Most companies tend to put in a concentrated effort to mitigate external threats, but the impact of insider threats is undermined. Organizations should realize that insider threats could pose a significant risk to their proprietary information and it’s important to strike a balance in managing both internal as well as external risks to protect critical assets.

* Social media – the big cybercrime vector: Almost all respondents (90%) identified social media as a big risk, possessing a high probability of being used to identify and target key individuals in organizations. A mobile workforce, increased sharing of personal and professional information on social media channels, and gaps in protecting this information could evolve as a significant cyber hazard. Emerging techniques such as phishing or spoofing can make unsuspecting employees even more vulnerable.

* Cyber specialists are critical to deal with incidents: 72% of the respondents believe their company’s IT security teams do not have enough specialists to deal with cybercrime incidents, directing companies to invest in quality staff who can tackle these concerns. Only 40% of the respondents believe their techniques around proactive monitoring of cybercrime are adequate and 44% stated having robust data protection programs.

*  Increased investments required in investigation capabilities: Less than half of the respondents surveyed are planning to increase cybersecurity spends, indicating that incident response is still not on the priority list. Organizations need to understand that the quantum of losses suffered because of a cyber breach will continue to escalate in the future, and there is a heightened need to make investments in building robust cyber diagnostic programs, provide remediation approach, cyber threat intelligence and incident response.

Brijesh Singh, Inspector General - Cyber, Maharashtra said, “The threat from cybercrime is multi-dimensional, targeting citizens, corporates and the government at an alarming rate. Increased public awareness and regulatory initiatives such as ‘Digital India’ have directed organizations to invest in setting up cybersecurity measures in line with the nation’s objectives. Equipping companies with innovative strategies and tools will be paramount going forward.”

Amit Jaju, Executive Director, Fraud Investigation & Dispute Services, EY India, said, “Cyber criminals have been exploiting the lack of real-time response by organizations triggered by an incident to their advantage. This calls for the implementation of a robust cyber defense strategy, supplemented by a diagnostic program and incident response mechanism.”