Cyber thugs are getting smarter, more aggressive, and greedier. The cost of data breach in India increased from Rs 3,396 in 2015 to 3,704 for one compromised record. Vaidyanathan Iyer, Business Head – IBM Security, sheds light on what security heads can do to mitigate threats.
What explains the spike in the cost of data breaches with respect to the Indian enterprise?
The answer is manifold. One is that Indian enterprises are globalizing at a very fast pace. If you look at the world economy, India is one bright spot.
Also, there are entities with vested interests that do not want India, or Indian enterprises to succeed. So, hacking an Indian enterprise, or a wing of the Indian government will show the country in poor light, and put India on the back foot.
Third is the awareness of the people – employees are also being exposed to global trends. It's like getting exposed to a new culture and there's a lot of training which is required.
Fourth is the law. The law requires that data breaches should be reported. We have to maintain transparency, so the data breaches are getting reported more.
Lastly, there is a shortage in terms of the available skillset to do this kind of job.
Why is it becoming so hard for companies to contain a breach?
This is because enterprises are still catching up. All leading enterprises are beefing up their defenses. They're putting up incident response systems, they're putting up local Computer emergency response teams (CERT).
Second thing we've observed is that healthcare is getting exposed to breaches. This is because the database containing personal health information data is getting leaked. The reason why the financial and healthcare suffer a lot is because the moment a bank or a hospital is hacked, it's very easy to lose faith and trust.
The third trend we've observed is coming up through POS terminals. I'd rather say point-of-contact, because ATMs are point-of-contact machines.
How can organizations mitigate the cost resulting from data breaches?
Firstly, the approach should be a top-down approach, driven by the board. There should be a proper governance mechanism put up.
Then you look at data-viewing and access privileges; have a legal counsel that's monitoring this; put in regular audit mechanisms in the organization; and ensure that your employees are continually made aware of these protocols. This also includes conducting mock drills. Organization leaders can also reward employees for identifying data breaches.
You might have identified your data breach, and a whole lot of reports on that, but what you need to focus on is how quickly you're able to recover from the breach.
This is where your disaster recovery system comes in to play. In case you're hit by ransomware, your data should be very recent.
You did talk about making employees aware about cyber-security. But there's only so much one can do when it comes to controlling 'human weakness'. How can organizations get more control over insider threats?
Now internal security doesn't necessarily mean that an employee's details have been compromised. It can be someone masquerading as an employee and causing the damage. The employee may not even know that an incident happened.
Insider threats can be mitigated to a large extent by having a good governance model in place. A CFO may have certain privileges that I don't have. There should be constant monitoring of passwords, authority, and identity management systems, which keep tab on employees' roles and access.
What can organizations do to minimize post-data breach expenditure?
Technology is just one part of the picture. Today Indian organizations are waking up to cyber-assurance. The cyber-assurance package identifies and quantifies the risk exposure. The package comes at a premium, so if the company is breached, the insurer has to cough up the money.
One needs to remember that as technology evolves, the risk also evolves. Just as we are trying to design better security, the bad guys are also trying to develop advanced ways of breaking in.
Cyber-security insurance includes a consultant firm, a technology vendor, and an insurance company. These are the three key elements of a cyber-insurance package. The consultant educates the insurer about vulnerabilities, and the technology vendor provides newer technologies to combat breaches.
We're now seeing cyber-insurance catching up in India. It's going to be a big business sooner or later.
Your takeaways for CSOs on mitigating the Mean Time to Identification (MTTI)
You have to put your response system and security intelligence in place, and build your analytics around it. You have to make sure that you spot the zero-day malwares.
And if there's a breach happening, you need to have alternate routes chalked out. For instance, at IBM, we use a technology called 'Resilient', which combines incident response with security intelligence. This ensures business continuity.