Enterprises need a holistic approach to cybersecurity
Mumbai: Cybersecurity remains a tough nut to crack for governments and organizations around the globe. While the world continues to struggle with newer forms of terror attacks, a recent United Nations (UN) report, Global Cybersecurity Index (GCI), may hold some clues as to how the increasingly critical problem of safeguarding business and personal data could be better handled.
The report, prepared by the International Telecommunication Union, scored all its 193 member states on their “commitment” to cybersecurity. Singapore tops the list. India ranks 23rd (surprisingly ahead of Germany and China but way below Malaysia and Oman) and Equatorial Guinea occupies the lowest berth.
What is noteworthy about the GCI—and which could offer takeaways for chief information security officers (CISOs) tasked with protecting employee and customer data in various organizations—is that the index focuses on five factors that encapsulate a holistic approach to cybersecurity.
The report points to the five pillars of the ITU Global Cybersecurity Agenda—“legal, technical, organizational, capacity building and international cooperation”—according to an announcement on the UN website.
The enterprise equivalent of these five pillars could be taken as companies’ technical and legal competence in dealing with data security issues, a well thought-out hierarchical structure for incident response, and continuous training and information-sharing.
As any seasoned chief information officer (CIO) or CISO would tell you, there exist multiple “silos” and “power centres” in organizations that hamper their ability or intent to take a “holistic approach” to cybersecurity.
In November 2016, the US-based National Institute of Standards and Technology (NIST) came out with a publication, Systems Security Engineering. The title doesn’t reveal much—until you move to the descriptor: “Considerations for a multidisciplinary approach in the engineering of trustworthy secure systems”.
Ron Ross, one of the co-authors of the NIST report, makes this remark in the foreword: “Increasing the trustworthiness of systems is a significant undertaking that requires a substantial investment in the requirements, architecture, design, and development of systems, components, applications, and networks—and a fundamental cultural change to the current ‘business as usual’ approach.”
With the news of repeated cyber-attacks—be it the recent Petya/Goldeneye and WannaCry malware unleashed globally, the 2016 Indian debit card data breach in which 3.2 million accounts were compromised or sundry others—organizations can hardly continue with their “business as usual” stance.
The cost of cybercrime is only going up: from $3 trillion in 2015 to $6 trillion by 2021, as per estimates by Cybersecurity Ventures.
A study by International Business Machines (IBM) Corp. in June noted that the average cost of a data breach for Indian enterprises could go up to Rs110 million this year—up 12.3% from 2016.
More often than not, enterprises respond to growing cyber threats by buying more and more security tools, but they are hardly able to use them optimally.
“Many organizations use at least half-a-dozen solutions from just as many vendors. In many cases, their security teams can investigate only half the security alerts they receive on a given day,” noted the Cisco 2017 Annual Cybersecurity report.
The Cisco report, too, emphasizes the need to take an overarching view—rather than a scattered, solution-centric one. The “real answer” to meeting the complex cybersecurity challenges of today, it said, is “to operationalize people, processes, and technology in an integrated manner”.
No cybersecurity company in the world today can promise to provide 100% safety or foolproof data protection, but a holistic or integrated approach to tackling cyber threats—which doesn’t remain static but keeps evolving with the changing antics of hackers—seems to be the best bet for enterprises.
With incidents of data breaches growing and the “attack surface” ever-widening—think of the billions of devices to be connected through the Internet of Things (IoT) and the possibilities of Mirai-like attacks—the trust that citizens and customers place in online interfaces is likely to take a hit. All the more reason to broaden the scope of cybersecurity beyond technology tools alone.
Renowned security expert Bruce Schneier once remarked, drawing upon a quotation he had heard: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” This quote is standing the test of time.