69 percent of organisations are of the opinion that ransomware is a significant risk to them and 43 percent of organisations indicated that they have experienced ransomware attacks in the past year, states KPMG in India’s Cybercrime survey report 2017.
The survey report reveals several concerns pertaining to the changing regulatory landscapes almost two-thirds of the law agencies feel that there are not adequate laws to address matters related to cybercrime prevention, detection, and investigation.
It highlights that40 percent of end users feel, cross country jurisdictions being involved, is a hindrance in lodging a complaint with the cyber cells. Not surprising then that a mere 3 percent of the organisations have reported cyber incidents to a local law enforcement agency.
More than 300 participants which include CIOs, CISOs, CIAs, COOs, security professionals, top law enforcement officers and end users from all over India participated in the survey.
Speaking at the report launch, Akhilesh Tuteja, Partner and Head - Risk Consulting for KPMG in India and Co-Leader - Global Cyber Security, KPMG said,“Cybercrime has moved from corporate espionage and theft of Intellectual Property to use of advanced technology and malicious software, with the intent of holding companies to ransom and the threat of sabotaging brand reputation with data security breaches.”
The survey report shows that with an increased trend of attacks, the top management of organisations is now beginning to understand the need for cyber intelligence, cyber resilience, and measures to decrease the impact from cyber-attacks.
This is visible from the fact that 58 percent organisations have included cyber risk as part of the boardroom agenda, which has moved up from 41 percent as recorded in the 2015 KPMG in India’s Cybercrime study.
Commenting on this finding Sudesh Anand Shetty, Partner – Risk Consulting, KPMG in India said, “Cyber breaches should no longer be looked upon as isolated incidents linked with IT or IT security. Organisations should consider it as an indicator of a potential cyber fraud and be vigilant online. Security awareness is key and we encourage organisations to report matters as observed to be potentially investigated.”
48 percent of the organisations say that cybersecurity risk assessment is one of the important pre-requisites that need to be addressed before outsourcing to any third party.
Unfortunately, only 30 percent of the organisations have clearly defined requirements with reference to cybersecurity expectations, incident response and data breach prevention and have educated vendors about the same.
Organisations are increasingly adopting different measures to combat cybersecurity risks which include the development of a thorough cybersecurity framework, risk assessment, cybersecurity awareness training, etc.
29 percent of organisations believe that the cyber incident response teams and cybersecurity specialists in organisations require major skills and talent enhancement making the cyber incident response a key element of cyber strategy.
Another interesting finding of the report is that only 18 percent organisations are of the opinion that they are fully prepared to withstand and respond to large-scale cyber-attacks, while 69 percent of organisations are in the process or have formalised cyber response processes and procedures.
Commenting on this, Atul Gupta, Partner IT Advisory and Leader- Cybersecurity, KPMG in India said, “Cybersecurity has emerged as one of the key business risks and boards are addressing this proactively. Cyber-attacks are a reality in today's world and there is a need for an organisation to have the balance between the protection and response measures, currently, the preparedness on response to cyber-attacks need to be enhanced significantly.”
Cybercrime survey report 2017 champions the need for organisations across sectors to set up robust risk management measures/systems, thereby allowing a smooth and secure pace for the impending digital transformation most of them have embarked on. Some of the measures are:
- Identification of crown jewels
- Cyber risk assessment and threat management
- Vulnerability management with advanced measures such as red teaming
- Cyber in supply chain
- Cyber awareness beyond normal practices
- Cyber analytics
- Incident response mechanism to include periodic cyber drills and updated talk/runbooks
Organisations today need to understand that cyber risks are not just IT or security risks but a serious business risk that can completely shut down the business.