Almost half of all employees have been working from home since the pandemic began, according to a recent Gallup survey. Unquestionably, that makes the job of protecting the organization’s data, networks and apps even more challenging. With the lines blurring between work and leisure and employees using company-issued devices and resources for personal use—such as social media, online shopping and even telehealth—the intensity of cyberattacks continues to increase. A personal cyberattack on an employee can create a huge burden for the organization, calling into question the credibility of not only the employee but also the organization as a whole.
While studies have proved time and again that educating employees on cybersecurity is the key to proactive security practices, a recent survey by Sophos shows that 82% of Indian organizations are struggling to educate their employees on cybersecurity, with 90% of data breaches occurring due to employees’ lack of awareness on the subject.
Amit Singh, General Manager – Security Business Unit at TechnoBind, says, “Cybersecurity, though very critical, is a relatively under-focused subject for Indian companies for a very long time, be it at the employee or at the leadership level. It has gained much attention in the last few years where businesses are not confined to a given territory or region but are part of the whole connected world. While the Internet presents a wonderful opportunity to Indian companies to compete at the global level, it does bring a huge responsibility to safeguard their organization and customers from cyber threats.”
Singh believes that, in order to have effective cybersecurity education in an organization, it’s important to carefully choose the topics that are most relevant at the employee level. The education must become a mandatory part of the standard induction program. There should be periodic, repeated training on a consistent basis, as the cyber threat landscape changes very quickly and refresher training is required to keep employees updated on the latest in the field.
Cyber hygiene involves three basic principles: using products and tools that fit your hygiene needs, performing these hygienic tasks correctly and establishing a routine. Cyber hygiene is about training the employees of your organization to think proactively about their cybersecurity, reducing cyber threats and online security issues.
“And finally, to bring a sense of accountability, they should also be introduced and educated on a process of reporting any red flags or anything that appears to be suspicious of a cyber-threat,” he said.
For CXOs, training on the assessment of the organization’s overall cybersecurity and an introduction to the ramifications and legal obligations following a cyberattack is highly recommended.
“Leaders’ ongoing training should also include a world view about the latest security trends, specific security compliance requirements and the organization’s posture or readiness towards it as well as ways to remove or mitigate gaps and build overall cyber resilience,” Singh recommended.
A number of organizations already use biometric logins, manage IoT security, use multi-factor authentication, include password management, set up stringent security policies and grant access based on privileges only to users who are eligible. But the Sophos survey said that, despite using advanced technologies, over 82% of businesses have failed to provide the right cybersecurity education to their employees; as a result, when cybersecurity fails, people are at a complete loss.
“By helping employees to learn about cybersecurity protocols, organizations end up benefiting from it. That’s because with the right cybersecurity knowledge employee awareness increases and with that, there will be fewer breaches. This development leads to an increase in trust by customers and vendors who access the organization’s website,” said Gurpreet Singh, Managing Director at Arrow PC (Dell Technologies – Titanium Partner).
According to Singh, “Cybersecurity risks and breaches not only compromise the integrity of the organization but are also an invitation to lawsuits and increased cost in terms of overhauling the process, which also leads to the operations coming to a halt. To avoid all this, regular updation of cybersecurity policies and training of employees would be the safe and the right option.”
“The real problem is often not the cyberattacks themselves, but mostly the general laidback attitude of people towards cyber hygiene. We often see smart, educated people sending forwarded messages that carry spoofy links of misleading contests and dubious prize-winning sites. I cannot help feeling worried that if learned people can come into the lure of fake online discount offers, then wonder how most people must be falling victim to these traps every day,” Vikas Bhonsle, CEO at Crayon Software Experts India, said.
Since new technologies alter the way companies operate, employees should adjust to the changes accordingly. They need to learn new methods and approaches at every stage of the digital transformation, adapt to new software and develop new skills. PwC has recently announced that it would invest $3 billion into job training for its 275,000 employees around the world, future-proofing its workforce against emerging digital needs. A recent report by IDC states that companies that utilize educational platforms for their staff may see a 746% return on investment over three years.
Instilling strong IT hygiene practices in employees and internal stakeholders is the only answer and this requires a collaborative effort from across departments. “The HR department and the CIO or CISO can collaborate to create an internal cyber education campaign for employees. But apart from enthusiastic training programs, they must also run cyber tests and audits on their employees,” he mentioned.
Thinking about cybersecurity early is mandatory for any innovation-focused company. Insufficient security could result in enormous losses as research shows that one in three employees are vulnerable to cyberattacks without systemic education. Yet at the same time, cybersecurity training can dramatically increase resilience among employees. In that respect, a proper approach to security training will ensure resilience, competitiveness and secure digital development for years to come.