36% firms have a strategy in place for IoT: Sudhir Singh Dungarpur, PwC India

According to the PwC’s Global State of Information Security survey, 86% CXOs believe that they are prone to cyber security threats as compared to 64% of them in 2014. Further there is just an increase of 38% in detected information security incidents; and only 47% organizations do have a better ability to detect and mitigate security incident with a security framework in place. Voice&Data interacted with Sudhir Singh Dungarpur, Partner & Advisory TICE Leader, PwC India, and he shares how can businesses stay safe in the always-online world. Excerpts:

Voice&Data: Why is cyber security turning out to be so critical or urgent?

Sudhir Singh: Today, we live in a highly “connected” world, where, internet connectivity is an absolute necessity for everyone and for every walk of life. With our high dependency on mobile and digital applications, the threat of cyber security is up, close and real – for an individual, a business or for the government. Therefore, a proactive approach to protect yourself is absolutely necessary.

This is further validated by our Global State of Information Security survey which brings out that 86% CXOs believe that they are prone to cyber security threats as compared to 64% of them in 2014. Further there is just an increase of 38% in detected information security incidents; and only 47% organizations do have a better ability to detect and mitigate security incident with a security framework in place.

An incident of cyber-attack can expose your unprotected sensitive information such as personal data or your banking details or your intellectual property details from virtually anywhere. This data, if in wrong hands, can be detrimental personally or to any business whether big or small resulting in severe financial losses, reputational damage and exposure of the trade secrets.

Voice&Data: What is the magnitude of cyber-crime on any business’ reputation?

Sudhir Singh: According to Gartner by 2020, 60% of the digital businesses will suffer major service failures due to the inability of their IT security teams to manage digital and cyber risks. Already, service outages due to hacking or loosing critical company information to competition is becoming common.

Our Global State of Information Security survey discovered that less than 36% of the firms have a strategy in place for the Internet of things. As more companies become connected, they will be prone to cyber-attacks. A cyber-attack can potentially cause irreparable damage to the company’s reputation which can turn away the customers, impact their share price or create loss of confidence in shareholders.

Target, a prominent US-based retailer, was a victim of cyber-attack in December of 2013, the time of the year, as you will know, is the biggest holiday shopping time. Target lost nearly 50 million customer credit card details as a result of the cyber breach. Subsequently, they further suffered lawsuits from their customers who had trusted them with their credit card details. Target had to pay out an estimated US $250 million in damages, which impacted their bottom line by 34%. Till today, customers prefer to pay by cash in Target stores and it will take a lot before Target wins back the trust of their customers.

An independent survey has brought out that 46% of the organizations who have had incidents of cyber-attacks, have suffered brand reputation damage. The average financial impact to their brand value ranged from US $184 million to US $332 million. We should note that most firms play down the impact of cyber-attack to protect their brands.  The real and long-term impact to the brand will be far greater than reported.

Voice&Data: Since encryption is being used as a cybercriminal weapon to hold companies’ and individuals’ critical data hostage, what are the best ways to manage cyber security crises?

Sudhir Singh: In our cyber age, the nature of crime has also become innovative and digital. A recent example is “ransomware”, which is used as a tool to hack your critical information and then to encrypt it so that ransom could be demanded. This is only made available or given back when you pay the ransom in bitcoins or in other digital currency. A US-based hospital had to suspend services for 3 days since a cyber-criminal encrypted their patient and other medical records to demand ransom. According to our survey, 42% of the businesses do not have an overall information security strategy. The risk of your data getting into wrong hands is greater.

To protect your organization, you need a combination of powerful data management system and efficient cyber security practices. This will help you manage and monitor the flow of critical data and therefore, shield you from cyber criminals.

Your data management system should enable:

• Regular back-ups of data which can be easily restored in the event of encryption by cyber criminals
• Scan files with suspicious extensions being downloaded on firms’ devices
• Disconnect the network immediately based on alerts to contain the damage
• Keep your applications, software updated with latest patches, security tools, anti-viruses, and firewalls

Voice&Data: In your opinion, how should SMBs and mid-tier companies respond to cyber-crime events?

Sudhir Singh: Today, most small and medium businesses are leveraging technology for communications, marketing, selling, product development amongst other things. They remain attractive targets for cyber-attacks because:

• Their security systems and policies are not as potent or mature as in large enterprises
• They lack awareness about the risk of cyber threats and do not have in-house specialists to deal with cyber-crime
• They have not yet invested in security software and tools

It is difficult for an SMB to invest in expensive security infrastructure or have in-house cyber security experts. But it is important for an SMB to have internally a business continuity plan – and be prepared to deal with any incident with minimal impact to the business.

I would suggest that SMBs should outsource the security management to a competent firm who can provide them the necessary talent, tools and ecosystem. Many service providers have world class security infrastructure and skills to protect and manage cyber risks customized for the SMBs. These solution providers also offer customized pay-as-you-go business terms that would be attractive to the SMBs.

Voice&Data: What is the best way to stay safe in cloud?

Sudhir Singh: IDC predicts that spending on public cloud computing will soar to nearly $70 billion this year, and that the number of new cloud-based solutions will triple over the next four to five years.

With such heavy investment in cloud, one can predict that security will be one of the major concerns for the players who provide and utilize this service. According to our Global State of Information survey, 69% of the firms utilize cloud-based cyber security services. Further, cloud providers have steadily invested in advanced technologies for data protection, privacy and network security. There are various ways to stay safe on the cloud:

• Encrypt and password-enable critical data at upload, download and at storage time while using the cloud (use cloud services that encrypt data)
• Read cloud service providers’ agreement carefully and negotiate customizations as per your need
• Be fully aware of who has access to your data in the cloud and ask for restrictions as appropriate
• Ensure your cloud service provider goes through regular security assessments and is an established/proven player
• Avoid automatic uploads and keep regular back-ups
• Access or entry points to the cloud system be safe and out of reach of malicious programs or cyber criminals