It has become clear that in order to make sure that your company is winning the battle against cybercrime, cybersecurity simply has to be an agenda topping issue.

This has served India well and has helped the country position itself as one of the worlds leaders when it comes to the adoption of the gigeconomy, which is something that will explode during this decade.

Key realization.

The article pointed out that because of the ever-changing nature of cyber threats, the government in India seems to have realised the dire need for cybersecurity initiatives, to come together under a National Cyber Security Policy, with a unified vision and a set of sustained and coordinated strategies for implementation.

In light of the burgeoning digital sector in India, ambitious plans for quick transformation and rapid growth, the role of IT infrastructure is critical. At the same time, it needs a secure computing environment and enough trust and confidence in digital banking transactions, software, services, devices and networks across the nation.

The article added that such a focus enables the creation of a suitable cybersecurity ecosystem in the country, in tune with a globally networked environment. The overall market for cybersecurity is expanding fastly in both India and across the world.

While India has been lagging behind other nations when it comes to cybersecurity and in fact had no cybersecurity policy before 2013, in the last few years much has changed, and the government’s plans are on a fast track to fostering cybersecurity.

The article pointed out that there are various ongoing initiatives and programs of the Indian government to fight the cybersecurity challenges, which have significantly added to the creation of a platform that is now capable of supporting and sustaining the efforts in securing cyberspace.

Because of the ever-changing nature of cyber threats, the government in India seems to have  ealized the dire need for cybersecurity initiatives, to come together under a National Cyber Security Policy, with a unified vision and a set of sustained and coordinated strategies for implementation.

Specialised Projects.

The article added that several projects are aiming to establish India as a leading hub by accelerating identification and development of cybersecurity technologies in the country to further strategic objectives, develop critical capabilities, exploit commercial potential, and thereby driving future-readiness.

For example, Data Security Council of India (DSCI) is building a world-class infrastructure for creating momentum for cybersecurity technology development at its NOIDA campus. The program was formally launched in January 2020. It includes incubation for startups, state-of-the-art technology research lab, a unique infrastructure for things like forensics and testing, security training and R&D.

The article added that, moving forward, National Centre of Excellence (CoE) for Cyber Security Technology Development is an idea conceptualised by Ministry of Electronics & IT and DSCI for setting up connected and coordinated efforts to foster cybersecurity development in India. National CoE initiative stands strong on three pillars, which envisages connected and concerted efforts for cybersecurity technology development by identifying critical technology areas and use cases, productizing security research, and extending physical and virtual incubation along with facilitation adoption.

Fostering Cybersecurity Startups And Product Companies.

The article pointed out that, with an ecosystem of more than 200 product companies, Indian cybersecurity product segment has embarked upon success, and more than 70% of these companies and startups have come to exist just in the last 10 years with some having 60%+ Y-O-Y growth rate across new age cybersecurity startups.

The government is also working to enhance cybersecurity startups. The government is working to create an ecosystem of cybersecurity technology development and entrepreneurship. Under this, security startups need to be incubated so that innovative solutions can be developed.

The article added that some of the aspects of startup-promoting initiatives include:

  • Translating R&D to security product;
  • Enhancing technology stack of security products;
  • Market adoption of developed products; and
  • Making India destination for R&D and product development.

Under a Cyber Security Grand Challenge, startups had to create solutions around six areas, including microservices, IoT, biometrics, hardware security, among others. A ‘Security Grand Challenge’ awarded Rs 3.2 crore to breakthrough startups.

The article points out that the stakeholder ecosystem consists of global players, research institutes, academia, startups, investors, security researchers, Indian security leaders, technology players, and enterprises. Together, they can be leveraged and brought together in a tightly linked ecosystem to create momentum for cybersecurity product entrepreneurship.

National Cybersecurity Policy.

The article added that the National Cyber Security Policy is a policy framework developed by the Department of Electronics and Information Technology (DeitY) whose objective is to safeguard the public and private infrastructure from cyber attacks.

As part of India’s National CyberSecurity Policy, the draft of National Cyber Security Strategy 2020, which envisions building secure cyberspace in India, will be shortly sent to relevant ministries for comments before seeking the Cabinet approval, according to reports. The policy is being worked upon to close the gaps and meet the talent and product requirements under the National Cyber Security Policy 2020.

National Level Computer Emergency Response Team.

A National Level Computer Emergency Response Team (CERT-In) acts 24*7*365 as a Nodal Agency for coordination of all initiatives and projects for dealing with cybersecurity emergency response and crisis.

CERT-In also serves as an umbrella organisation in enabling creation and operationalisation of sectoral CERTs and helping in the communication and coordination efforts in managing cyber crisis situations.

Change the narrative.

Hell hath no fury like a scored employee. In terms of liability, employees pose the single biggest threat to companies as these employees have access to server information and passwords. Even after you sign reams and reams of NDA’s with these employees, if things end badly, employees are likely to accidently-on purpose release this information on the dark web. That’s the reality of the situation.

But that does not mean that you need to see employees as a major risk while they are working for you. The narrative has to move away from employees being your biggest risk.

The article points out that There are a few things we just won’t stand for in 2020 – but first on the list is the phrase, “employees are the weakest link in cyber security.” It’s a saying that people really should have ditched in 2019.

You can probably guess that since I’m writing this, unfortunately, most people haven’t. Online and even among cyber security professionals, it’s still a common thought process.

“What’s wrong with believing employees are the weak point?”, you might ask. Given the ever-increasing frequency data breaches – with human error often being either a cause or catalyst in the majority of cases – you’d be forgiven for thinking that employees are naturally at fault.

But they’re not – and there are a few logical reasons why.

The article adds that, firstly, framing the conversation like this doesn’t get us anywhere. Are football players to blame when they lose a match? Well, in a way, but the players are also to ‘blame’ when they win. And even when they do lose, telling them that they’re the problem is only going to demoralize and lead to further losses.

Secondly, if blame has to lie somewhere, it surely lies with the security awareness programs rather than the employees who rely on those programs to better protect themselves. The reason that human-error breaches continue to occur at such at rate is that – and let’s be honest here – security awareness training in its current form just doesn’t work.

Training doesn’t work because, in most cases, it focuses solely on awareness. Awareness is all well and good, but increased awareness by itself is not what necessarily matters. Just because people are ‘aware’ of cyber risks doesn’t mean that, in the real world, they will behave in a more secure way.

The article points out that, to reduce human cyber risk, security ‘awareness’ training – a rather misleading moniker when you think about it – must go beyond raising awareness. It needs to focus on also changing behavior and building a culture of security simultaneously. Collectively, you can think of this as ‘ABC.’

Doing so creates a virtuous circle in which improvements in one area flow into the next. Raising awareness lays the foundation for changes in behavior. Secure behaviors nurture a culture of security. And, completing the circle, a culture of security advances awareness.

Understanding the disconnect between people and security

How do businesses improve behavior and, in turn, begin to develop a positive culture? The article adds that, while there’s no short answer, the first step for any business new to the principle of ABC is to try to understand the origins of undesirable behavior. One of the most useful questions to tackle early on is, “Why are my people not complying with security policies?”

When businesses begin to probe why, they tend to find that motivation, or rather lack of it, is at the root. Staff are failing to take security on-board as part of their everyday job: They don’t see it as a serious issue; they don’t see it as their responsibility; they don’t see it as something they have much control over; or a combination of the above.

The article appoints out that, more often than not, businesses also discover that the relationship between security and staff has become strained. In extreme cases, it’s become adversarial. Security is seen as an inconvenience, an annoyance, as something that exists just to ‘get in the way.’

Businesses will likely need to address both before significant improvements are seen. Making cyber security more personalized and relatable to staff, gamification, bringing leaders on-board, and getting employees involved in cyber security conversations, will all go some way to boosting motivation. Meanwhile, making security policies and procedures simple – ensuring that doing the right thing is the easiest thing – will help to address issues of tension between security and staff.

Developing cyber security behavior and culture.

So, if I could ask businesses to adopt two new approaches to cyber security this year, the first would be to leave behind the ‘weakest link’ language. The second, to hopefully avoid a data breach in next year’s stocking, would be to pay more attention to behavior and culture.

The article points out that, by treating people as a useful and powerful security asset, and by addressing security awareness, behavior and culture in tandem, businesses can bring about real and tangible reductions in their human cyber risk.

Moving towards success.

Humans are fallible and are prone to lapses of concentration. An ideal cybersecurity programme should therefore incorporate a human and an artificial intelligence element.

The article points out that, from misdirected emails to accidental clicks of a mouse, a vast number of data breaches are caused by human error. Every day employees access the a company’s data, often sharing it across their company and with outside contacts.

In a perfect world, cyber security training and company policies would ensure that data was always secure. But humans make mistakes, break the rules, and are easily hacked. A single slip or phishing attack can result in a major data breach — the kind that traditional cybersecurity methods just can’t predict or prevent.

The article adds that this exists because, while the machine layer can be secured with any one of the cyber security products crowding the market, the complexities of human behavior make securing the human layer significantly more challenging, because humans are simply unpredictable.

Tremendous risk.

The article points out that an employee might not recognize, for instance, that sending work documents to their personal email account carries a tremendous amount of risk. A single typo could mean a misdirected email sent to the wrong address, and the consequences could be dire, from penalties and fines to regulatory bodies and bad publicity resulting in loss of reputation to the company.

And then some employees with access to valuable company data might be tempted to cash in, such as the recent case where an employee sold 68,000 customer records to scammers.

Sometimes the human risk comes from outside the company, such as hackers targeting employees with spear phishing attacks which impersonate internal and external contacts. Employees are always vulnerable to cybercriminals, and bad actors are always hunting for ways to gain access to company networks.

The article adds that, in the end, the problem is that human behavior simply can’t be codified with the “if-this-then-that” logic that powers traditional machine learning, and those algorithms are at a loss when it comes to predicting a potential threat. We all communicate differently, we use natural language, and our behaviors and relationships are never static, but change over time as we make new connections, take on new projects, and respond to an ever-changing work environment.

Cyber security training and company policies are essential tools to help minimize threats and ensure your people are keeping themselves safe, but businesses need a more robust, people-centric approach to cybersecurity for those moments when inevitable errors occur. They need advanced technologies that understand how individuals’ relationships and behaviors change over time in order to effectively detect and prevent threats caused by human error.

Finding the answer.

The article points out that human layer security is the answer, taking on the challenge of protecting your most important asset — your people. Human layer security (HLS) is designed to secure human-digital interactions in the workplace. It works together with your machine layer security, which protects networks, devices, and apps, to protect your employees, contractors, customers, and suppliers.

It uses a different type of machine learning: stateful machine learning.

Stateful machine learning essentially understands human behavior and relationships, enabling it to detect and prevent dangerous activity in real time to protect employees from making errors. It can even learn and adapt to how people work without getting in the way or impeding productivity. Stateful machine learning models analyze historical email data in order to understand human relationships and communication patterns.

The article adds that, once you know what “normal” looks like, stateful machine learning can automatically predict and prevent dangerous email activity, without disrupting employees and automatically prevent the most advanced forms of spear phishing, accidental data loss, and data exfiltration in real time.

“The Fourth Industrial Revolution is changing the world, but is also introducing the world to a new set of challenges that need to be address if companies are so succeed. Cybersecurity is one of them. The answer to this is not to run around pointing the blame at employees. Businessmen like Warren Buffet and Richard Branson in the past have been outspoken in that employees are the beating heart of a company. Do not treat them like dirt. Work with them to build a cybersecurity protocol and they will become as invested in the company’s success as you are. This is the way winning is done. GTconsult has always had an employee centric approach to its business and over the years, we have built key capabilities in our A Team that can address any cybersecurity issue.”