Strengthening cyber resilience: strategies for today’s digital landscape
In the first episode of our ‘Cybersecurity Awareness Month’ podcast series, Pradeep Eledath, Partner, Technology Consulting, EY India talks about the critical importance of cyber resilience in today's digital landscape. As cyber threats grow increasingly sophisticated, organizations must focus not only on their cyber defense but also on their ability to withstand, respond to, and recover from attacks. Pradeep shares actionable insights on building a resilient cybersecurity strategy, the impact of remote work, emerging technologies, and the role of employee awareness in safeguarding against evolving cyber risks.
Businesses should focus on anticipating, withstanding, and recovering from cyberattacks to maintain business continuity amidst growing cyberthreats.
Leverage AI, machine learning, and zero trust architecture to enhance cybersecurity and mitigate risks in complex digital environments.
Effective employee training across all levels is also crucial to prevent cyber incidents and strengthen organizational security against targeted attacks.
Cyber resilience is more than recovery; it is ensuring your operations continue seamlessly, even amidst a cyberattack.
Pradeep Eledath
Partner, Technology Consulting, EY India
Pallavi: Welcome to the new season of Cybersecurity Awareness Month podcast series, an integral part of EY India Insights podcast suite. I am your host, Pallavi, and today we are diving into a critical topic of cyber resilience.
It is my pleasure to introduce our guest for today, Pradeep Eledath, Partner, Technology Consulting, EY India. Pradeep is a seasoned professional with profound understanding of cybersecurity landscape. His domain knowledge is instrumental in helping organizations navigate through the complexities of cyber threats and bolster their defenses to withstand and recover from cyber incidents.
In this episode, we will explore the strategies and practices that underpin cyber resilience, an increasingly important aspect of cybersecurity in our interconnected world.
Pradeep, welcome to the show, and thank you for joining us.
Pradeep: Thank you, Pallavi. It is great to be here and look forward to speaking with you and the audience.
Pallavi: Thank you, Pradeep. For our listeners who may be very new to the concept, could you define what cyber resilience means in today's digital environment?
Pradeep: Broadly, if we define cyber resilience, it is the capability to deliver an intended outcome. This could involve delivering products or services to your customers. The whole concept of cyber resilience is the ability to continue delivering these outcomes, products and services, despite any adverse cyberattacks or large-scale cyber incidents.
Holistically, cyber resilience is a combination of cybersecurity, business continuity and operational resilience. That is one part of the story. The other part is that there tends to be a confusion between cybersecurity and cyber resilience per se. In a broad sense, cyber resilience encompasses cyber security. But when you look at cyber security in a narrow sense, it is identifying the gaps in your infrastructure and your application layer, putting protection mechanisms in place, having a detection mechanism to detect any intrusions or anything which is not related to your business.
Taking the story a little further, cyber resilience involves anticipating threats by viewing the situation from the point of view of an attacker rather than a defender. Ask yourself: what would an attacker do? First, he would examine your attack surface, observing you from the internet. How does his attack surface look? Using that viewpoint, how do you anticipate an attack and the ability to withstand it?
Anticipating threats means assessing your attack surface, identifying open vulnerabilities and putting strategies in place to protect it, as well as restore data. Also, you should have the ability to withstand an attack, which is the second principle of cyber resilience. So, cybersecurity might put controls in place. It is not about what controls you put in place, but how strong your controls are to withstand an attack.
The third principle focuses on how you respond to an attack. While the attack is ongoing, how do you respond to it? Do you have incident management plans in place? Are your teams prepared? Is there a communication plan, and do you have an effective mitigation strategy?
The fourth principle is recovering from the attack, which connects back to the previous principle of continuously delivering the intended outcome. When you recover, you should be able to resume delivering the services you provided before the attack. Finally, the last principle is learning from the experience. If you do not learn from it, you will not be able to effectively mitigate future attacks.
Basically, you should have the agility and the strength to withstand an attack and quickly bounce back to normal operations. If possible, continue normal operations during an attack. That is the essence of cyber resilience.
Pallavi: Thank you, Pradeep for setting the context of cyber resilience and also sharing the core principles. Could you tell us how the shift to remote work and increased digitalization affected companies’ approach to their cyber resilience strategies?
Pradeep: The shift to remote work post-Covid has posed both challenges and opportunities. While it has made work more flexible and productive, it has also introduced numerous digital layers within organizations. However, from the perspective of cyber resilience, we must consider the viewpoint of the attacker.
Let us say there is a company of one lakh people, of which 50% are working remotely. These employees could be working from their homes in the same city, from different cities within the country, or even from various countries around the globe. Additionally, they may be accessing company resources through different types of connections, whether broadband or mobile.
Then, there are different kinds of attacks and different kinds of surfaces from which an employee is trying to reach the enterprise resources. With such a vast attack surface, enterprises need to rethink how to protect these numerous points of vulnerability. Previously, there was only one attack surface to secure when everyone worked within the secure premises of the office.
So, to enhance security, organizations must implement measures like multi-factor authentication. While VPNs have traditionally been used, they are now essential for a larger group of users, and endpoint detection and response have become important.
Then there is protecting your data, which is now either being accessed from thousands of different locations or stored across multiple data centers, various clouds spread across the world, or SaaS applications situated in different places. Each access point brings in a different threat, making data protection a priority.
This leads us back to the topic of the cloud. Many enterprises are migrating to the cloud, although some are returning to on-premises solutions due to cost concerns. However, the flexibility offered by the cloud is attractive, and remote workforces find it convenient to operate from the cloud, whether using their own resources or company resources provided in the cloud.
Organizations also need very strong identity and access management. Cloud access security brokers can provide extensive data protection and visibility, especially in multi-cloud environments. With so many people sitting at multiple places, the single biggest way ransomware, which is one of the major cyber threats we are facing, enters a system is spear phishing.
This involves sending highly targeted phishing emails to individuals whom the hacker trusts, often based on social engineering studies of the target's current work context. Hackers typically target 10 to 15 people, relying on the trust established with a few key individuals. Such phishing attacks are causing significant problems.
When employees are scattered across different locations, it becomes challenging for someone to pick up the phone and verify information. While on a call, if they receive an email and click a malicious link, the damage is done—this is an emerging threat. Additionally, compliance regulations such as General Data Protection Regulation (GDPR) and India's upcoming Data Protection Act (DPDP) are creating challenges for businesses worldwide. The penalties for non-compliance can be substantial, with GDPR fines reaching millions of dollars.
Supply chain risks from a technology perspective are also critical. Vendors accessing our systems remotely can introduce additional vulnerabilities. While organizations focus on their employees, these external remote workforces can pose significant risks that require attention.
Finally, I want to address the business perspective regarding remote workforces. In the event of a large-scale ransomware attack, organizations heavily rely on technology. If the total recovery time ranges from 15 days to six months, how will employees manage to work manually while remote? These are pressing questions that must be answered as part of enabling a remote workforce.
Pallavi: Speaking of technologies, what role do you think the emerging technologies play in enhancing an organization's cyber resilience?
Pradeep: Let me touch upon three or four quick points on emerging technologies. Obviously, the darling of the day is artificial intelligence (AI), closely supported by its companion, machine learning (ML). Did you know that a driverless car can generate about four terabytes of data in just one hour? That's the volume of data we generate, reflecting the immense traffic coming at us. We need AI and ML to analyze this vast amount of data, identify patterns, and detect anomalies. For example, within those four terabytes, there might be a single thread of just 10 KB that represents a hacker trying to infiltrate the system. Essentially, proactive threat hunting and automated responses, along with effective detection and response mechanisms using AI and ML, are crucial.
Another important point we mentioned earlier is zero trust architecture. Zero trust means we do not automatically trust anyone, whether they are inside or outside the perimeter. Even after a single authentication, every level of access to the enterprise—where our crown jewel data is stored—requires validation. This approach aims to catch and stop hackers at each step before they can spread laterally through the network.
What this also does is reduce the attack surface for the attacker; he has to study more and work harder, thus reducing the chances of the hacker entering the network or, once he enters, containing him to certain areas.
The other thing we see is the proliferation of Internet of Things (IoT) devices. I am sure many of us are wearing smartwatches, using smart glasses, and interacting with numerous other devices, all of which are increasingly entering our homes. In manufacturing, IoT devices are present across the enterprise, whether they are attached to long-discarded devices or numerous other types. Securing these devices has become a nightmare because, as mentioned earlier, it’s music to the ears of attackers. Instead of having just one point of entry pre-COVID, they now have potentially 1 million points from which they can infiltrate an enterprise. And that is proving to be a challenge.
To address this, we need enhanced encryption, regular patching, and continuous monitoring. Endpoints have become critical; your laptop and desktop are now key issues in today’s cybersecurity landscape. If you look at the ones which have come in over the next year, they use a lot of AI and behavioral analysis to detect malware.
Eventually, ransomware, as we mentioned earlier, typically infiltrates through a phishing email or a spear phishing email. Someone has to click on it, allowing it to download onto their laptop. Therefore, the ability to quickly detect such threats at the edge level, rather than relying solely on central detection, is important. That's why technologies like HTR are really working.
Lastly, I would like to speak about GDPR and the Indian DPDP Act. There are privacy-enhancing technologies emerging today. For instance, if the marketing team wants to work with personal data but sends it to someone who is not authorized to use it, they are violating the law and could face penalties amounting to crores.
So, what do you do? There are technologies like homomorphic encryption that allow data to be encrypted while still enabling pattern recognition from that data. These are just a few of the technologies and emerging areas we need to focus on, especially in the realm of cyber resilience.
Pallavi: Could you also share some insights on the importance of employee training and awareness in building a cyber resilient culture within the organization?
Pradeep: We spoke about ransomware being a key threat within the whole cyber world. While other threats do remain, ransomware is really bringing in the dollars to the hackers. Nations are using ransomware to collect intelligence on what other nations or enterprises might do next.
People are stealing corporate research data. This includes medical data, pharma and health data. If you look at it from the point of view of an employee, who is the last link in this whole story, and if that link is weak, that is what the hacker is looking for. Enterprises have strengthened their perimeters and are aware that their employees are dispersed, meaning each individual can be a point of failure.
So, training is an important consideration, and the question becomes what kind of training we should provide. Do we need to provide a training overload? At what level do we provide this training? These are all key considerations.
For example, it is essential to set the right context about the importance of data when an employee enters an organization. Within data, there are various categories. For instance, Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPI) are completely different from regular data that does not contain personal information. With PII and SPI, you are subject to regulations, while with regular data, you may not be subject to any regulations at all.
However, even with data that is not regulated, you still cannot send it or manipulate it freely. Violating these protocols could lead to not only termination but also significant penalties and imprisonment. It is crucial to inform employees about what they can and cannot do, the proper use of resources and technologies, including the hardware (such as laptops and devices provided), and the importance of data.
Another important point, which is very critical from a training viewpoint, is: what is my responsibility as an employee in the company? How do I contribute? (a) I can inform when I see something going wrong around me; (b) I cannot be a party to something that is happening, despite it happening in my team; or (c) if I happen to be aware of something which could damage the reputation of the company or lead to data getting leaked, I should immediately report it to the right resources.
We need to provide the right training at the right level. This training should be segmented into categories for all staff, middle management, senior management, and the board. Each level requires a different approach to training.
For example, why should the board be interested in this? Cybersecurity and cyber resilience should be on the agenda for every board meeting. What you cannot protect, you cannot offer as a service to others.
When the board prioritizes cybersecurity and cyber resilience, leadership can allocate the appropriate resources at the right time to those responsible for maintaining cyber resilience within the organization.
Pallavi: Pivoting towards the future, what trends and challenges do you foresee in the realm of cyber resilience, and how should organizations prepare for such a change?
Pradeep: On the emerging technology side, the sophistication of cyber attacks has increased. Cybercriminals have become more advanced, and nations or states with unlimited funding are entering the fray for various reasons, whether financial or strategic. They are leveraging AI and machine learning to conduct these attacks. Organizations must adapt; they cannot simply state that they won’t use AI and ML because of the increasing ferocity of cyber attacks. If they do, they will be left behind. To counter these cyber attacks, organizations need equally advanced defensive technologies and strategies.
I like to keep talking about ransomware because that is the most credible threat. They (cybercriminals) are after your data; they know that without your data, you are nothing. And without the data, you cannot provide anything to the customer. And with such regulations coming in, if you lose the data, you are going to shut up shop in a few days. So, they are also growing in sophistication. They are not just encrypting your data and leaving it there. They are threatening to release sensitive data in public. I mean, that can become really messy with something like GDPR or DPDP with multiple penalties, which could again result in shutting up shop.
We spoke about supply chain vulnerabilities, which are another emerging threat. The SolarWinds attack is a prime example of a software supply chain attack involving their Orion platform. This platform is used for network infrastructure monitoring and management. A nation-state adversary exploited its vulnerabilities, allowing the threat actor to install malware on SolarWinds' customer networks. This attack impacted thousands of customers, with the Orion platform itself having around 33,000 customers, of which approximately 50% were supposedly affected.
There needs to be a very thorough assessment of vendors, and an understanding of supply chain risks as to who is connecting to your network and what the vulnerabilities are at their end. It is not enough for just me to be secure as an enterprise; anyone who is connecting to me must maintain an equal or higher level of security.
We discussed remote work, which poses another challenge. Organizations need secure connectivity, zero-trust models, and strict control over unauthorized software updates. Many organizations fail to prevent the installation of software. People are downloading AI applications to create presentations and similar tasks, but these shadow applications introduce multiple vulnerabilities. We need to detect, curtail, and remove them.
Many of these issues will ultimately lead to regulatory compliance challenges, and the penalties can be so severe that one or two incidents could literally shut down medium to small organizations. Therefore, it is crucial that we understand our risks, protect our data, and avoid penalties, all while maintaining customer trust—because once trust is lost, it will take years to regain.
Another area we previously discussed is IoT and Operational Technology (OT) security. The integration of IT, IoT, and OT devices is causing a significant security nightmare. While we are building security operation centers to monitor IT networks, there is also a need to develop similar platforms to monitor OT networks or possibly combine the two.
A very random threat which I can think of is the quantum computing threat. Current encryption methods may become obsolete as quantum computing advances. This threat is somewhat distant; encryption mechanisms like AES-128 are currently vulnerable to quantum attacks but have not been broken. AES-256, however, is further along in terms of security, though it is still knocking at our door. Therefore, I suggest organizations keep a close watch on trends and developments in this area to identify quantum-safe encryption algorithms, understand what it takes to migrate from current setups, and be cautious of any proprietary encryption methods that may pose challenges. All of these issues need to be considered.
Another point to address is the significant skill gap in the field of cyber resilience. While awareness of cybersecurity and cyber resilience is growing, the pace at which attacks evolve is not matched by the development of skills. Organizations are struggling to keep up with the speed of attackers, which is a critical area we need to work on.
Lastly, I want to touch on the current hot topic—deepfakes. Deepfakes combine deep learning and faked content, and you may have seen deepfakes of various international leaders. They spread disinformation, especially during campaigns or critical mergers and acquisitions, potentially causing immense reputational and financial damage, along with legal implications before anyone realizes it’s fake. Organizations must find ways to detect and respond to these new types of threats.
In summary, focus on training your people where skills are scarce. Take a proactive stance; more effort in cybersecurity is necessary. Stay vigilant, knowing you will face attacks. Keep your incident response updated and maintain a strong focus on resilience. Think resilience rather than recovery. Recovery is something which goes down and can be brought up. Resilience is something which you can keep running despite an attack.
Lastly, keep yourself, your teams, your policies and your frameworks updated so that it can percolate down to the on-ground implementation, which really means that you are abreast of what is happening around the world, especially from an attacker's viewpoint.
Pallavi: Pradeep, your insights have been invaluable in shedding light on the importance of cyber resilience. Your guidance will surely help our listeners fortify their defenses against the ever-evolving cyber threat landscape. Once again, thank you for joining us and sharing your invaluable insights.
Pradeep: Thanks, Pallavi. It has been a pleasure to join you and offer my perspective. Cyber resilience is a critical aspect of cybersecurity, and I am glad we could discuss it in detail today. Look forward to the next podcast and speaking to all of you. Thank you.
Pallavi: Thank you to all our listeners for joining us in this insightful conversation on cyber resilience. We hope you have gained a deeper understanding on how to protect and strengthen your organization against cyber threats. Be sure to stay tuned for our next episode as we continue to explore the most pressing cybersecurity topics. Until then, stay proactive, stay informed, and most importantly, stay resilient.