By 2020, 74% of the world’s businesses will be hacked, according to the World Economic Forum. That is why EY’s recently appointed Partner and Africa Cyber Leader Ritesh Guttoo believes it is high time for corporate organisations to be concerned with cyber security. He favours the setting up of a Chief Information Security Officer’s office, working jointly with IT and business, to implement effective cyber defences.
Cyber security has made it to the agenda of board meetings in leading organisations in Mauritius. Why is it gaining so much importance?
We are living the fourth industrial revolution. The rapid digitalisation of the global economy is leading to a dramatic increase in the number of cyber security incidents. The World Economic Forum estimated economic loss due to cybercrime to reach $3 trillion by 2020, with 74% of the world’s businesses expected to be hacked.
Mauritius is no different. The 2017 WannaCry attack affected 150 countries, including Mauritius. It’s not a matter of if, or when an organisation will be attacked. It has already happened. Organisations are failing to identify the attack on time and only learn about it when they get blackmailed or when the information is published online. Some don’t even know their information is being sold online until you tell them.
So, I think it’s high time for boards to be concerned about cyber security. Unfortunately, most of them don’t have a cyber representative at the table to make sure that they are taking the right approach. Having cyber security on the agenda is a good start.
There is a myth that IT is responsible for cyber security as organisations have the technological skills needed to tackle cyber issues. How do you see cyber security being handled?
This is unfortunately still very much the case in a lot of organisations. While most of them have realised that cyber security is a business topic which requires management attention, the implementation of a cyber security function outside of IT, i.e. in the second line of defence, has been hampered by a lack of skills available in the market and a lack of budget.
It is clear that organisations will have to build a Chief Information Security Officer’s (CISO) office working jointly with IT and the business to implement effective cyber defences.
Are increasing regulatory pressures contributing to a more effective cyber security function?
Definitely. We are seeing more strict regulations across the world, although these tend to be in the critical industries. What I like most in some of the recent regulations is that they are enabling information sharing across organisations. We need to share information to better prepare against the incoming threats. Don’t think that you can work alone to defend against large groups of cyber criminals or nation states. The government also has a role to play to defend against massive cyberattacks targeting key industries. In Mauritius, we are gradually improving but still need to see regulations that focus on defending against the threats of today and tomorrow.
So how is EY helping organisations to face the cyber criminals?
Cyber security is a global priority of EY and the firm is investing significantly to develop innovative ways of combatting cyber threats. In Mauritius, we have set up a Centre of Excellence (COE) for cyber security to service the Middle East, Africa & India regions, as well as the wider Europe. Over the last six months, we’ve had our consultants from Mauritius Cyber COE delivering work in New York, São Paulo, Perth, Dubai, Doha, Johannesburg and Cape Town just to name a few.
We are also innovating by having data scientists, programmers, and robotics specialists to work with our cyber team to develop solutions, with machine learning, for board and operational monitoring of cyber posture.
Are you able to recruit cyber specialists easily in the Mauritius market?
It is a challenge to find qualified and experienced cyber resources. There is a global scarcity of cyber skills and this is not an issue only in Mauritius. However, access to global learning platforms, experienced resources in the team providing coaching on the job, and EY sponsored certification programmes help us to build the consultants we are looking for. We recruit STEM (Science, Technology, Engineering and Mathematics) profiles who show passion in cyber and we provide them the work environment to help them prosper.
Our resources are already leading cyber engagements for major organisations across the world and this shows that our COE will only get stronger and bigger. We are in fact in the process of recruiting 20 more resources for cyber.
Would you say that it’s time for business leaders to act?
Cyber risks are evolving; any organisation that regards itself as safe from cyberattack is likely to be in for a shock. Don’t rush in investing in technologies as I see too many of these failing. Make sure that there is good cyber security hygiene and basic lines of defence, as well as a clear roadmap towards improving maturity before making major decisions.
Cyber security needs to be viewed as an enabling function rather than a block to innovation and change. This means that security needs to be implemented by design rather than a reaction to a threat or regulation.
As a last word of caution, although there seems to be emphasis on external attackers, don’t underestimate insider threats or accidents by employees. We are seeing an alarming increase in the number of successful breaches exploiting insiders through phishing and malware attacks. We are living in an age where organisations will be severely impacted or even disappear after major cyber breaches.
Key success factors for the digital transformations that most organisations are now going through are to focus on stopping low-value activities, increasing efficiency, and reinvesting the funds in emerging and innovative technologies to enhance existing protection.