How Enterprises Can Combat Cyberisks and Deploy Advanced Technologies Besides nation-state attacks, entreprises are today facing a host of other cyberisks including global non-state cyber risks, breaches, repeat breaches, time to recover and cybersecurity regulatory changes.

From 2018 to 2022, a staggering 39 per cent of nation-state attacks have targeted the private sector, exposing organizations to all manner of threats, including espionage, digital lockdowns and damage to critical infrastructure, according to a State of Cybersecurity Report 2023. The report by Wipro also states that besides nation-state attacks, other cyber challenges that organizations face today include global non-state cyber risks, breaches, repeat breaches, time to recover and cybersecurity regulatory changes.

As a result of such cyber attacks and challenges, a whopping 75 per cent of organizations suffered on brand reputation. Others reported loss of customers, opportunity loss and regulatory fines. A case in point is the cybersecurity incident in 2021, involving Air India wherein data files from more than 4.5 million customers were leaked in a cyber attack. In a separate incident, personal data leaks of around 180 million users were stolen from Domino's India's database."

So, the big question is: what can be done to mitigate these risks? During a panel discussion on 'Deploying advanced technology to reduce current and future cyber risks', at the Tech and Innovation Summit in Bangalore, organized by Entrepreneur Media, and moderated by Priya Kapoor, Features Editor, Entrepreneur India, CISOs came together and shared their thoughts on the same.

According to Neehar Pathare, Tech CEO & CISO, 63 SATS, the solution lies in deploying technology. "We need to evolve with the times. If you don't, the threat is real. Everyone will be affected. We were running a lot of exchanges, and we were faced with millions of state-based attacks and we defended this with the best and latest technology."

Josey George, General Manager, Cybersecurity & Risk Services, Wipro Ltd says that mitigating the risks starts from identification. "In the enterprise context there are two types of companies. One is being hacked and one that will be. If you look at the essence of what should be done, it starts from identification of risk. And risk itself is evolving. If you look at attack surfaces in cyber security context, earlier it was IP based services. Today, AI itself has become a potential attack server. Nursing syringes that are used automated in a nursing station that has an IP address. Detection becomes equally important. You have to assume that at some point whatever infrastructure you are running with, will get breached and you have to limit the damage caused."

Modernizing cyber laws

There are several pieces of legislation that govern India's legal, regulatory and institutional framework for cybersecurity, promoting maintenance of security standards, defining cybercrimes and requiring incident reporting. But the pace of modernizing data protection laws is growing in both depth and scope. A number of countries including Argentina, India, Canada and the USA have proposed changes to their data protection regulations through tabled bills. The Indian government on August 11, 2023, passed its long-awaited Digital Personal Data Protection Act (DPDP).

Added George, "For a secure digital future, regulations are critical. Most of the regulations around the world are focused so much on how soon you will report to the regulator that you have been breached. We work with lots of customers who have a global footprint. So if you are operating in 50-60 different countries, the way the governments look at regulating their ecosystem from a cybersecurity viewpoint and risk is very very different. For some reasons dealing with regulatory compliance, the biggest challenge is how do I meet all of those broader requirements that seem to be conflicting in nature and yet do what is right for the organization. One should look at the principles behind the regulations first. That always is a good place to start. The underlying principles are meant for the greater good of the economy you operate in, the stakeholders including consumers.

Pathare says that regulators are catching up, and the privacy act is going to change how data is collected, stored but reporting a crime is still low. "Although we are an IT-based nation, we follow rules everywhere, but when it comes to us we become relaxed. We don't like to report for fear of a bad image. But regulation is gearing up and in the next few years it will be very stringent.

Investments in Cybersecurity

While across the globe, the cybersecurity budgets allocated in the IT budget ranges from 4-15 per cent, there are issues with the utilization of budgets, "There is an overload of tools available that people use across the board for securing the stack starting from networks and going upwards. In today's economy, the struggle that many security organizations are going through is a cost optimization drive so you have to deal with those measures as well."

According to Pathare, the budget for cybersecurity is going upwards now. "The management and board is ready to up the scale of the budget these days. My own budget for cybersecurity has gone up to 35 per cent. Security is an integral part. Anything that is digitally connected will be hacked and therefore the budget is increasing."