As digital transformation continues to reshape the business landscape, the conversation around cybersecurity has never been more pertinent. In an exclusive interview with ETCISO, Sundareshwar Krishnamurthy, Partner and Leader – Cybersecurity at PwC India, sheds light on the fast-evolving cybersecurity threat landscape, emphasizing the critical importance of staying ahead of emerging threats in an increasingly digital world.

All around us, digital transformation continues to accelerate. What are your views on the fast-evolving threat landscape?

The accelerated pace of digital transformation has brought cybersecurity to the center stage of business. It has also expanded the threat landscape for organizations and consumers alike.

Some of the key trends which are currently dominating the threat landscape are:

• Generative AI (GenAI) for cyber defence and offence: While GenAI is useful for enhancing cyber defence capabilities such as detecting and mitigating threats, it can also be weaponised by malicious actors to launch sophisticated cyberattacks.
• Geopolitical shifts and cyber warfare: Geopolitical conflicts have spilled over to the cyberspace with actors launching cyberattacks for espionage, sabotage and influence.

• Data protection and compliance: The increasing volume and value of data, coupled with the growing awareness and expectations of consumers and regulators have made data protection and privacy a top priority for businesses.However, these threats do come with opportunities and forward-looking organisations have leveraged these developments to harness the prospects they bring.

What are the various emerging threat vectors? What are the top three cyber threats in 2024?

The top three cyber threats this year are:

Identity compromise: Adversaries are increasingly becoming personal in their attacks and most of the attacks today are focused on individuals and their data.

Ransomware: Ransomwares supported by artificial intelligence (AI) and machine learning (ML) will become more powerful and can be a significant cyber threat.

Supply chain compromise: Digitalization is transforming the world into a more connected ecosystem. Therefore, organizations in a digital world can no longer rely only on securing themselves as every weak link in the supply chain will also impact their business.

The leading threat vectors in 2024 will be:

Mobile and other bring your own devices (BYOD): After the COVID-19 pandemic, organizations have increasingly become perimeter-less with remote or hybrid working becoming the norm. However, according to PwC’s Global Digital Trust Insights 2023 report, less than 40% organizations have been able to address the risks originating from remote and hybrid working since 2020. While BYOD initiatives offer greater freedom, agility and flexibility of working, they pose a major security threat. Organizations have limited to no control over these devices and have restricted visibility on the usage, apps installed, etc. which prevents them from monitoring the digital risks the devices are exposed to.

Email-based social engineering attacks like phishing: This will continue to be one of the leading threat vectors in the coming months. However, the sophistication of the attacks will see an exponential change with GenAI.

Cloud services: As more businesses adapt the cloud journey; it will become one of the leading threat-vectors this year. Misconfigurations and insecure design will allow attackers to exploit the weak areas in the system.

What challenges do enterprises face in ensuring a robust cybersecurity posture while thwarting cyber-attacks and data breaches?

Organizations are contending with external macro forces and internal business transformations as threat landscape is evolving at a rapid pace. As per PwC’s 2023 Global Risk Survey, cyber risks are one of the top threats for organisations, and 38% of respondents feel highly or extremely exposed to it. Compared to the 2022 survey, cybersecurity has moved from third to first position on the risk radar.

Some of the key challenges that businesses face today are:

Rapid digital transformation: As organizations embrace emerging technologies, they find themselves exposed to new digital vulnerabilities and cyber threats. While the appetite for investments in technology is on the rise, only 3% respondents of the PwC Global Digital Trusts Insights 2023 report were confident about mitigating the risks arising from the digital initiatives.

Regulatory compliance: With the introduction of new laws and standards such as the Digital Personal Data Protection Act 2023, and CERT-IN Guidelines 2022 the regulatory landscape for data security, privacy and cyber security in India is evolving rapidly. However, according to the PwC Global Digital Trusts Insights 2023, only 9% of the responders to are confident that they will be able to meet all the requirements of these regulatory norms effectively.

Legacy technologies: Legacy technologies impair an organization’s ability to be immune to the disruptions while adapting to new technologies and moving forward in their digital transformation journey. PwC Global Risk Survey highlights that more than 42% Indian organizations are facing increased security vulnerabilities resulting from legacy technologies.

What is your framework for improving cybersecurity discussions within an organization?

An effective cyber communication strategy is imperative for organizations. Cybersecurity is a collective organizational responsibility, and its ownership needs to be fostered across the organization and should not be limited to cybersecurity personnel. It is in fact important to steer conversations around cybersecurity with non-cybersecurity personnel within an organization to improve the overall security posture. An effective way to do this is through data-driven storytelling with a focus on the tangible benefits brought in by the actions undertaken by organizations to secure their cyberspace. De-jargonizing technical aspects of cybersecurity for non-technical audiences within an organization is critical to imbibe a cybersecurity culture within an organization.

In many organizations, budget for security is an afterthought. How can this trend be changed? How to ensure that security is prioritized?

Organizations need to change the trend of treating cybersecurity as an afterthought or a cost center, and, instead, recognize it as a strategic enabler and a value driver. Organizations can change this trend and prioritize cybersecurity by:

• Investing in cybersecurity capabilities and resources, based on a risk-based and outcome-oriented approach.
• Engaging the leadership including (board and CXOs) in cybersecurity decision-making and oversight, ensuring they are informed and involvement.
• Incorporating cybersecurity in the work culture and values and encourage a sense of ownership and accountability.
• Collaborating and exploring new solutions to address the emerging security challenges

Organizations who have adopted this strategy have been able to build a resilient cybersecurity ecosystem. As per PwC’s Digital Trust Insights Survey, 85% of the leading organizations who adopted these trends are performing well in terms of security maturity and will see an increase in the security budget allocation in 2024.

In the background of stringent data protection and privacy laws such as the Data Protection Law in India, how do organizations meet its various compliance and regulatory requirements?

In our survey ‘Readiness of India Inc. for the Digital Personal Data Protection Act 2023: PwC analysis’we observed that many most organizations in India have taken step towards enhancing data privacy, due to regulatory requirements and awareness around it.

Organizations are prioritizing the adoption of data privacy in the following ways:

Outsource: Considering the challenging requirements around withdrawal, access, correction, erasure, and grievance redressal, organizations are outsourcing their data privacy operations partially or completely.

Invest in technology: Organizations with significant personal data will need to invest in tools such as data discovery and prevention of data leakage along with data anonymization, encryption and pseudonymization.

Develop a compliance plan: Organizations will need to develop a clear actionable compliance plan in the light of the DPDP Act, 2023. The plan needs to be specific and measurable and should include a timeline for implementation.

What are some of the best practices towards building cyber resilience?

Disruptions are inevitable: Businesses must ensure that mature cyber processes exist across their environment to enable resilience. Organizations need to focus on the following key areas to build a cyber resilient organization:

Anticipate: Ensure preparedness to detect attempted compromises of mission critical services and prevent its impact on operations.

Withstand: Continue essential mission critical functions despite disruptions to ensure business continuity.

Recover: Activate response procedures to restore mission critical functions after any major disruption.

Evolve: Record and learn from previous disruptions for continual improvement of resilience processes and minimize future adverse impacts.

NOTE: This article is a part of ETCISO Brand Connect Initiative.