Consulting firms stepping up to build stronger cyber armour for businesses

Cyber threats, especially ransomware, have spiked in the past 12-18 months largely due to the highly digitised post-pandemic economy. Some experts have pegged the rise at 38% over pre-pandemic levels.

Ruchika Chitravanshi Panaji
Last Updated : Nov 14 2022 | 4:42 PM IST
An Indian logistics company recently found that 400 of its servers had stopped working. It did not take the firm long to realise it was the victim of a cyberattack, but a warning sent by email more than three weeks earlier had gone unnoticed. The hacker, claiming to have stolen all data and taken control of its systems, wanted a ransom of 25 Bitcoins (worth roughly $420,000). The company swung into damage control mode by engaging the best minds in forensic cybersecurity.

Despite isolating its systems, there was still some information that remained irretrievable. Finding itself in a corner, the company decided to pay up. After much hand-wringing and extensive coordination with foreign authorities tormented by the hack, the ransom was negotiated down to 4 Bitcoins.

Cyberthreats, especially ransomware, have gone up significantly in the past year and a half, primarily due to a digitised post-pandemic economy. Some industry experts have chronicled the rise at 38 per cent, compared with pre-pandemic levels.

“Cyberattacks have increased consistently in line with growth of Digital India,” says Murali Rao, partner, cybersecurity consulting leader, EY.

Hackers are becoming more sophisticated in identifying chinks in a company’s cyber armour. No surprise then that cybersecurity is worrying chief executive officers and has wormed its way into boardroom meetings.

“Earlier it was a technology (tech) risk. Now it is a business risk,” says Gaurav Shukla, leader-cyber, Deloitte.

Reported ransomware incidents and their severity have skyrocketed in recent years, with estimates of the global 2020 cyberattack losses at around $945 billion, according to a Swiss Re Institute study.

The Big Four are among advisors who are ramping up their cybersecurity divisions. They are also coming up with newer strategies to make companies cyber secure.

Becoming hack-proof 

There is no silver bullet.

EY has advised its clients to adopt a ‘zero or lean trust policy’ for a better ‘cyber hygiene’.

“E-commerce and digital enterprises should be wary of tech-tech and human-tech handshakes. The enforcement of ‘digital trust (zero/lean) principles’ enables trust in transactions,” says Rao.

With a sizeable workforce working remotely, there has been a sea change in the way access rights are granted and controlled.

“The onus is both on the consumer and the enterprise to establish trustworthiness,” adds Rao.

PwC has gone from being an advisor to implementing and managing cybersecurity operations of its clients.  

“Clients are no more interested in simply hearing what they should do. They want someone to do it for them,” says Sivarama Krishnan, partner, PwC.

Many cybersecurity experts now come armed with specific expertise in Android/iOS devices.

Deloitte is trying to build sector-specific specialisations in its cybersecurity team. It is trying to do a sector-wise ‘threat profiling’. The requirements of the energy and oil sectors will be very different from banking and finance or the tech sectors.

Companies are spending 60-70 per cent more on products and services related to cybersecurity, observe industry sources.

“Cybersecurity will no longer be painted with the same brush across organisations. Having industry and sector knowledge, along with cybersecurity expertise, is the way of the future,” said Shukla.

“We have been helping some of the largest clients in dealing with cyber risks. We have one of the largest teams in India with deep cybersecurity skills,” says Akhilesh Tuteja, Leader, global cybersecurity practice, KPMG.

Evolving cybercrimes and mounting challenges

From deep fakes and application program interface-related attacks to supply-chain ambushes, cybercrimes are more targeted today. Hackers find lacunae in a company’s process to not just attack, but also time it for maximum returns.

For instance, a company was recently targeted right before its initial public offering. Investigation revealed that its system was first attacked nearly three years ago.

“Hackers today choose the right time to exploit and seek ransom to maximise their winnings,” says Krishnan.

He said that with the right monitoring mechanism, even if it is compromised, a company will have the wherewithal to retrieve data faster without waiting for the hacker to make the first move.

Industry experts also say that ‘supply-chain attacks’ have become a nightmare for companies, where a second- or third-party’s system is hacked to target another company or end-user.

The internal threat has also emerged as a big challenge for companies — from employees who may be moonlighting to compromise sensitive information to a disgruntled employee or a mole in an organisation.  

“We are constantly developing new models aligned with the enterprise business objectives to manage and enhance vigil,” says Rao.

He adds that EY requires all senior partners to make regular disclosures on an annual basis, as transparency is de rigueur.

EY has fortified its cyber department by 40 per cent and Deloitte by 55 per cent. PwC is expecting to double its cybersecurity division next year.

Skilled manpower is still a big challenge. Most companies are opting for campus recruitment and training personnel hired in-house.

As the cyberwar ensues, consulting firms feel they can keep containing these attacks. But can they really?

“We are always trying to get inside the mind of the hacker. It is a constant mindgame,” said Shukla.
