Most enterprises are embarking on a journey of digitization as they have begun to realize its benefits for their customers.
Let us first look at what digitization, or what I prefer to call digital transformation, is. It is leveraging digital technologies to create transformational changes in the way businesses operate. Big data and analytics, mobility, social, and the Internet of Things are the four main pillars on which the digital transformation of an enterprise rests. While these technologies are critical for an organization to embark on the digital transformation journey, these same technologies pose a grave security threat.
For example, according to Gartner, by 2020 there will be 20.4 billion connected things. They will not just be connected but will be transacting, and in the process will connect to multiple systems in a wide area environment. This makes the connected world vulnerable to attacks and breaches. So as we move along the digital transformation journey, we have to ensure that security is at the top of the agenda and is integral to any transformation that we bring about.
Businesses have every reason to be concerned about the rising threat level facing organizations today; rarely a week goes by without security hitting the headlines around the world.
The global scale of the recent cyber-attacks showed the astonishing speed at which even the most unsophisticated of attacks can spread around the world. These remind us that every business today – from the smallest sole trader through to SMEs and large multinational corporations – needs to get to grips with managing the security of their IT estate, as well as their people and processes.
India has been witnessing a spurt in the number of cyber security threat incidents. In the first half of 2017, more than 27,000 threat incidents were reported, as per a report by CERT-In. Most recently, the WannaCry and Petya ransomware attacks renewed our focus on cyber security. Threats do not necessarily require technologically advanced tools, but may be very damaging by simply exploiting known weaknesses.
For most enterprises, security is now center stage. Not so long ago, security was more of an IT-driven area which included some firewalls, perimeter security, and certain policies. Today organizations are realizing the challenges of the dynamic environment, and therefore security is no longer only IT- and CISO-led but is closely driven by the C-suite. In fact, security is not the responsibility of the IT/security teams alone, but of everyone in the organization – board, CEO, employees, connected suppliers, connected dealers, pretty much everyone.
In a typical cyber security threat situation, an organization’s first reaction is denial. It is estimated that 95 percent of enterprises have had some sort of security incident in the last 2 years and those 5 percent who say that their systems have never been breached are either in a state of denial or in a state of ignorance.
Some enterprises may think that they are fully secured and that cyber-attacks will not happen to them because they have firewalls, policies, etc. However, such notions are fast disappearing, and organizations as well as people at large are becoming aware of the impending risks and their cost. Such attacks not only have a direct impact on the company's operations, and therefore on cost and profitability, but also have a major negative impact on its brand value and future business.
Some of the organizations we have been working with are now at a stage where they have moved from box-led solutions to a completely managed security services solution and there is a strong realization that this is an expert’s job and hence needs experts to solve it rather than attempting a do-it-yourself approach.
I am finding a great deal of interest among our customers in security operations services. Typically SOC operations depend on tools, platforms, people, and processes. It is the first two which are extremely critical, as they set the foundation stone of risk evaluation mapping and management. Companies like BT, which have vast experience of running such operations for our customers and also for our own global operations, bring in the desired experience and learning, which are extremely important as enterprises always have to be one-up against the attacker.
This change is happening across industry segments, whether IT and ITeS companies, banks, or airlines. I think enterprises in India are slowly catching up with this changed security perception.
Most organizations exhibit a knee-jerk reaction to a security breach and try to arrive at a solution for the entire organization based on one or two security incidents. This quick-fix approach sometimes makes the security infrastructure more complex and in turn more vulnerable. When you look at multiple data breaches collectively, the picture changes. Being context aware is critical. It is equally important to exchange notes with peers. When there is a breach, most enterprises seem to hush up the whole situation, thereby effectively not letting other organizations know that their security was compromised. This is not a favorable situation, as we have to build an aware community of CISOs who share their experience and security incidents.
For example, if a bank in a particular country is hacked, the likelihood of another bank in that country having a similar security breach becomes very high. This is simply because the hacker, having breached a particular bank, gets a fair understanding of the core IT/security infrastructure, which is likely to be similar for another bank, and so it becomes easy for him to hack another bank. In countries where interbank connectivity is high, this is even more pronounced. Therefore, it is important to build a community safety setup allowing CISOs to exchange valuable notes and information in order to protect other enterprises too.
New kinds of cybercrimes are hitting us and the trick, as I mentioned, lies in how we can be one-up against the attackers. One of the innovations which I think is great is predictive threat analysis. This involves the collection and analysis of malicious cyber threats, past history, locations, and many more contextual variables to predict the threat. Today there are multiple internal and external sources of data – emails, application logs, logs from firewalls, attempted breaches, IDS/IMS server logs, chats, voice calls, social media, and many more – and the volume is huge. Implementing data analytics is the only way to effectively analyze this data in real time and use it to provide predictive threat analysis and forecasts with a fair degree of certainty.
To end, I will share a real scenario: as per RBI, as of September 2017 there are 33 million credit cards and 820 million debit cards in use in India, and approximately 3 million POS terminals at various merchant establishments. Each of these is a potential threat point, and an attack emanating from a POS machine somewhere in a small town has the potential to create a catastrophe for a bank and its data center and can eventually create a full-blown financial crisis. All this is not fiction; it is very real.
My advice to all firms, big and small, is to first move away from a state of denial and become context aware. The risk out there is real, and the faster they understand this and use experts to manage the risk for them in the long term, the better. Risks are best managed by experts who have experience understanding and getting a full view of the threat landscape.