94pc of cyber attacks are caused by lack of infosecurity awareness training. Is your organisation safe?
By Prasad Ajgaonkar
Do you know that a cyber attack takes place every 10 minutes in India? This rate is higher than that in 2016, when a cyber attack took place once every 12 minutes. A study conducted by Fortinet found that a whopping 94 percent of IT experts believe that information security (InfoSec) practices in Indian organisations are sorely inadequate and fail to protect them from cyber attacks in today’s world.
It is crucial to be aware that the exorbitantly high rate of cyber attacks in India is a human issue rather than an IT issue. This means that employees failing to follow InfoSec practices, rather than IT system failures, is the biggest contributor to cyber attacks.
Therefore, it is critical to ensure that all employees at an organisation are vigilant, fully aware of cyber-threats, and trained to follow InfoSec practices at all times.
Cyber attacks in the last three years
The Indian Computer Emergency Response Team (CERT-In) reported a total of 1,44,496 cyber attacks in India in the last three years. This comprised 44,679, 49,455 and 50,362 cyber attacks in 2014, 2015 and 2016 respectively, indicating that cyber attack rates are rising each year. Following are some recent instances of cyber attacks that largely affected individuals and organisations across India:
In May 2017, reports of the ransomware attack ‘Wannacry’ broke the news after businesses and individuals in India and across the globe were affected by it. Over 48,000 systems across various Indian organisations were targeted by Wannacry. Hackers locked computer systems and stole companies’ data, demanding ransoms of around $300-$600 in Bitcoin to release the data back to their rightful owners.
More recently, in early September 2017, “Locky” ransomware preyed on several companies’ systems in Delhi, including a large publishing house. The affected organisations reported that their computer systems and all their company data had been locked, with unknown hackers demanding high ransoms (Rs 2 lakhs and above) to release the data.
Locky ransomware was sent to employees via spam e-mails with vague subject lines such as 'please print', 'documents', 'images' and 'scans'.
In the above two cases, perhaps, a lot of grief could have been spared if employees had been vigilant and had practised InfoSec protocols, such as not opening e-mail attachments or clicking on links in e-mails received from unknown or fraudulent senders. These instances exemplify how human error and negligence are large contributors to cyber attacks.
Why is India facing such high rates of cyber attacks?
There are hundreds of cybercrimes reported per day in India, simply because InfoSec measures are not practised when individuals use social media, access e-mails and make online payments using mobile wallets or credit/debit cards. In the case of organisations as well, the awareness and practice of InfoSec measures are inadequate, resulting in high numbers of cyber attacks. Organisations are often targeted through ransomware when employees unknowingly open malicious e-mail attachments and links. This results in the exposure of the company’s and clients’ sensitive information, deletion of backups and financial losses.
Since demonetisation in November 2016 and the subsequent rapid increase in online transactions using mobile wallets and online credit/debit card payments, 35 complaints related to internet banking are received per day.
For instance, in August 2017, a retired revenue officer had Rs 1.83 lakh stolen from his credit card by fraudsters in a series of successive transactions within eight minutes.
Similarly, in May 2017, a businesswoman in Gurgaon received text messages from her bank informing her of five transactions that had been made using her credit card. In her case as well, it was too late and she lost Rs 40,000. There have been several other cases of internet banking fraud following demonetisation in November 2016.
Current trends in InfoSec awareness and training in Indian workplaces
A whopping 94 percent of IT experts in India believe that InfoSec practices in Indian organisations are insufficient and do not safeguard against cybercrime.
In 2016, despite cybercrime rates increasing by over 50 percent, regulators, governments and private sector organisations had not taken sufficient measures to counteract InfoSec threats. Boards of organisations continue to display obliviousness and treat cybersecurity as an IT problem rather than a human problem, when in fact the ‘human factor’ is the largest contributor to cyber attacks.
In other words, cyber attacks are most commonly caused when individuals fail to follow InfoSec practices, such as by opening e-mail attachments or links from unknown senders, sharing passwords with other employees and exposing their organisation’s and clients’ confidential and private data.
A PwC survey on InfoSec budgets in Indian organisations revealed eye-opening insights into InfoSec practices in Indian companies.
PwC’s survey results indicated that the highest reported impacts of cyber attacks in Indian organizations were the leaking of employee details (45 percent) and customer records (42 percent). Such exposure of client records and sensitive information tampers with the effective running of businesses, possibly making organisations legally liable.
PwC’s survey further indicated that 37 percent of employees across Indian organisations believe that board level management is a barrier to achieving adequate InfoSec practices. Employees reported that insufficient leadership, money and time are invested in training and educating their organisations to ensure that InfoSec measures are practised religiously, day in and day out.
These findings reveal that organisations in India lack cyber security management to train and educate employees in InfoSec practices, and InfoSec policy implementation is often overlooked and dismissed at the board level. Accordingly, employee training and awareness is the most crucial method of protecting organizations from cyber threats, as the weakest link in workplace InfoSec is the ‘human factor’.
Global trends in InfoSec workplace awareness and training
Ernst & Young conducted a global survey called ‘EY’s Global Information Security Survey’ across 67 countries to investigate InfoSec practices in workplaces. The results of this survey were as follows:
- 88 percent of respondents believe that their current InfoSec practices do not adequately meet their organisation’s needs.
- 45 percent of employees reported that they do not receive InfoSec training at work.
- 54 percent of organisations do not have a role or department in their Information Security function that focuses on emerging technology and its impact.
- 63 percent of respondents claimed that information threat and vulnerability management is a medium or low priority at their organisation.
When comparing statistics from India with those globally, we can see that India lags behind with regard to InfoSec training and practices in the workplace. These findings suggest that InfoSec training that results in behavioural changes in employees needs to be conducted at a much larger scale in India, as well as globally.
Online interactive training to create behavioral change
Given that the current lack of InfoSec awareness training leaves your organisation unprotected from cyber attacks, the implementation of a new training approach that effectively creates a behavioural change in employees is urgently required. Behavioural change training, an approach that aims to bring about desirable changes in employees’ behaviour by instructing, modelling and rehearsing the desired behaviour, is highly effective in ensuring that employees practise InfoSec measures.
How can we create behavioural changes in employees to ensure they practice InfoSec?
The mark of an effective InfoSec training programme is one that emphasises the importance of practising InfoSec, and presents InfoSec policies and practices to employees in a simple, yet interesting and interactive manner.
Story-telling and scenario-based training would be an excellent and highly effective way to ensure that employees consistently practise InfoSec measures. An effective InfoSec training programme has the following features:
- Educating employees through story-telling and interactive media - A training programme involving the use of digital media, animation and story-telling is highly engaging and interesting for employees in today’s digital age. Story-telling makes the entire activity a lot more interesting and thought provoking for employees. Stories and real-life scenarios will trigger employees’ imagination and increase the likelihood of InfoSec practices being absorbed and implemented by them.
- Continuous top-of-the-mind recall - InfoSec training simply must not end after a one-day programme or seminar. Employees need regular weekly or bi-weekly reminders and subtle nudges to ensure they never break the habit of practising InfoSec.
- Presenting InfoSec tips, trivia and reminders to employees through mobile phone apps would be highly effective in ensuring their continuous practice of InfoSec. An interactive mobile phone app with quality graphics and engaging content would be an ideal way to subtly nudge employees and ensure that they always recall and apply their InfoSec practices.
- Training through scenario-based assessments - After employees receive training on safeguarding against cyber attacks, an interactive assessment of the learned information using stories and scenarios would be highly effective in bringing about behavioural changes.
- Training through group discussions - Training that involves group discussions on potential InfoSec application scenarios also ensures that the information is retained in employees’ memories and consistently practised by them.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)