Ever since the COVID-19 pandemic began in March last year, cyber resilience and cybersecurity have attained renewed significance.
So, how do you make an organisation secure and resilient?
These questions were discussed in detail at W.Media’s Digital Week South Asia panel discussion titled ‘Assessing enterprise cyber resilience – Why cyber security matters?’.
The discussion was moderated by Dr Burzin Bharucha, Advisor, EY. The panellists included Bharat Panchal, Chief Risk Officer, India, Middle East & Africa, FIS; Gary Brantley, CTO, Beazer Homes; Naseem Halder, CISO, ACKO General Insurance; Deepak Talwar, National Security Officer, Microsoft; and Pawan Chawla, CISO, Future Generali India Life Insurance.
What is Cyber Resilience?
It is a myth that because people have technology and have control over it, they are safe. “Nothing can happen to them and they will never face a cyber-attack; this is a wrong perception which is leading people to talk more about cyber resilience”, said Bharat Panchal.
He further added that when you ask an organisation what preparation it has for a data breach, it would often reply that it has all the latest technologies; but when it actually experiences a data breach or cyber-attack, it is not able to tackle the situation.
This is where cyber resilience comes into play: how soon the organisation can detect a data breach or intrusion, and how soon it can resolve it.
Now that organisations have shifted to the virtual world, it is important for them to become cyber resilient.
He gave the example of the banking sector, which responds well to intrusions and data breaches because of better preparedness. This is not the case with every organisation.
“An adverse condition that can be handled in the best way with minimum impact, without disrupting your operations, for me is building the resilience”, said Deepak Talwar.
“In the previous year we have seen that whatever we had planned has taught us a lesson: that we were not prepared for whatever is happening in the world today. Cyber resilience needs to be in place and needs to be thought about from a future perspective.
Especially for unprecedented incidents, it is important for organisations to make sure that there are enough controls in place to prevent data breaches and cyber-attacks”, said Pawan Chawla.
Recent technology enhancements give organisations an edge in building resilience in a different way. For example, organisations using the cloud would have easily managed to have staff work from home and remote locations, stated Naseem Halder.
He further added that it is about “looking out for recent technologies that are already available in the market and how they can be used by organisations to build resilience in a different manner”.
Achieving Resilience
A single person cannot achieve cyber resilience for an organisation. “The technology team can build certain controls which can build upon certain areas; at the same time the processes can help you to define the work and operation.
The employees are a key factor in an organisation. If they don’t report what is going on in the organisation then it becomes difficult to achieve resilience”, said Naseem Halder.
“We were in a traditional environment and we were following traditional practices of securing the organisation by doing the vulnerability assessment and evaluating technologies which are new and ensuring that those technologies could help us in mitigating certain controls which are at risk in the organisation.
But when the pandemic started in March 2020, suddenly there was a high jump in risk.
As we see, there were more than 500 domains that got registered every day; we also read about ransomware attacks on one of the biggest IT giants, and they were almost down for one and a half months; and there are multiple examples where even those with a cybersecurity team and better controls than most organisations were impacted.
The most important lesson here is to learn from things that happened which we did not think of”, said Pawan Chawla.
He further added that it is important for organisations to learn from their mistakes, make a case study of them and pass it to every employee in the organisation; looking at the history of cyber-attacks, it all starts from one simple mistake.
It could be a configuration issue, a legacy device still in use in the organisation, or an employee clicking on a link. These things need to be thought through and a case study created. Board-level stakeholders can help achieve that, and they should be made aware of it.
The CISO should ensure that the information is passed to the risk officer so that a budget can be put forward to resolve the security challenges present in the organisation.
“Transparency plays a key role; there has to be a transparent process within the organisation, right from identifying the concern to taking it to the board level and ensuring the resources are made available to mitigate it”, added Pawan Chawla.
“Achieving cyber resilience is a journey. You first identify what you are trying to solve from resilience. I might be building resilience because I’m a production company and I don’t want to pay ransom if I am attacked. So my resilience will be based on how do I prepare for that aspect and look into that”, said Deepak Talwar.
He further added that, taking a broader view, any organisation, startup, government or enterprise ecosystem asking how to build resilience will need to split the question into business resilience (what is the business impact) and operational resilience (how do we do it).
A lot of the time organisations get into the mindset that resilience means safeguarding.
Resilience is also how you continuously move forward in the journey of innovation and how you go through digital transformation. It should not only be about investing in technology and processes and minimising data breaches; it is also important to be good at cyber hygiene.
“People, process, technology: the three layers which we always use. It is essential to combine them and build the operational resilience, the business resilience and the impact.
All tools and technologies, configurations and the compliance standard also fall into resilience. It has to follow some compliance standard, maybe a zero trust model, a journey to get into, maybe applying all that end-to-end integrated security, compliance and identity approach”, added Talwar.
“When it comes to cybersecurity, if anything goes wrong people turn to the CISO. When it comes to packages, CISOs have some constraints, but when it comes to resilience, whatever happens in terms of the business, it is important for everyone to understand what cybersecurity and cyber resilience are”, said Panchal.
He further added that technology is becoming integrated: people’s lives rely more and more on their mobile phones; earlier there were different gadgets for different things, now everything is available in one mobile phone.
In an organisation it is not only cybersecurity that one has to look after; there is the consumer, third-party vendors and others. Security should be added during the design process, not at the last stage.