Careless, unaware employees top vulnerability for rising cyber risk exposure: EY

"Careless or unaware" employees have been rated as the biggest vulnerability for increased risk exposure of enterprises, followed by factors like outdated security controls and unauthorised access, according to a report by EY.

The EY Global Information Security Survey 2018-19 India edition found that about 32 per cent respondents attributed "careless or unaware employees" as the leading vulnerability with the most increased risk exposure over the past 12 months.

This was followed by factors like outdated security controls (21 per cent), unauthorised access (19 per cent), related to cloud computing use, smartphones/tablets and social media (8 per cent each) and related to Internet of Things (4 per cent).

Interestingly, 87 per cent of the organisations (surveyed) in the technology sector and 70 per cent in the telecom sector put careless employees as the most likely source of attack, with the fear of losing their most valuable information - personal identifiable information of customers.

The survey includes responses from 230 C-suite leaders from various organisations in India across sectors like consumer products and retail, government and public sector, banking, health, automotive, media and entertainment, power and real estate.

About 70 per cent of the organisations said they plan to increase their cybersecurity budgets next year, but only 19 per cent said they have sufficient budget to provide the levels of resilience required.

EY India Partner Burgess Cooper said while spending on cybersecurity depends on various factors including size of the organisation and scope of work, it ranges between 3.5-8.5 per cent of the annual tech budget.

National Cyber Security Coordinator in the PMO Gulshan Rai, who unveiled the report, said companies have enhanced their security spending by 15-20 per cent over the last year.

"With the rise in digital movement and subsequent exponential increase in data generation, there is a growing realisation that security is also about maintaining the continuity of business operations - and not restricted to only security of data and privacy," Cooper said.

The report said in India, 62 per cent of the boards are taking active steps to strengthen their cyber security understanding, but only 46 per cent of boards have a comprehensive understanding of information security to fully evaluate cyber risks and related preventive measures.

Citing multiple sources, the report said 6.95 lakh cyber attacks were identified in India between January-June 2018 and the country ranked third (after the US and China) as the most vulnerable nation in terms of risk of cyber threats in 2017.

The average cost of a data breach in 2017 was estimated to be about USD 1.7 million.

The report said while a large number of organisations consider cyber security as an integral part of their strategy and plans, skill shortage has emerged as a key challenge.