Businesses are waking up to the seriousness of cyber risk. The KPMG Cybercrime Survey 2017 reveals that 58 percent of organisations have cyber risk on the boardroom agenda, up from 41 percent in the 2015 study.
Cyber incidents are multiplying at an alarming pace and are becoming increasingly complex, causing multiple disruptions in businesses and economies.
With the number of attacks increasing, organisations are now beginning to understand the need for cyber intelligence, cyber resilience, and measures to decrease the impact from cyberattacks.
The KPMG Cybercrime survey report 2017 aims to provide a holistic perspective on cyber security and associated crime with a view on how organisations are gearing up against this threat.
According to the report, 79 percent of organisations in India rank cyber security among the top five business risks. It also highlights that 69 percent of organisations are of the opinion that ransomware is a significant business risk. About 43 percent indicated that they have experienced ransomware attacks in the previous year.
As per the survey, malware constitutes the biggest share of cyber attacks faced by organisations as 73 percent of organisations indicated it to be a menace.
The report highlighted a contrast with the organisations’ views: 73 percent of Law Enforcement Authorities (LEAs) indicated that ATM card theft was the cybercrime most commonly reported to the Cybercrime Investigation Cells, followed by phishing attacks (47 percent) and data theft (40 percent).
Multiple attack measures
More than 300 individuals, including CIOs, CISOs, CIAs, COOs and security professionals, participated in the study. The survey also saw wide participation from top law enforcement officers and end users from all over India.
Attackers are targeting multiple systems and technologies, using multiple attack measures. As per the survey, the top five attack vectors were email-based attacks, phishing/social engineering, malware/ransomware, web-based applications and vulnerabilities associated with the system.
When it comes to cybercrime, financial information continues to be a key attack area. Almost 20 percent of the organisations have indicated that financial losses, up to $500,000, have occurred on account of cybercrimes.
In addition to financial loss, the study indicates that organisations are exposed to espionage.
- 58 percent of organisations believe they may have been exposed to corporate espionage.
- 32 percent of organisations feel their CXOs may be vulnerable to cyber attacks.
- 61 percent of organisations feel they may be bugged and 36 percent of the organisations feel their corporate emails might be read by someone else.
Increase in cybercrime budget
Clearly, organisations are increasingly becoming aware of cyber risks and their repercussions. According to 51 percent of organisations, there has been an increase in cyber security/cyber incident response budget as compared to the previous year.
There is a steady increase in cybercrime incidents across industries, due to the dynamism of the threat environment and the ease of initiating cyber-attacks. The study shows that 32 percent of organisations indicate that the adoption of emerging technology like cloud, Blockchain, mobility and digital enablement is exposing organisations to newer cyber risks. About 27 percent of organisations attribute the incidents to a lack of security culture.
According to 46 percent of end users, lack of awareness is the main reason incidents are not reported by employees, while 34 percent said that they refrain from reporting cyber incidents for fear of penalties.
Of the surveyed organisations, 18 percent say they are prepared for a large-scale cyber-attack. With the constant rise in cybercrime and its impact, identifying key assets and protecting them is extremely important.
Preparation is key
Enterprises need a layered defence and a cyber-intelligence programme to combat big cyber-attacks. This can ensure quick recovery from the attack with minimal loss.
Preparedness for cyber-attacks extends beyond having the right leadership, budget, staff, framework and governance in place. One critical aspect of an effective cyber security strategy is a commitment to enhancing cyber awareness, education, and training across the organisation.
The report suggests that organisations today need to understand that cyber risks are not just IT or security risks – they are business risks and have the potential to slow down the business or shut it down entirely.