Cyber Security is not Just about Technology, but also People and Processes

Tarun Bhatia, Managing Director, Kroll

For more than 45 years, Kroll has been the leading global provider of risk solutions, helping clients make confident risk management decisions about people, assets, operations and security through a wide range of services.

From an Indian perspective, where do you think the Cyber Security market stands and what are the factors contributing to its growth?
Fraud risk in India has clearly increased, especially during the last year, where the incidence of fraud has also moved up across categories. Moreover, another thing that stands out in the broader framework is that India now has the highest incidence of fraud across the most categories (3), while other countries have it in not more than one or two areas. India also ends up being one of the top three most affected countries across different risk categories, which clearly suggests that the incidence of fraud in India is at a critical level. If we look more specifically at Cyber Security, it must be noted that cyber security risk is increasing. However, what makes it even more concerning is that the number of cyber events that get reported within the country is a very small proportion of the actual number of cyber attacks out there. Kroll thus genuinely believes that there is still a large audience that is not aware of being attacked from a cyber point of view, and those that are under attack tend to sweep these issues under the rug as opposed to taking action. While we've personally dealt with SMEs who have been victims of identity theft and voucher frauds, what gets talked about more in the cyber community are the million-dollar frauds, or the bank heists that entail heavy losses. However, the incidence of a cyber attack, more so for a small or medium-sized company, can result in serious business continuity risks.
In my opinion, Cyber Security isn't just about technology, but also involves people and processes, along with the technology. Most of the cyber frauds that take place today proceed not in the absence of good technology, but because the people failed to implement the necessary processes along with the technology.
Simplistic processes such as ensuring a good password policy, basic KYCs during recruitments and resignations, disabling of emails, limiting access to external equipment like pen drives, etc., can go a long way in ensuring security within the organization. Furthermore, having frequent ongoing training for your team, not just for the people who deal with technology, but also for supply teams, procurement teams, and the HR, could be beneficial as information can be shared through any channel. It would be very naive to think that only the people with access to confidential information can breach the network; it could be anybody within the system. Secondly, it is important to look at investments around cyber security, as money spent should be treated as investment and not as an expense. So, from basic antivirus to anti-malware, I would say customer-centric businesses like banking, pharmaceutical and retail should invest in protecting their customer data and confidential information. You need to think of it as an investment and not a P&L item but a balance sheet item. When businesses are having a tough time, they usually cut on training and off-sites and so on. Similarly, in technology, they'll cut on the security aspect as they believe it can be managed later. Cyber-security can cause very severe business risks, and we've seen very large companies globally crumble owing to cyber security issues. Therefore, every company should put a good incident response in place in order to be alerted when a breach happens.

Future Possibilities in Cyber Security Space
As you embrace technology more and more, there's always a risk of security breaches. So, today with the increased penetration of the internet and now the emergence of AI, the more you use technology, the more you rely on a third party for storage, maintenance of data and information, the greater the risk is. So, the onus on companies to invest in cyber-security only goes up as they use more and more technology. You cannot only embrace technology to make your business easy, but you also need to look at what needs to be done to ensure how the information can be protected, as your business becomes more easy, convenient and efficient. Most organizations only focus on what helps the business grow and not what protects the business.

At the same time, as investigators, we also need to invest in technology, including AI, to provide our clients solutions and services to tackle the risks in the current environment. We are not receiving cyber security requests that are plain vanilla. The requests are much more complicated. There are people who want to develop very high-end applications to be used in sectors like defense and aerospace. We're talking about driverless cars. How will you also create systems which will ensure that nobody can penetrate into these applications? One of the biggest risks for a driverless car is what if somebody else takes control of your car. So, you need to do enough R&D on penetration testing.

The degree of error has to be one in a billion or even less, because you cannot have a system where people can break into it.