Cybersecurity Still Not A Board-level Issue

by CXOtoday News Desk    Oct 21, 2014


The average cost of a security incident for Indian companies has more than doubled from $194 in 2013 to $414 in 2014, with a 20 percent rise in the average losses as a consequence. Despite the alarming rise in information security breaches, whose consequences are becoming far more damaging, Indian organizations have reduced the average security spending from $4.8 million in 2013 to $4 million in 2014. These are the findings of PwC’s ‘State of the Information Security Survey - India 2015’.

Cyber-security threats today have become increasingly complex, with organizations adopting new technologies without fully understanding their implications, says the report. Unfortunately, even though cyber threat incidents are on the rise, boards of organizations remain unperturbed and continue to treat cyber security as an IT problem, says PwC.

“Cyber security is no longer an issue that concerns only IT and security professionals. The impact has extended to the C-suite and boardroom. It is now a persistent business risk. Awareness and concern about such security incidents and threats are a priority for the consumers as well,” explains Sivarama Krishnan, executive director and leader - India Cyber Security, Governance Risk and Compliance Services.

He believes that the human element in cyber security is something firms should not ignore. “Firms in India need to increase engagement levels with employees to manage this better,” he added.

Some of the key findings of the survey are detailed below:

Security remains an IT concern: While there’s a rising year-on-year incident cost with an increase in the average losses as a consequence of security breaches, there’s been a decline in the average security budgets. In other words, though threats have become more frequent and damaging, organizations have not increased their security spending. This requires that cybersecurity practices extend beyond IT to other areas of the business, says the report.

‘Insiders’ are most dangerous: Company insiders or employees are cited by respondents as the most common causes of incidents, causing loss of confidential data. The lack of effective mechanisms to manage risks to data stemming from third parties can be most dangerous as per the findings of the study. Compromise of customer records also interrupts the smooth running of business, leaves the organization exposed to legal action, results in loss of customers and may also damage the reputation of the organization.

Board level passive on cyber security: Almost 37 percent of respondents cited board-level leadership as a key obstacle in enhancing security in the organization. The lack of leadership to set a clear direction for the overall information security strategy, along with insufficient capital and operating expenditures, represent the major areas of concern for organizations today. The lack of board-level involvement in key areas of security, such as budgeting and active participation in reviewing current security and privacy risks, indicates that organizations have not elevated information security to a board-level issue.

Lack of focus on the ‘human parameter’: The weakest link in the security chain is often the human resource, says the study, noting that the problem mostly lies in the way organizations engage with their employees and the communication program they employ to generate awareness. Over 50 percent of respondents believe the companies do not have any mechanisms for active discussion, coordination and communication of key information security issues. Further, only 54 percent have an employee security awareness training programme, down from last year’s 56 percent.

PwC researchers opine that cyber-security in India can be strengthened by creating a model wherein the government, the organization and the individual work in tandem to secure information and information assets in a concerted, unified manner. This approach requires enhanced collaboration and communication of security posture among individuals, executives and industry organizations, as well as potential future improvements in legal exposure and assistance in regulatory compliance, says the report.