As per a survey by Sophos, 80% of Indian leadership and employees need correct cybersecurity education, as their organizations are struggling to educate them. What is the take of industry veterans?
Amit Singh, General Manager – Security Business Unit at TechnoBind
“Cybersecurity, though very critical, is a relatively focussed subject for Indian companies for a very long time, be it at the employee or at the leadership level. It has gained much attention in the last few years where businesses are not confined to a given territory or region but are part of the whole connected world. While the Internet presents a wonderful opportunity for Indian companies to compete at the global level, it does bring a huge responsibility to safeguard their organization and customers from cyber threats.
In order to have an effective cybersecurity education in an organization, it’s important to carefully choose the topics that are most relevant at the employee level. The education must become a mandatory part of the standard induction program. There should be periodic and repeat training on a consistent basis as the cyber threat landscape changes very quickly and refresher trainings are required to update on the latest in the field.
The basic training for an employee to spot and possibly prevent a breach should include topics like Phishing, Malware, Ransomware, and Social engineering.
The add-on training should also include best practices like keeping machines updated with the latest security patches, understanding the risks of installing unfinished/unapproved apps, the importance of password security and regulatory obligation, and policies around data protection.
And finally, to bring a sense of accountability, they should also be introduced and educated on a process of reporting any red flags or anything that appears to be suspicious of a cyber threat.
As for leaders, all the above along with training on the assessment of the organization’s overall cybersecurity and introduction to the ramifications and legal obligations post a cyber-attack is highly recommended.
Leaders’ ongoing training should also include a world view about the latest security trends, specific security compliance requirements and organization’s posture or readiness towards it as well as ways to remove or mitigate gaps and build overall cyber resilience.”
Gurpreet Singh, Managing Director at Arrow PC (Dell Technologies – Titanium Partner)
“Sophos’ survey on how unprepared the organizations are in terms of educating their employees on cybersecurity sheds light on where organizations and their employees stand. There are best and worst practices that employees should be made aware of. Implement biometric logins, manage IoT security, use multi-factor authentication, including password management, set up stringent security policies, and ensure access to users based on the privileges to only those who are eligible.
Sophos’ survey speaks on how 82% of businesses have failed to provide the right cybersecurity education to their employees. Ransomware, malware, and phishing are the major security threats organizations are facing. This is despite the fact that employees are always informed to be aware of these threats and how these threats manifest in their inboxes or browsers. The employees’ lack of awareness is what causes 90% of data breaches in companies, say studies.
By helping employees to learn about cybersecurity protocols, organizations end up benefiting from it. That’s because with the right cybersecurity knowledge, employee awareness increases and with that, there will be fewer breaches. This development leads to an increase in trust by customers and vendors who access the organization’s website. Cybersecurity risks and breaches not only compromise the integrity of the organization but are also an invitation to lawsuits and increased cost in terms of overhauling the process, which also leads to the operations coming to a halt. To avoid all this, regular updation of cybersecurity policies and training of employees would be the safe and the right option.”
Vikas Bhonsle, CEO at Crayon Software Experts India
“You must have heard stories of how a person received an email from a seemingly known contact asking for urgent payment to some account. And just before they took any requested action, they realized that the mail was not from the genuine source, or worse, perhaps they realized it very late. In the past year, these stories were shared a little more commonly.
The real problem in this scenario is not the cyberattacks themselves, but mostly the general laid-back attitude of people towards cyber hygiene. We often see smart, educated people sending forwarded messages that carry spoofy links of misleading contests and dubious prize-winning sites. I cannot help feeling worried that if learned people can come into the lure of fake online discount offers, then wonder how most people must be falling victim to these traps every day.
We often hear in internal discussions about instilling strong IT hygiene practices in employees and internal stakeholders. I would suggest that this be not just agendas in meetings but a more sincere and collaborative effort from across departments. The HR department and the CIO or CISO can collaborate to create an internal cyber education campaign for employees. But apart from enthusiastic training programs, they must also run cyber tests and audits on their employees.
In a phishing attack test, internal employees are sent mock phishing emails without their knowledge to check whether they fall for them and end up clicking the links. If they are careless or absent-minded, they may not only click these links but also register their data on unfamiliar websites to receive whatever the mail had promised them.
If the employees click on these links, it will reveal that they are still ignorant of cyber threats and cyber hygiene practices. Such cyber behavior can be a liability for the organization, as human error is one of the biggest loopholes to most cyberattacks, like ransomware. Hence, identifying the scale of the problem is the first step to solving the problem.”