Training the workforce in basic cyber hygiene
While there was a significant amount of dependence on technology in the pre-COVID era, the extent of such reliance on tech has increased exponentially, both in the personal as well as professional spheres of life, as the world strives to stay connected in times that demand distancing. A global population of 7.5 billion people today is connected online, and the current global environment has increased the risk of cyber attacks on these individuals.
In his session at People Matters TechHR India 2020, Vineet Kumar, Founder & President, Cyber Peace Foundation, apprised the attendees of such cyber threats, discussed the vulnerabilities the workforce today is exposed to and helped organizations understand how to build better cyber defences to secure both company data and employees.
A relief, highlighted Vineet, is that in the face of surging cyber threats there is a parallel increase in investment in cybersecurity, with an increasing number of startups beginning work in this space. Global cyber spending is predicted to cross $1 Tn between 2017 and 2021. This is the right time to plan a startup or a venture in cybersecurity, he suggested, given the rise in investment in this space.
Read on for highlights from the discussion.
Vulnerable points of exposure
Between just 2019 and 2020, technology utilization has witnessed a significant surge. Here are numbers reflecting online activity over a time span of 60 seconds, in 2019 vs 2020:
- People tweeting: 87,500 vs 194,444
- Individuals scrolling through Instagram: 347,222 vs 694,444
- Messages sent over WhatsApp and Messenger: 41.6 million vs 59 million
- Netflix hours watched: 694,444 vs 764,000
- Google search queries: 3.38 million vs 4.1 million
- Apps downloaded: 390,030 vs 400,000
According to an IDC report, global spending on digital transformation is estimated at $2Tn, with AI, RPA and cloud computing expected to boost the number of available jobs, leading to that many more avenues for cyber threats. Statistics from the World Economic Forum reveal that cyber-attacks and data fraud have become the third biggest COVID-related business concern, ranked after global recession and a surge in corporate bankruptcies.
Post February 2020, the number of cyber-attacks has skyrocketed, with the average attack costing an organization US$350K to US$400K.
With the ongoing digital acceleration for both work and home, Vineet highlighted that there are several occasions that expose user data and company data, through user devices, to third parties seeking confidential personal information that could benefit them. One such occasion, or rather opportunity, used by hackers (or, as he calls them, black hat hackers) is social engineering. Vineet describes social engineering attacks as the most common form of cyber attack, where employees are enticed with certain links or messages and are exposed to phishing attacks and other forms of cyber threats. These tactics often leverage employee interests and emotions such as greed, desire, ego and fear to get employees to click on unauthorized and misleading links.
When a company as big and established as Twitter isn’t secure enough from hackers, Vineet exclaimed, one can only wonder how secure employees are, who may or may not be digitally proficient enough to navigate their way out of such scams. One such case he quoted was the WhatsApp Gold scam, through which hackers were able to tap into organizational networks once employees fell prey to the false claims of the scam.
Vineet points out that hacking is not just a threat to individual employees, but also to organizational data, where competitors might attempt to steal information. He also emphasizes that the size of the organization has no role to play in this regard: a smaller organization is as prone to cyber attacks as a large organization. Bringing to light how basic it is to hack into individual accounts on the basis of bare minimum information, he shared that all that is needed is identifying one bug to gain an access point. “If anybody is able to find a bug, that person can access your network easily.”
What cyber criminals look for
With the global workforce operating remotely across geographies, and exchanging a sizable amount of organizational data over unsecured networks, a lot is at stake. The nature of data exchange might vary, however here’s a sample of what cyber criminals often seek:
Cybercrime is estimated to already cost the world $6Tn annually.
In the last decade, there have been 300 data breaches involving the theft of 100,000 or more accounts. There has been an 80% increase in the number of people affected by health data breaches between 2017 and 2019. Additionally, attacks against the health sector have significantly increased post COVID, as per a report released by Interpol.
There are no two ways about how remote working is protecting the global workforce from a life threatening virus. Yet, it is giving the hacker community “the ease to access company’s private data due to employees’ weak network configuration or lack of cyber awareness,” stated Vineet. “If your phone is vulnerable, a hacker might be able to get access to your phone, and via your phone might be able to get access to the confidential company network.”
Caution on how to protect against and identify possible cyber attacks
Vineet shared a few signs to look out for that might indicate possible hacking. These signs include:
- New programs that were not installed appear
- The computer slows down
- Strange pop-up ads appear on the screen
- Loss of control of the mouse or keyboard
To safeguard and avoid potential exposure to access points for hackers, he recommends avoiding public wi-fi. If urgent, he recommended using a personal hotspot to encrypt the web connection.
Other measures he suggested were using VPNs (virtual private networks), a better alternative to accessing public wi-fi; keeping work data on work computers; and encrypting sensitive data in emails on your device.
Additionally, as a hygiene check, Vineet recommended following online safety practices such as using antivirus software, installing software updates, using unique passwords along with two-factor authentication for passwords, visiting only trusted websites and using only a trusted password manager.
Training the workforce in basic cyber hygiene
Amid concerns about business sustenance and solving the remote working vs return to work situation, organizations need to pay immediate attention to boosting their cyber defences.
Throwing light on the many vulnerabilities that leave employees and organizational data exposed to cyber attacks, Vineet emphasized that the need for cybersecurity stems from business, compliance and regulatory goals and, as per international norms and standards, flows from the top management down to the most elementary staff. Here’s how organizations can work towards it:
- Cyber awareness: Vineet urged organizations to conduct cyber security awareness training for staff right from top management to admin, and to educate the workforce on threat intelligence. “Security awareness is an area being heavily invested in by companies, big and small, across the globe.”
It is crucial to extend such training across career levels, right from boardrooms to the admin staff.
- Collaborating with IT teams on establishing organization-wide policies: password management, access, BYOD (bring your own device) policies, etc. BYOD policies must be adapted to equip staff with secure access points to interact on organizational networks through personal devices. Additionally, consider policy reviews from time to time, implement security policies and standards, and ensure efficient policy management within the organization, covering both creation and enforcement.
- Hiring: Hire exceptionally skilled and proficient data protection specialists and data protection officers. Strengthen the company’s data security intelligence by hiring individuals with the needed expertise.
- Increase in the amount of penalty for being non-compliant: To foster better legal and regulatory compliance, organizations must consider increasing the penalty amount for non-compliance with established security norms.
Recognizing the urgency of building adequate cyber defences to safeguard the organization and employees against potential threats is the need of the hour. The threat isn’t just to confidential data; the economic impact of cyberattacks on organizations can drain the funds saved so far, as they struggle to recover from the losses that cyberattacks can put them through. It’s time to shift the needle on cybersecurity and prioritize working towards building stronger cyber defences.