Authored by Shankar Bhaskaran, Managing Director – India, MetricStream
The frequency and sophistication of cyber attacks have risen globally, causing concern among CISOs and risk professionals. As the digital interconnectivity of people, processes, and organizations intensifies, ensuring robust cyber health becomes a top priority for organizations. A report released by the US Federal Bureau of Investigation (FBI) in 2022 put India at the fourth spot on the list of countries most affected by cybercrime. Canada, the UK and the US preceded India. Based on data collected between 2017 and 2021, India had over 31,000 reported cases. The 2022 IBM Security Data Breach Report states that the average cost of data breaches in India for the fiscal year 2022 hit an all-time high of $2.2 million.
Organizations know that having an impenetrable defence mechanism is a must. However, most of them focus only on reactive risk detection and response. Organizations today use technologies such as artificial intelligence (AI), machine learning (ML), the cloud, robotic process automation (RPA), and the Internet of Things (IoT) to offer a range of differentiated business experiences to their customers. These emerging technologies pose multiple challenges. First, they increase the attack surface, thus requiring new mitigating controls to protect data assets while allowing for an elevated customer experience. Second, these technologies introduce multiple new cyber compliance and governance requirements, which require organizations to be agile in their responses.
Meanwhile, as analytics are adopted to strengthen business decisions, critical and sensitive customer information is moving into data lakes, thus increasing security risks. As organizations demand a more extensive API ecosystem to interact with third-party vendors, risks in the extended enterprise are growing. New vulnerabilities are emerging with each upgrade of mobile and cloud technologies. These challenges fundamentally alter the cyber risk landscape and render many traditional cybersecurity methodologies ineffective.
Organizations need a proactive strategy to minimize impact and potential loss while ensuring business continuity. To change the game, they must think ahead of their adversaries by proactively identifying and patching vulnerabilities permanently. This approach will require newer technology paradigms, models, and methodologies.
Recently, there has been a shift in the global narrative from cybersecurity to cyber resilience. This approach involves embedding risk management across business processes and the extended organization to make customers, partners, and third-party vendors full-time stakeholders in cyber resilience. At the same time, the business is made fully aware of all cyber risks in its decisions. Such a paradigm demands a shift in existing cyber risk management processes and perspectives.
Cyber resilience demands a paradigm shift
Cyber resilience involves implementing a holistic approach to managing cyber risks that is proactive and provides continuous access to critical data. All stakeholders should be fully aware of all cyber risks in their decisions. Initially, cyber resilience may seem like a daunting task. However, developing an effective cyber resilience management framework with the right mix of people, processes, and technology is possible. Organizations should not depend only on tools and technology to establish cyber resilience. The team's expertise and well-designed processes also play an important role. Cyber resilience involves prevention, detection, response, and recovery from attacks. It involves ongoing monitoring and testing of an organization's cybersecurity measures to identify vulnerabilities and potential threats. Organizations must prioritize threats, including ransomware, malware, phishing attacks, and others, according to their probability and potential impact, and develop an appropriate response plan.
An effective cyber resilience management program requires integrating cyber risk into business strategy and engaging stakeholders for better decision-making.
Cyber resilience from a regulatory perspective
In recent years, operational resilience has been a crucial agenda for risk professionals. With regulatory focus shifting, regulators want to see how quickly organizations can recover from events. International standard-setting bodies and national regulatory bodies continuously release policies, guidelines, best practices, and other resources. Organizations need to look at cyber resilience through the same lens as operational resilience.
ISO, a global standard-setting body comprising representatives from different national standards organizations, released ISO/IEC 27001, outlining the requirements for an Information Security Management System (ISMS). Additionally, the ISA99 committee developed the ISA/IEC 62443 series of standards to address and mitigate security vulnerabilities in Industrial Automation and Control Systems (IACSs). Apart from the global standards, several other standards, including the NIST Cybersecurity Framework, Cybersecurity Maturity Model Certification (CMMC) in the US, Cyber Essentials in the UK, and the BSI IT Baseline Protection Catalogs in Germany, among others, aim to enhance the cyber resilience of organizations operating in these regions.
Governments worldwide have implemented several cybersecurity regulations that dictate organizations' cybersecurity measures. In India, the Reserve Bank's Cybersecurity Framework applies to the BFSI sector, mandating various cybersecurity measures, such as risk assessment, security operations centre, and security incident management.
Given the changing regulatory landscape, traditional cybersecurity measures clearly won't suffice. To thrive, organizations need a mature cyber resilience program. Not having one can lead to non-compliance, resulting in regulatory fines and huge penalties. Non-compliance can also cause reputational damage, loss of customer trust, and even threaten the very existence of a company.
Cyber resilience requires thinking beyond traditional cybersecurity
Organizations must start thinking beyond cybersecurity. They need an intelligent, interconnected solution covering IT and cyber risk and compliance management, threat and vulnerability management, IT policy management, and IT vendor risk management. A connected approach will help organizations avoid cyber risks while ensuring compliance and bolstering cyber resilience.
However, all these measures require a shift in human and organizational behaviour. It means giving up discretionary privileges, ensuring data drives decisions, and implementing additional front-end effort and scrutiny during software design. Such shifts always need a significant amount of change management and handholding. The ability to effect these changes and institutionalize cybersecurity measures remains the biggest challenge in the quest for cyber resilience.