‘Consumer-based Sectors, Energy Most Vulnerable to Cyber Threats’
Cos are not moving as fast as the problem & it’s not getting any better even if they are investing in cyber security
These are times when even the traditional havens of safety are not safe, as the Bangladesh central bank’s hack demonstrated recently. Breaches in not only high-profile government institutions but even leading corporates like Sony, JP Morgan Chase, eBay and Target demonstrate that companies need to be better prepared to battle the menace of increasingly sophisticated cyber-attacks. Ted DeZabala, Deloitte’s Global Cyber Risk Services leader, tells ET’s Sachin Dave and Vinod Mahanta how complete cyber security may just be a myth and many Indian companies may be ignoring the biggest threats at their own peril. Edited excerpts:
How do you see cyber threat preparedness of Indian companies? Many Indian multinationals have to focus on cyber security because they deal with a lot of sensitive data. Also, a lot of things have occurred in the banking industry and the Indian outsourcing industry. So these companies have been attending to this (cyber security) but they are not talking about it as they have been dealing with this for a long time. I am not saying they have solved the problem but they are as sophisticated as probably you would find companies in the US. When you talk about other multinationals and other industries I don’t think the Indian firms are any further behind than multinationals all over the world. The problem is the companies are not moving as fast as the problem and it’s not getting any better even if these companies are investing in cyber security.
Where do you stand on the Apple vs FBI stand-off? I don’t take a stand on it. There are a couple of things going on, the question is should a company that manufactures a product have responsibility for the content of what’s on the device. And who owns the device? It’s not a technical issue but more of a societal or an issue of law. Also, how much privacy one can expect to have and in the US there are legal outlines around this but this is a modern age. But the government didn’t have to deal with such a problem before where the technology is so strong that they actually can’t get the information they need. I won’t talk about the fact that everything is hackable. The question is should the government ask the company to open a backdoor to the technology for them.
Do you think transparency is required, especially when banks are hacked? In India the banks never disclose when they are breached. Do banks need to disclose whenever they are hacked so that the customers can make an informed choice about staying with a bank or moving on to a more secure alternative? You have to go back in history to see why the banks disclose what they disclose. It goes back to the privacy law in one of the states in the US. California passed a law where companies had to disclose breaches that affect personal identifiable information. And because California is a big state it impacted every single major institution. Then other states passed those requirements. So the only reason many US banks do this is because it’s a law, it’s a regulation.
My belief is that if they didn’t have to they wouldn’t. They wouldn’t share it in a way that would be useful to the government and others. The reason that there is so much attention on this is because there is a requirement to disclose which comes from the privacy laws. So even in the US only if the consumers are affected no one discloses it, unless the hackers themselves come out and do so. So even in the US the transparency is not because of the goodness in their (banks’) hearts, but because of the requirements. I am not an advocate of more regulations.
Do you see a threat to even central banks of emerging countries? The big multinational banks largely are attending to this problem with vigour and are putting in money, resources and people behind it because they understand the implications. But if you look at companies below the multinationals, the resources become prohibitive. We have seen that in some cases big banks share the intelligence with the smaller banks which they think can help the smaller banks. But nobody can force the big banks to do that.
Which sectors are most vulnerable to cyber-attacks? Consumer-based sectors that rely on payment systems become targets of threats. But other critical infrastructure areas like energy pose a big threat because it adds such an important dimension. If you look at electric facilities there is more vulnerability than we would like to see. It also depends on laws in countries about how much importance is assigned and how quickly those institutions deal with the threats. When you look at outside of that everything is vulnerable. Like the media company.
The problem is that they are so interconnected to everybody else. Airlines or automobile companies will face more threats as they become more connected online. They didn’t hear or care about threats. We see that the whole healthcare sector in the US is susceptible due to the sensitivity of the data.
Are boards becoming more aware about the potency of the cyber threat and also the extent of damage it can cause? What are some of the best practices being followed around the world? In the last 24 months we have seen a 1000% (Thousand) increase in boards asking us questions around cyber security. Starting with first and foremost someone coming and helping them really understand what is going on.