79 per cent organisations identified cybersecurity as one of the top five business risks: KPMG cybercrime survey 2017

69 per cent of organisations are of the opinion that ransomware is a significant risk  to them and 43 per cent of organisations indicated that they have experienced ransomware attacks in the past year, states KPMG in India’s Cybercrime survey report 2017. The survey report reveals several concerns pertaining to the changing regulatory landscape as almost two-third of the law agencies feel that there are not adequate laws to address matters related to cybercrime prevention, detection, and investigation. It highlights that 40 per cent of end users feel, cross country jurisdictions being involved, is a hindrance in lodging a complaint with the cyber cells. Not surprising then that a mere 3 per cent of the organisations have reported cyber incidents to a local law enforcement agency. 

More than 300 participants which includes CIOs, CISOs, CIAs, COOs, security professionals, top law enforcement officers and end users from all over India participated in the survey.

Speaking at the report launch, Akhilesh Tuteja, Partner and Head - Risk Consulting for KPMG in India and Co-Leader - Global Cyber Security, KPMG said, “Cybercrime has moved from corporate espionage and theft of Intellectual Property to use of advanced technology and malicious software, with the intent of holding companies to ransom and the threat of sabotaging brand reputation with data security breaches.”

The survey report shows that with an increased trend of attacks, the top management of organisations are now beginning to understand the need for cyber intelligence, cyber resilience, and measures to decrease the impact from cyber-attacks. This is visible from the fact that 58 per cent organisations have included cyber risk as part of the boardroom agenda, which has moved up from 41 per cent as recorded in the 2015 KPMG in India’s Cybercrime study.  

Commenting on this finding Sudesh Anand Shetty, Partner – Risk Consulting, KPMG in India said, “Cyber breaches should no longer be looked upon as isolated incidents linked with IT or IT security. Organisations should consider it as an indicator to a potential cyber fraud and be vigilant online.  Security awareness is key and we encourage organisations to report matters as observed to be potentially investigated.”

48 per cent of the organisations say that cybersecurity risk assessment is one of the important pre-requisites that needs to be addressed before outsourcing to any third party. Unfortunately, only 30 per cent of the organisations have clearly defined requirements with reference to cybersecurity expectations, incident response and data breach prevention and have educated vendors about the same. 

Organisations are increasingly adopting different measures to combat cybersecurity risks which include development of a thorough cybersecurity framework, risk assessment, cybersecurity awareness trainings, etc. 29 per cent of organisations believe that the cyber incident response teams and cybersecurity specialists in organisations require major skills and talent enhancement making cyber incident response a key element of cyber strategy. Another interesting finding of the report is that only 18 per cent organisations are of the opinion that they are fully prepared to withstand and respond to large scale cyber-attacks, while 69 per cent of organisations are in the process or have formalised cyber response processes and procedures. 

Commenting on this, Atul Gupta, Partner IT Advisory and Leader- Cyber security, KPMG in India said, “Cybersecurity has emerged as one of the key business risks and boards are addressing this proactively. Cyber-attacks are a reality in today's world and there is a need for an organisation to have balance between the protect and response measures, currently the preparedness on response to cyber-attacks need to be enhanced significantly.” 

Cybercrime survey report 2017 champions the need for organisations across sectors to set up robust risk management measures/systems, thereby allowing a smooth and secure pace for the impending digital transformation most of them have embarked on. Some of the measures are: 
1. Identification of crown jewels
2. Cyber risk assessment and threat management
3. Vulnerability management with advance measures such as red teaming
4. Cyber in supply chain
5. Cyber awareness beyond normal practices
6. Cyber analytics
7. Incident response mechanism to include periodic cyber drills and updated talk/run books

Organisations today need to understand that cyber risks are not just IT or security risks but a serious business risk that can completely shut down the business.