These are times when even the traditional havens of safety are not safe, as the Bangladesh central bank’s hack demonstrated recently. Breaches in not only high-profile government institutions but even leading corporates like Sony, JP Morgan Chase, eBay and Target demonstrate that companies need to be better prepared to battle the menace of increasingly sophisticated cyber-attacks. Ted DeZabala, Deloitte’s Global Cyber Risk Services leader, tells ET’s Sachin Dave and Vinod Mahanta how complete cyber security may just be a myth and many Indian companies may be ignoring the biggest threats at their own peril. Edited excerpts:

How do you see cyber threat preparedness of Indian companies?

Many Indian multinationals have to focus on cyber security because they deal with a lot of sensitive data. Also, a lot of things have occurred in the banking industry and the Indian outsourcing industry. So these companies have been attending to this (cyber security) but they are not talking about it as they have been dealing with this for a long time. I am not saying they have solved the problem but they are as sophisticated as probably you would find companies in the US. When you talk about other multinationals and other industries I don’t think the Indian firms are any further behind than multinationals all over the world. The problem is the companies are not moving as fast as the problem and it’s not getting any better even if these companies are investing in cyber security.

Where do you stand on the Apple vs FBI stand-off?

I don’t take a stand on it. There are a couple of things going on, the question is should a company that manufactures a product have responsibility for the content of what’s on the device. And who owns the device? It’s not a technical issue but more of a societal or an issue of law. Also, how much privacy one can expect to have and in the US there are legal outlines around this but this is a modern age. But the government didn’t have to deal with such a problem before where the technology is so strong that they actually can’t get the information they need. I won’t talk about the fact that everything is hackable. The question is should the government ask the company to open a backdoor to the technology for them.

Do you think transparency is required especially when banks are hacked? In India the banks never disclose when they are breached. Do banks need to disclose whenever they are hacked so that the customers can make an informed choice about staying with a bank or moving on to a more secure alternative?

You have to go back in history to see why the banks disclose what they disclose. It goes back to the privacy law in one of the states in the US. California passed a law where companies had to disclose breaches that affect personal identifiable information. And because California is a big state it impacted every single major institution. Then other states passed those requirements. So the only reason many US banks do this is because it’s a law, it’s a regulation.

My belief is that if they didn't have to they wouldn't. They wouldn't share it in a way that would be useful to the government and others. The reason that there is so much attention on this is because there is a requirement to disclose which comes from the privacy laws. So even in the US only if the consumers are affected no one discloses it, unless the hackers themselves come out and do so. So even in the US the transparency is not because of the goodness in their (banks') hearts, but because of the requirements. I am not an advocate of more regulations.

Do you see a threat to even central banks of emerging countries?

The big multinational banks largely are attending to this problem with vigour and are putting in money, resources and people behind it because they understand the implications. But if you look at companies below the multinationals, the resources become prohibitive. We have seen that in some cases big banks share the intelligence with the smaller banks which they think can help the smaller banks. But nobody can force the big banks to do that.

Which sectors are most vulnerable to cyber-attacks?

Consumer-based sectors that rely on payment systems become targets of threats. But other critical infrastructure areas like energy pose a big threat because it adds such an important dimension. If you look at electric facilities there is more vulnerability than we would like to see. It also depends on laws in countries about how much importance is assigned and how quickly those institutions deal with the threats. When you look at outside of that everything is vulnerable. Like the media company.

The problem is that they are so interconnected to everybody else. Airlines or automobile companies will face more threats as they become more connected online. They didn’t hear or care about threats. We see that the whole healthcare sector in the US is susceptible due to the sensitivity of the data.

Are boards becoming more aware about the potency of the cyber threat and also the extent of damage it can cause? What are some of the best practices being followed around the world?

In the last 24 months we have seen a 1000% (Thousand) increase in boards asking us questions around cyber security. Starting with first and foremost someone coming and helping them really understand what is going on.

