Cybersecurity breaches due to human error on the rise
In late July, an email prankster in the UK ‘convinced’ a White House official, one whose brief included cybersecurity, that he was Donald Trump’s son-in-law Jared Kushner; the official went so far as to share his personal email address with the trickster. Closer to home, a not-so-tech-savvy employee of the Union Bank of India had, a year earlier, clicked on an email attachment that unleashed malware on the bank’s servers and set in motion a transfer of $171 million out of the bank. Fortunately, the bank was able to recover the money.
Cybersecurity Ventures, a publisher of data on cybersecurity, estimates that by 2021, cybercrime will cost the world more than $6 trillion annually. Moreover, most of these cybercrimes will continue to be unwittingly aided by humans.
“Of all the vulnerabilities, human error is playing an even larger role in business security breaches today compared to two years ago, especially for companies in maturing economies,” says a 12-country survey conducted in 2016 by the Computing Technology Industry Association (CompTIA).
Experts concur with this view.
“We believe humans are the most important factor in the security strategy of a company and the weakest link as well,” says Ashish Thapar, managing principal of risk services, Asia Pacific, at Verizon Enterprise Solutions.
He adds that while firms often try to run awareness campaigns on cybersecurity for employees, it is important that they measure the awareness levels and avoid a “one-size-fits-all approach”.
Besides creating awareness and bridging the skill gaps, companies also need to bring about a “behavioural change”, according to Akhilesh Tuteja, global cybersecurity practice co-leader and partner at KPMG in India. People typically “do more of the same (campaigns), which is a bad idea. My belief is that in the enterprise environment, knowledge does not translate into action. It is not just the knowledge gap at the end-user level, but the behaviour gap among the users that needs to be addressed,” he says.
Tuteja draws an analogy between the behaviour of an end user in their personal life versus work life. “If you ask someone to share their ATM PIN (automated teller machine’s personal identification number), they wouldn’t do it, but they would more readily share the password to their system with a colleague,” he said. This is because of the concept of “beneficiary versus adversary”.
He explains, “When I’m operating my bank account, I’m the beneficiary as well as the adversary. But if I’m not in office and share my password with a colleague to operate my system, while I’m the beneficiary it is the enterprise that is the adversary because any loss resulting from lapsed security won’t be mine but that of the enterprise.”
In this context, experts say the role of the chief information security officer, or CISO, is becoming increasingly important. After all, securing data and networks against attack is the job of the CISO and the chief information officer (CIO). Jaspreet Singh, partner, cybersecurity, at EY India, believes “CISOs today should understand what the crown jewels of data are in their company, something they must protect at any cost.”
The problem is that while the cybersecurity risks are “pretty high”, the number of skilled cybersecurity professionals is “woefully low”, according to Nimitt Jhaveri, an IT architect and cybersecurity expert who runs BitScore CyberTech LLP. According to him, there are “hardly any CISOs” in the manufacturing sector even as “CISOs in other industries are likely to say they are under-staffed”.
The overall attitude to cybersecurity, he avers, “is reactive rather than proactive, which can prove to be costly”. Cybersecurity safeguards are important, especially in government sectors where initiatives such as Digital India and smart cities are likely to generate huge amounts of citizen and services data, Jhaveri adds.
The government, in its National Cyber Security Policy 2013, envisaged creating “a workforce of 500,000 professionals skilled in cybersecurity in the next five years through capacity building, skill development and training”. However, according to data available on CISOcybersecurity.com, India currently has only around 60,000 cybersecurity professionals, a shortfall that shows how wide the skill gap remains and how urgent closing it has become.
Experts say that in India, while certain bodies such as the Reserve Bank of India (RBI) have been active in mandating cybersecurity provisions and even in defining the role of the CISO, more needs to be done in segments outside banking, where such regulations do not apply.
Tuteja, for instance, suggests that companies should move away from “awareness” to “advocacy”. He advocates a three-pronged approach. First is the concept of “compartmentalization by using role-based access, for example—to contain the possibility of damage to the entire network”. The second approach is to use tools (user and entity behavior analytics, or UEBA, tools) that focus on the anomalous behaviour of people. The third strategy is to “make the awareness programmes simulation-driven, advocacy-led and focused on the adversarial outcomes”. For instance, he explained, many companies that do not charge people for bad behaviour have “even more bad behaviour”. One should have disincentives or penalties for, say, losing the company-provided access card, he said.
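To make the first two prongs concrete, here is an added illustration, not from the article and not the product of any firm quoted in it, of the kind of check a UEBA tool performs: it learns each user's normal working hours, source countries and resources from a baseline window of access logs, then scores later events against that baseline, and it combines the result with a role-based access map so that an account straying outside its compartment is flagged even when the behaviour looks otherwise routine. All users, roles, resources and log lines are constructed for the example.

```python
"""Toy UEBA-style anomaly scoring combined with role-based access containment.

Added example for illustration only; the users, roles, resources and log
lines below are constructed and do not describe any real bank or product.
"""
from collections import defaultdict
from datetime import datetime

# Role-based access map (hypothetical): which resources each role may touch.
ROLE_RESOURCES = {
    "teller": {"core-banking", "email"},
    "hr": {"hris", "email"},
    "admin": {"core-banking", "hris", "email", "swift-gateway"},
}
USER_ROLES = {"asha": "teller", "ravi": "hr"}  # constructed accounts

# Constructed log lines: <ISO timestamp> <user> <source country> <resource>
BASELINE_LOG = """\
2017-07-03T09:12:00 asha IN core-banking
2017-07-03T10:40:00 asha IN email
2017-07-04T09:05:00 asha IN core-banking
2017-07-04T14:20:00 asha IN email
2017-07-03T09:30:00 ravi IN hris
2017-07-04T11:00:00 ravi IN hris
2017-07-05T09:45:00 ravi IN email
"""

# Constructed events to score after the baseline has been learned.
NEW_EVENTS = """\
2017-07-10T09:15:00 asha IN core-banking
2017-07-10T02:30:00 asha RU swift-gateway
2017-07-10T10:00:00 ravi IN core-banking
"""


def parse(log):
    """Turn the whitespace-separated log text into (datetime, user, country, resource) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, country, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, country, resource))
    return events


def build_baseline(events):
    """Per-user profile of hours, source countries and resources seen in the baseline window."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "resources": set()})
    for ts, user, country, resource in events:
        base[user]["hours"].add(ts.hour)
        base[user]["countries"].add(country)
        base[user]["resources"].add(resource)
    return base


def hour_distance(a, b):
    """Circular distance between two hours of the day, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b)
    return min(d, 24 - d)


def rbac_allows(user, resource):
    """Compartmentalization: a user may only touch resources permitted to their role."""
    role = USER_ROLES.get(user)
    return role is not None and resource in ROLE_RESOURCES.get(role, set())


def score_event(baseline, event, hour_slack=2):
    """Return the list of reasons an event is anomalous; an empty list means it looks normal."""
    ts, user, country, resource = event
    reasons = []
    profile = baseline.get(user)
    if profile is None:
        reasons.append("no baseline for user")
    else:
        if all(hour_distance(ts.hour, h) > hour_slack for h in profile["hours"]):
            reasons.append(f"unusual hour {ts.hour:02d}")
        if country not in profile["countries"]:
            reasons.append(f"new source country {country}")
        if resource not in profile["resources"]:
            reasons.append(f"first access to {resource}")
    if not rbac_allows(user, resource):
        reasons.append(f"denied by role: {resource} not permitted for {USER_ROLES.get(user)}")
    return reasons


def review(baseline_log=BASELINE_LOG, new_log=NEW_EVENTS):
    """Learn the baseline, score the new events and return only those with findings."""
    baseline = build_baseline(parse(baseline_log))
    findings = {}
    for ev in parse(new_log):
        reasons = score_event(baseline, ev)
        if reasons:
            findings[(ev[0].isoformat(), ev[1], ev[3])] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in review().items():
        print(key, "->", "; ".join(reasons))
```

Run as a script it reports the 02:30 login from a new country to the SWIFT gateway by a teller account and the HR account's first touch of core banking, while the teller's routine morning session passes silently. The two layers complement each other: the behavioural score alone would still raise the HR event (a resource never seen before), but the role check is what turns a "this is unusual" signal into a containment decision, which is the point of Tuteja's first prong. A real UEBA deployment would replace the set-membership baseline with statistical or peer-group models, but the shape of the check is the same.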
Jhaveri believes that “cyber risk needs to be elevated to a business risk rather than just an IT (information technology) risk within operations”. EY India’s Singh advocates that the CISO or the CIO also take other departmental heads into confidence, since it is these executives “who can really pinpoint what data constitute the crown jewels” for their functions. A cross-functional team, he concludes, should be formed whenever there is a risk assessment exercise in the company.