According to a Sophos survey, 80% of Indian leaders and employees need proper cybersecurity education, as their organizations are struggling to provide it. What do industry veterans make of this?
General Manager – Security Business Unit
“Cybersecurity, though very critical, has been a relatively under-focused subject for Indian companies for a very long time, be it at the employee or at the leadership level. It has gained much attention in the last few years, as businesses are no longer confined to a given territory or region but are part of the whole connected world. While the Internet presents a wonderful opportunity for Indian companies to compete at the global level, it also brings a huge responsibility to safeguard their organization and customers from cyber threats.
In order to have effective cybersecurity education in an organization, it is important to carefully choose the topics that are most relevant at the employee level. The education must become a mandatory part of the standard induction program. There should be periodic, repeated training on a consistent basis, as the cyber threat landscape changes very quickly and refresher training is required to keep up with the latest in the field.
The basic training for an employee to spot and possibly prevent a breach should include topics like phishing, malware, ransomware and social engineering.
Add-on training should also include best practices like keeping machines updated with the latest security patches, understanding the risks of installing unfinished/unapproved apps, the importance of password security, and regulatory obligations and policies around data protection.
And finally, to bring a sense of accountability, they should also be introduced to and educated on a process for reporting any red flags or anything that appears suspicious of a cyber threat.
As for leaders, all of the above, along with training on assessing the organization’s overall cybersecurity and an introduction to the ramifications and legal obligations following a cyber-attack, is highly recommended.
Leaders’ ongoing training should also include a world view of the latest security trends, specific security compliance requirements and the organization’s posture or readiness towards them, as well as ways to remove or mitigate gaps and build overall cyber resilience.”
Gurpreet Singh, Managing Director at Arrow PC (Dell Technologies – Titanium Partner)
Sophos’ survey on how unprepared organizations are in terms of educating their employees on cybersecurity sheds light on where organizations and their employees stand. There are best and worst practices that employees should be made aware of: implement biometric logins, manage IoT security, use multi-factor authentication, include password management, set up stringent security policies and ensure access is granted to users based on privileges, only to those who are eligible. Sophos’ survey speaks of how 82% of businesses have failed to provide the right cybersecurity education to their employees.
Ransomware, malware and phishing are the major security threats organizations are facing. This is despite the fact that employees are always told to be aware of these threats and how they manifest in their inboxes or browsers. Employees’ lack of awareness is what causes 90% of data breaches in companies, studies say.
By helping employees learn about cybersecurity protocols, organizations end up benefiting from it. That is because with the right cybersecurity knowledge, employee awareness increases, and with that there will be fewer breaches. This development leads to an increase in trust from customers and vendors who access the organization’s website.
Cybersecurity risks and breaches not only compromise the integrity of the organization but are also an invitation to lawsuits and increased costs in terms of overhauling processes, which also leads to operations coming to a halt. To avoid all this, regular updating of cybersecurity policies and training of employees would be the safe and right option.
Vikas Bhonsle, CEO at Crayon Software Experts India
You must have heard stories of how a person received an email from a seemingly known contact asking for an urgent payment to some account. And just before they took the requested action, they realized that the mail was not from the genuine source, or worse, perhaps they realized it very late. In the past year, these stories have been shared a little more commonly.
The real problem in this scenario is not the cyberattack itself, but mostly the general laid-back attitude of people towards cyber hygiene. We often see smart, educated people forwarding messages that carry spoofed links to misleading contests and dubious prize-winning sites. I cannot help feeling worried that if learned people can fall for the lure of fake online discount offers, then I wonder how most people must be falling victim to these traps every day.
We often hear in internal discussions about instilling strong IT hygiene practices in employees and internal stakeholders. I would suggest that this not be just an agenda item in meetings but a more sincere and collaborative effort across departments. The HR department and the CIO or CISO can collaborate to create an internal cyber education campaign for employees. But apart from enthusiastic training programs, they must also run cyber tests and audits on their employees.
In a phishing attack test, internal employees are sent mock phishing mails without their knowledge to check whether they fall for them and end up clicking the links. If they are careless or absent-minded, they may not only click these links but also register their data on unfamiliar websites to receive whatever the mail promised them.
If employees click on these links, it reveals that they are still ignorant of cyber threats and cyber hygiene practices. Such cyber behavior can be a liability for the organization, as human error is one of the biggest loopholes in most cyberattacks, like ransomware. Hence, identifying the scale of the problem is the first step to solving it.
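The phishing test described in the comment above, as an added example that is not part of the original article and not code from any of the people or companies quoted: each recipient of the mock mail gets a unique, unguessable tracking link, the landing page's access log is walked to attribute clicks and form submissions back to recipients, and the campaign is summarised as a click rate and a submission rate. The campaign secret, landing host, log format and log lines are all constructed for the example. Note what the landing page must not do: it records that a form was submitted, never what was typed into it.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Hypothetical per-campaign secret and landing host (assumptions for this
# example). A real campaign generates the secret fresh and never commits it.
CAMPAIGN_SECRET = b"example-campaign-secret-do-not-reuse"
LANDING_HOST = "https://training.example.com"
CAMPAIGN_ID = "q1-urgent-invoice"
RECIPIENTS = ["alice", "bob", "carol", "dave"]


def make_token(secret: bytes, campaign_id: str, user_id: str) -> str:
    """Per-recipient tracking token: an HMAC over (campaign, user), so a
    recipient who sees their own link cannot guess a colleague's, and a token
    from one campaign is useless in another. 20 hex chars = 80 bits."""
    msg = f"{campaign_id}:{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


def build_tracking_url(campaign_id: str, user_id: str) -> str:
    """The link that goes into the mock phishing mail for this recipient."""
    return f"{LANDING_HOST}/c/{make_token(CAMPAIGN_SECRET, campaign_id, user_id)}"


def token_map(campaign_id: str, users: Iterable[str]) -> Dict[str, str]:
    """token -> user, used to attribute landing-page hits back to recipients."""
    return {make_token(CAMPAIGN_SECRET, campaign_id, u): u for u in users}


@dataclass
class Outcome:
    clicked: bool = False     # opened the tracking link
    submitted: bool = False   # went on to submit the fake login form


# Constructed access-log format for the landing page (assumption):
#   <iso-timestamp> <client-ip> "<METHOD> <path> HTTP/1.x" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>GET|POST) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})$'
)
CLICK_RE = re.compile(r"^/c/(?P<token>[0-9a-f]{20})$")
# The fake form POSTs back only the token. The password field is discarded
# server-side before anything is logged: a simulation must never store what
# the employee typed, only that they typed something.
SUBMIT_RE = re.compile(r"^/submit\?t=(?P<token>[0-9a-f]{20})$")


def attribute_events(log_lines: Iterable[str], tokens: Dict[str, str]) -> Tuple[Dict[str, Outcome], int]:
    """Walk the landing-page log and decide, per recipient, what they did.
    Returns (outcomes by user, number of hits carrying a token never issued).
    Repeat clicks count once; a submission implies a click even if the GET
    was not logged."""
    outcomes = {user: Outcome() for user in tokens.values()}
    unknown = 0
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unexpected format; leave for manual review
        path = m.group("path")
        hit = CLICK_RE.match(path) if m.group("method") == "GET" else SUBMIT_RE.match(path)
        if not hit:
            continue  # favicon, health checks, scanners on other paths
        user = tokens.get(hit.group("token"))
        if user is None:
            unknown += 1  # guessed token, or link forwarded outside the recipient list
            continue
        outcomes[user].clicked = True
        if m.group("method") == "POST":
            outcomes[user].submitted = True
    return outcomes, unknown


def campaign_report(outcomes: Dict[str, Outcome]) -> Dict[str, float]:
    """Campaign-level numbers: how many clicked, how many went on to submit."""
    n = len(outcomes)
    clicked = sum(o.clicked for o in outcomes.values())
    submitted = sum(o.submitted for o in outcomes.values())
    return {
        "recipients": n,
        "clicked": clicked,
        "submitted": submitted,
        "click_rate": clicked / n if n else 0.0,
        "submit_rate": submitted / n if n else 0.0,
    }


def sample_log() -> List[str]:
    """Constructed log lines for the example run (not real traffic)."""
    t = {u: make_token(CAMPAIGN_SECRET, CAMPAIGN_ID, u) for u in RECIPIENTS}
    return [
        f'2024-03-01T09:12:03Z 10.0.0.5 "GET /c/{t["alice"]} HTTP/1.1" 200',
        f'2024-03-01T09:12:41Z 10.0.0.5 "POST /submit?t={t["alice"]} HTTP/1.1" 302',
        f'2024-03-01T09:15:10Z 10.0.0.9 "GET /c/{t["bob"]} HTTP/1.1" 200',
        f'2024-03-01T09:15:12Z 10.0.0.9 "GET /c/{t["bob"]} HTTP/1.1" 200',  # repeat, counted once
        f'2024-03-01T09:20:00Z 10.0.0.7 "GET /c/{"0" * 20} HTTP/1.1" 404',  # token never issued
        f'2024-03-01T09:21:00Z 10.0.0.7 "GET /favicon.ico HTTP/1.1" 404',   # noise
        f'2024-03-01T09:22:00Z 10.0.0.9 "POST /submit?t={t["dave"]} HTTP/1.1" 302',  # GET not logged
    ]


if __name__ == "__main__":
    outcomes, unknown = attribute_events(sample_log(), token_map(CAMPAIGN_ID, RECIPIENTS))
    for user, o in outcomes.items():
        print(f"{user:6} clicked={o.clicked!s:5} submitted={o.submitted}")
    print(campaign_report(outcomes), "unknown-token hits:", unknown)
```

The per-user outcomes are what the comment calls "identifying the scale of the problem"; the unknown-token count is worth watching too, since a burst of unissued tokens means either someone is probing the landing page or a mail was forwarded beyond the campaign list.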