What is security? What is the difference between a threat, vulnerability and risk in terms of cybersecurity?
The National Institute of Science & Technology (NIST), USA, defines security as ‘the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability’
Further, NIST defines a threat as any circumstance or event with the potential to adversely impact an organisation’s or a country’s operations by affecting its IT systems, as a result of unauthorised access, disclosure, destruction/ modification of information, etc.’
A vulnerability is defined as ‘weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.’
Threat agents exploit vulnerabilities to cause incidents. The estimated impact of an incident in an organisation/ nation, multiplied by the likelihood of the threat materialising is classified as Risk.
How has the cybersecurity landscape changed in the last decade?
Cybersecurity has changed significantly in the past decade, we’ve moved away from the days when basic virus protection and security controls were sufficient to deter threats, to the need for advanced security analytics tools to prevent advanced persistent threats (APTs) and tackle malicious insiders.
Attackers too have evolved – earlier they were lone wolves who perpetrated attacks for financial gains, but today they range from a well organised criminal agency to a government sponsored hacker group. These well-funded, technically adept attackers have the capability to bring an entire enterprise or sector to a halt – something that was unimaginable a decade or two ago.
Further, while the immediate financial loss of a cyber-attack is easier to estimate, the long term loss as a result of lost revenue from damage to the enterprise’s brand is much more difficult to quantify. The recent ransomware (WannaCry) attacks were global and affected companies from across sectors – asking probing questions on cybersecurity maturity.
The proliferation of attacks has forced corporates to take cognisance of threats posed by cyberspace – a majority of companies now have Chief Information Security Officers, dedicated staff and enhanced budgets for security. Cybersecurity is a field deeply influenced by technology trends such as digitisation, the rise of fintech, ‘connected’ cars and homes among others, and supply-side cyber security companies continually develop new solutions to address cyber-threats arising from these trends.
How have recent technology trends affected security?
Cyber security is a field deeply influenced by technology trends such as digitisation, the rise of fintech, ‘connected’ cars andhomes and wearables and cybersecurity companies continually develop new solutions to address threats arising from these trends. From the supply point of view, this has led to the proliferation of numerous cutting edge cyber security products from security information and event management (SIEM), e-discovery, privileged identity management, behavioral analytics, next-generation firewalls and UTMs amongst others.
Further, solutions have also been developed to secure specific sectors and address specific threats such as, end-to-end solutions for Supervisory control and data acquisition (SCADA) systems in oil and gas, connected cars, smart cities, etc. Regulations and compliance are major drivers for the industry, as most critical infrastructure sectors are highly regulated.
How big are the global and Indian cybersecurity markets? Who are the big spenders on security?
Currently, the global cybersecurity market is estimated at ~US$ 80 bn. by various analysts, and is expected to grow to US$120 bn. over the next 5 years. Products (software and hardware) account for almost 55% of the market, the rest being accounted for by services. Within products, the market is divided into a number of sub-segments (comprising of both software and hardware) including network security, endpoint security, identity and access management, security monitoring, amongst others. On the services side, there are four major sub-segments, which are security consulting, managed security services (MSS), security implementation services and education, training and certification services. The Indian market, on the other hand, is estimated at ~US$1.1 bn, by various analysts, is expected to grow in double digit figures in the coming years.
In India, as it is globally, the financial services sector leads spending on cyber security. The sector is highly regulated, owing to the sensitivity of data handled and the consequences of a potential breach. PwC’s recent thought leadership on RBI’s circular on cyber security discusses the regulator’s mandate on the subject in detail. After financial services, technology, telecom and government are also major spenders, although in most countries a large part of the government’s spending on cyber security is classified as it has direct link with national security.
How prepared are businesses against attacks like WannaCry?
The recent ransomware attacks affected hundreds of thousands of organisations globally, including leading organisations in India. The ransomware, which propagated through the EternalBlue exploit, rendered systems useless by encrypting user files and demanding a ransom to be paid via Bitcoin.
Interestingly, Microsoft had released a patch for this vulnerability in March, 2017 which a lot of organisations overlooked. Further, the ransomware exploited the lack of awareness among users and lured them into clicking on files/ links which led to the ransomware being downloaded on their computers. Organisations that followed a rigorous patch management process were far less likely to be impacted by WannaCry. The key towards preventing any cyber-attack is first by strengthening basic IT and cybersecurity processes, and strengthening the human element – making users aware of cyber threats, and giving them the knowledge to be able to identify a potential attack.
What are the cybersecurity implications that various stakeholders should keep in mind as GST is implemented?
The new GST information architecture results in the aggregation of data, of both customers and suppliers, outside of enterprise applications, further, detailed transactions were limited to only ERP systems, but are now shared with a broader set of stakeholders, consequently exposing sensitive data to potential cyber threats outside the enterprise perimeter.
As the GST requires bi-directional information flow as a result of periodic reconciliation and will result in information flow over the internet, strict monitoring of the enterprise perimeter and encryption of information over the internet will also be required. Enterprises need to answer a number of questions around system integration, adoption of off-the-shelf, or developing homegrown solutions, and effectiveness of existing and proposed security controls while preparing to go-live with the GST. By addressing these concerns, organisations can effectively manage and mitigate cyber-risks emerging from the new tax regime, while fully realizing its benefits.
(Sivarama Krishnan is Cybersecurity leader, PwC India)