The approach to implementing enterprise cyber security is often skewed towards a focus on control rather than on “what are we trying to protect?”

Most cybersecurity projects do not feature active involvement from the company’s board and the business teams. Companies may attain a security certification but end up not focusing on protecting what needs to be protected, which is information and data, says Vittal Raj, an expert on cyber security.

Often, the most sensitive business information is on mail or on employees' personal mobiles, which are the least protected.

Hence, as the first step after context setting, companies should focus on identifying and inventorying information assets across their enterprise, he said at Phygital 2024, an event on cyber security organised by the Madras Chamber of Commerce and Industry on Monday.

Once information assets have been identified, the next step is to determine the value of such assets based on confidentiality, integrity and availability. What follows is the critical step of classifying the assets, which helps in right-sizing the investment in security in proportion to the classification, followed by risk assessment and controls implementation.

Robust information asset management is the foundational step for successful and agile cybersecurity implementation, said Raj.

Ramkumar Ramamoorthy, Partner, Catalincs, said that while companies largely focus on technology when driving cybersecurity readiness, adequate focus should be given to people and processes as well.

In many cases, disgruntled employees from within the company have become perpetrators of cyber breaches or sabotage. Increasingly, remote working environments are turning out to be an additional security challenge, as they increase the number of end-point vulnerabilities for companies to manage.

GenAI, cloud security, mobile security, IoT in the era of 5G and edge computing, and non-state actors and state-sponsored cyberwarfare are some of the other newer security challenges, he said.

Quoting a report by a research firm, Ramamoorthy said that nearly 48 per cent of companies were compromised because of attacks on third-party partners and ecosystem players.

This is something that companies will have to be worried about. They need to do a periodic audit of their third-party partners and also ensure that the third-party companies are subject to stringent tests and audits, the reports of which will have to be verified by the companies.

According to other data, even in the first few months of 2024, an increase in ransomware attacks on manufacturing and healthcare companies was witnessed. Given the use of IoT across manufacturing companies and edge computing in areas such as autonomous vehicles and medical health devices, attacks on products, devices and real-time systems are going to increase.

It is not just private companies; the government should also increase its cyber vigil. With many national assets, including nuclear reactors, dams and energy grids, getting IoT-enabled, governments need to increase their investment in cyber security, he said.