Why it is important to recognise the importance of proactive cybersecurity

By Anil Lole, CISO, Fujitsu India 

In an age when cybercrime has become rampant, ransomware and hacks grab the news headlines every day. The stakes for companies are even higher in today’s threat-laden environment. A recent survey report by Palo Alto Networks shows that 67% of Indian government and essential services witnessed a more than 50% increase in disruptive cyberattacks in the period of 2022 and 2023.

According to the survey, 75% of Indian organisations increased their cybersecurity budgets in 2023 compared to 2022. Many Indian organisations have started investing more in cybersecurity, and it has become a boardroom discussion.

Over the past few years, we have seen a stark rise in cyberattacks, with even mature organisations falling victim to them. For instance, one of America’s largest nursing home operators was pushed into bankruptcy after cyberattacks in October 2023 compounded its ongoing financial challenges. The attacks led to the loss of key business records, hindering its billing protocols and interactions with insurers and customers. Ironically, October is also commemorated globally as the National Cyber Security Awareness Month, which seeks to boost cybersecurity awareness among the masses.

As this incident indicates, the consequences of cybersecurity breaches can be incalculable. Besides major operational disruptions and financial chaos, some companies are pushed over the brink of bankruptcy.  

Consequences of overlooking cybersecurity measures 

Similarly, hundreds of companies have paid a heavy price for ignoring the importance of cybersecurity awareness among employees and other stakeholders. An array of cybersecurity threats looms large over organisations with spoofing, spear phishing and other cyberattacks. 

These events emphasise that enhanced cybersecurity protocols are indispensable, and the risks are especially high for leaders and executives with access to sensitive information – be it classified data, financial reports, pricing strategies, administrative control or more. 

Privileged access as company custodians makes executives prime targets of cyber crooks who wish to exploit the valuable information of corporate networks. This threat extends much beyond mere data access and includes the intrinsic authority vested in these executives. For example, any requests from leaders are undertaken without questions being asked, particularly by people who are relatively new in the company or hold entry-level roles. This inflates the overall impact of the compromised accounts. The combination of access and authority reinforces the need for raising cybersecurity awareness across all employee levels to counter cybersecurity threats. 

Since executives’ digital footprints are easily available through social media and public records, these can be weaponised via complex social engineering campaigns. Take the simple ‘fake boss’ email scams, in which new employees are duped into buying gift cards by cyber crooks who impersonate their CEOs. According to the Anti-Phishing Working Group, more than 241,324 unique phishing attacks have cost enterprises globally around $1.8 billion each year.

As technology has advanced, cybercrime methods have transitioned from straightforward phishing emails to sophisticated hacking tactics. Cyber crooks now exploit weaknesses in networks, software, and human habits to gain unauthorised access to classified information or disrupt services. The emergence of artificial intelligence has also made it more difficult to differentiate between legitimate and fake emails. Worse, inadequate cybersecurity training of executives has left them extremely vulnerable to deceptive cyberattacks. Typically, executives are perceived to be tech-savvy because of the number of digital devices and tools they handle, but they generally overlook security measures.

Nonetheless, technological advancements are acting as a double-edged sword. Although cyber criminals are exploiting loopholes to use AI and cheat people, cyber experts are leveraging the same tools to increase cybersecurity capabilities. AI and ML (machine learning) algorithms analyse massive amounts of data to pinpoint and counter cyberattacks in real-time. Sensitive information is being secured by using blockchain, which provides a tamper-proof, decentralised way to safeguard transactions. In this way, companies are staying a step ahead of cyber crooks and protecting their digital assets. 

Safeguarding the human element

However, even the best digital security mechanisms won’t work if people lack adequate awareness of cybersecurity in daily situations, personally and professionally. Absolute knowledge of the inherent threats is required when checking email, browsing the web and interacting with others online, all of which are aspects of cybersecurity awareness. Company executives across various levels should consider it a common responsibility to avert any cyberattack via their systems.

Additionally, companies must periodically hold cybersecurity awareness campaigns and workshops to educate employees on cybersecurity issues/threats. Cybersecurity awareness efforts must be treated as a perennial programme since cyber crooks are continuously discovering new means to surmount the latest defensive tools and tactics, ensuring their malicious mail and software can break through firewalls and other network security. 

With more than 90% of malware being delivered through email, most data breaches succeed because of human error. Almost always, the email attacks entail some form of phishing that tricks victims into disclosing sensitive information, including their passwords or credit card details. Sometimes people are offered free gifts, while in other cases they may even be told to change their passwords with a warning that these have been compromised. Although email spam filters will segregate most of these emails, some may still get through into the inbox.

Once employees are aware of the evolving tricks of fraudsters, cybersecurity practices should be employed proactively in all personal and professional work. By constantly staying up to date with the changing tricks of fraudsters, a cybersecurity culture gets ingrained within the collective consciousness of a firm. Gradually, the cybersecurity culture permeates all aspects of their thought and behaviour. This can then be reinforced through regular cybersecurity training sessions. The current cybersecurity tips and threats can also be communicated via a monthly email that highlights the latest learning and happenings so that individual cybersecurity measures become second nature.

If the human element is recognised as the weakest link in the cybersecurity chain, it is easier to prevent phishing, spear phishing and other social engineering attacks that only succeed due to human error. A proactive, preventive approach can save organisations tremendous resources that would otherwise be lost in rebuilding damaged reputations or recovering lost assets. As a result, awareness and accountability coupled with cybersecurity training is the best way for firms to limit their risk exposure and prevent devastating losses that keep occurring in the digital age.
