The Key Requirements of Effective Workforce Cybersecurity

​Cyber crime is rising in the current era of remote work, and both better technology and trained employees have a role in preventing it.

Cyber threats have risen by 25% or more since the beginning of the Covid-19 pandemic for more than two-thirds of companies in India, according to a recent poll by technology firm Cisco Systems. 

The pandemic-induced work-from-home environment has pushed companies to shift more functions online. That, in turn, has created new opportunities for hackers to target corporate information technology systems. Security experts say it's not enough to simply buy software programs that aim to block hackers; a lapse in employee behavior could also potentially let criminals in.

"At the end of the day, 70% of attacks are caused by human errors," said Vishak Raman, director of the security business for Cisco in India.

The most common types of cyber attacks in India are 'phishing,' in which hackers send deceptive emails, and 'smishing,' which involves sending a text message on a mobile phone. These messages ask the recipient to click on a link or download an application that is malicious.

In the pandemic, hackers have impersonated collaboration applications like Zoom and Microsoft Teams, and even the Indian government's Covid-19 contact tracing app Aarogya Setu, to try and steal personal information, according to India's cyber security agency.

"One identity theft of your database can give access to your entire corporate set-up," said Raman.

In recent months, hackers have crippled the IT systems of many organizations, and then ask for money to restore it. Such 'ransomware' attacks happened to 74% of 300 companies in India that were surveyed in the fall, according to a study released by cybersecurity firm CrowdStrike. Given the high risks, experts say it's imperative that companies beef up training for their employees on best practices for cyber behavior.

"You want your workforce to understand the basic nuances of what to click and what not to click," said Mrinal Rai, principal analyst at ISG, a technology research and advisory firm. At ISG, Rai said employees complete mock drills which involve, for instance, sending emails about the employee's pay slip, to see if it was clicked on or not.

For remote workers, another risk emanates from security loopholes in the home office. The wifi or internet connection might not be very secure, making it easier for malicious emails to get in.

Devices may also be a weak link. Many employees are now using personal computers, laptops or mobile phones to do their company work. In some cases, these devices are being shared by family members. If a partner or child clicks on a phishing link, or downloads malicious software, hackers could potentially access company information.

"How do you train your kids, because they are part of the extended network now?" said Raman. In addition to prevention training, employees should be prepared to respond quickly if something untoward happens. They should know "what do you do at home when you have a phishing attack on your computer?" said Raman.

Companies Underprepared in India

Though many companies in India have stepped up their cybersecurity investments this year, experts say they need to do much more. "Even the attack space is evolving," said Rai of ISG. This means that companies need to keep upgrading their systems continuously.

Historically, many employers in India allowed employees access to company systems only when they are in the office using a workplace computer and other company devices. Firewalls were put up around this on-premise network to protect corporate data, much like how walls and moats protect a castle.

However, to enable employees to work from home, more data is now being placed on applications on the cloud, employees are downloading corporate data on their home computer or mobile phones, and as outsourcing has increased, more data is going to external partners.

"Now that treasure has been taken out of the castle," said Abhijit Tannu, Mumbai-based chief technology officer of Seclore, a data-centric security provider. "All your walls and moats are of no use."

Instead of having one physical office, there are now hundreds, or thousands, or tens of thousands of offices, because each employee's home is an office. Protecting so many of these offices presents operational complexities. 

Companies that are serious about cybersecurity have turned to various security tools to protect identities, networks, devices, applications and data. For instance, many companies use "multi-factor authentication," which verifies the user of a network or application in multiple ways, such as through a password and a fingerprint. Geo-fencing can be used to capture the latitude and longitude of the person logging in.

Some companies go a step further and focus on securing their company data, so that even if their systems are hacked, the data is not usable by the hacker. "Make sure that your data is encrypted irrespective of where it goes," said Tannu. 

Hurdles to Beefing Up Cybersecurity

Cyber crime cuts across industries, with pharmaceutical companies and online grocery retailers among those that have reported attacks this year in India. In fact, a cyber attack on a gas distribution company in Delhi infected its invoicing system and it could not process payroll for several days, said Raman of Cisco.

Still, experts say that business heads often underestimate their need for cybersecurity. Seclore's Tannu said HR chiefs often tell them that they don't have anything critical to protect.

"What about your employee payroll information? Budgetary allocations? Appraisals?" said Tannu. "You don't want that kind of information to leak out," he said.

A resistance to change also holds back companies from investing in security systems. A new system, which may require additional authentication or a second password, would affect many employees.

"That is why a stronger determination is required from the top level" to drive these investments, said Tannu.

Lots of small and medium-sized businesses in India think they will not be targeted and don't make the investments in cybersecurity, said Rai.  "These guys are the most vulnerable," he said.

Like any digital transformation initiative, many companies thought they would upgrade their cybersecurity at some point in the future, said Rai. But the pandemic has shown that getting top-notch security can't be delayed and is no longer optional. "It has to be done."