The human element in India's cybersecurity equation
The digital transformation of India is driving industries forward with cutting-edge technologies such as 5G, Internet of Things (IoT), and generative artificial intelligence (AI). This uncharted digital territory brings new opportunities, but also substantial challenges, particularly in the realm of cybersecurity.
In 2022, an alarming 13.91 lakh cybersecurity incidents were reported across India, according to CERT-In (Indian Computer Emergency Response Team). A report by Palo Alto Networks claimed that India faced a significant risk of cyberattacks targeting critical infrastructure, public sector and essential services, adding that 67% of government and essential service entities reported a 50% increase in such attacks.
What is even more striking is that a significant share of this vulnerability is attributable to human error. The 2023 DBIR report reveals that 74% of all breaches involved the human element, whether through errors, privilege misuse, use of stolen credentials or social engineering.
Surge of skill-based and decision-based errors
Organisations have recognised that tackling the human risk factor is critical to strengthening their cybersecurity posture. While they focus sharply on this aspect to improve their digital defences, doing so requires a deep understanding of the many kinds of human behaviour that could create a security threat or lead to a breach.
By definition, human error in a security environment refers to inadvertent actions, or lack of action, by staff and users that originate, spread, or allow a security breach to occur. Experts categorise human errors in cybersecurity as either skill-based or decision-based. Skill-based errors are minor slips that occur while people are discharging their routine duties, whereas decision-based errors are the result of poor judgement or malicious intent. The eight main categories of human-error security threats are insider threats, misdelivery, weak passwords, patching failures, careless handling of data, inadequate software security, low security awareness and ineffective data access management.
Nurturing a culture of security awareness
To reduce the human risk factor effectively, organisations, large enterprises and SMEs alike, must cultivate a culture of security awareness at their core.
Automation can reduce the scope for human error to some extent through access and privilege controls, password management, and mandatory two-factor authentication. Other systemic measures to bolster cyber-defence include stringent security policies, zero trust protocols and limiting access to data and sensitive information. Experts also suggest implementing UEBA (user and entity behaviour analytics) to address cybersecurity challenges. Such solutions use machine learning and deep learning to model the behaviour not only of users but also of endpoint devices on the network. UEBA identifies abnormal behaviour patterns to detect well-hidden and slowly executed attacks, automates the analysis of alerts and logs, and can speed up incident investigation.
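To make the UEBA idea concrete, here is an added illustration (not code from the article or from any UEBA product) of the two things the paragraph says such tooling does: learning a per-user baseline and flagging deviations from it, including a slow, sustained deviation that no single event would reveal. The log format, the sample entries, the users, IP addresses and thresholds are all constructed for this example; a real deployment would model far more features and use statistical models rather than fixed cut-offs.

```python
"""
Minimal UEBA-style baseline-and-deviation detector.
Added example; the log layout "<ISO timestamp> <user> <src_ip> <bytes_out>",
the sample lines and the thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed "known good" week used to learn each user's normal behaviour.
BASELINE_LOG = """
2024-03-04T09:12:00 alice 10.0.1.5 1200
2024-03-04T10:03:00 bob 10.0.1.7 1000
2024-03-05T09:40:00 alice 10.0.1.5 1500
2024-03-05T10:11:00 bob 10.0.1.7 1000
2024-03-06T09:05:00 alice 10.0.1.5 900
2024-03-06T10:20:00 bob 10.0.1.7 1000
2024-03-07T09:55:00 alice 10.0.1.5 1300
2024-03-07T10:02:00 bob 10.0.1.7 1000
2024-03-08T09:30:00 alice 10.0.1.5 1100
2024-03-08T10:15:00 bob 10.0.1.7 1000
"""

# Constructed observation window: one obvious outlier for alice, a quiet
# but sustained increase for bob, and an account never seen before.
NEW_LOG = """
2024-03-11T09:20:00 alice 10.0.1.5 1250
2024-03-11T02:14:00 alice 203.0.113.9 2100
2024-03-11T10:05:00 bob 10.0.1.7 1000
2024-03-11T10:06:00 bob 10.0.1.7 1000
2024-03-11T10:07:00 bob 10.0.1.7 1000
2024-03-12T10:05:00 bob 10.0.1.7 1000
2024-03-12T10:06:00 bob 10.0.1.7 1000
2024-03-12T10:07:00 bob 10.0.1.7 1000
2024-03-13T10:05:00 bob 10.0.1.7 1000
2024-03-13T10:06:00 bob 10.0.1.7 1000
2024-03-13T10:07:00 bob 10.0.1.7 1000
2024-03-13T11:00:00 carol 10.0.1.9 500
"""


def parse(text):
    """Turn the whitespace-separated log lines into event dictionaries."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user profile: hours of activity, source IPs seen, bytes per event."""
    profiles = defaultdict(lambda: {"hours": set(), "ips": set(), "bytes": []})
    for e in events:
        p = profiles[e["user"]]
        p["hours"].add(e["ts"].hour)
        p["ips"].add(e["ip"])
        p["bytes"].append(e["bytes"])
    return profiles


def score_event(e, profiles, z_threshold=3.0):
    """Return the list of reasons a single event deviates from its user's baseline."""
    p = profiles.get(e["user"])
    if p is None:
        return ["unknown user"]
    reasons = []
    if e["ts"].hour not in p["hours"]:
        reasons.append("off-hours activity")
    if e["ip"] not in p["ips"]:
        reasons.append("new source ip")
    # Floor the deviation at 1 byte so a perfectly constant baseline cannot divide by zero.
    mu, sd = mean(p["bytes"]), max(pstdev(p["bytes"]), 1.0)
    if (e["bytes"] - mu) / sd > z_threshold:
        reasons.append("volume spike")
    return reasons


def detect_slow_exfil(new_events, baseline_events, ratio=2.0, min_days=2):
    """Flag users whose daily total stays above ratio x their baseline daily mean
    on every observed day: the 'slowly executed' pattern no single event trips."""
    base_daily = defaultdict(lambda: defaultdict(int))
    for e in baseline_events:
        base_daily[e["user"]][e["ts"].date()] += e["bytes"]
    new_daily = defaultdict(lambda: defaultdict(int))
    for e in new_events:
        new_daily[e["user"]][e["ts"].date()] += e["bytes"]
    flagged = {}
    for user, days in new_daily.items():
        if user not in base_daily or len(days) < min_days:
            continue
        base_mean = mean(base_daily[user].values())
        if all(total >= ratio * base_mean for total in days.values()):
            flagged[user] = round(mean(days.values()) / base_mean, 2)
    return flagged


def run():
    """Apply both detectors to the constructed window; returns (event alerts, slow-exfil users)."""
    baseline = parse(BASELINE_LOG)
    profiles = build_baseline(baseline)
    new = parse(NEW_LOG)
    alerts = []
    for e in new:
        reasons = score_event(e, profiles)
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts, detect_slow_exfil(new, baseline)


if __name__ == "__main__":
    event_alerts, slow = run()
    for user, when, reasons in event_alerts:
        print(f"{when} {user}: {', '.join(reasons)}")
    print("sustained-volume users:", slow)
```

Note the split between the two detectors: the per-event scorer catches alice's night-time transfer from an unfamiliar address, while bob's nine individually unremarkable transfers only stand out when daily totals are compared against his baseline, which is exactly the class of slow, well-hidden activity the paragraph credits UEBA with surfacing.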
Technology alone is not enough, however: building a security-minded culture brings constant vigilance and makes cyber-security the responsibility of every employee in the company, ensuring more eyes are watching out for possible attacks. Training employees to recognise and counter common threats, such as social engineering, phishing and digital fraud, is paramount in today's digital landscape, especially with the surge in remote and hybrid work models.
There are various effective methods, including educating staff on emerging threats, integrating cybersecurity into organisational culture, and using mock scenarios and gamification for practice. Most companies today fold cyber-security training into the mandatory trainings that inform employees on policy, ethics and business purpose. These trainings establish a foundational level of awareness of threats and of the importance of cyber-security to the company, and make employees aware of the behaviours and actions expected of them to identify and respond to threats. Red teaming can also be an effective way to raise vigilance: companies bring in ethical hackers to target employees and report back on correct behaviours. Additionally, managers are often given performance objectives for their teams on cyber-security incidents. CSO offices can energise this culture by celebrating cyber-security awareness weeks, running workshops and hackfests, or through other employee engagement methods. Involving employees in cybersecurity and equipping them with advanced tools not only enhances productivity but also contributes to job satisfaction.
Strengthening the weakest link is no longer optional
The cost of cybercrime is expected to reach $10 trillion this year, more than the GDP of every country in the world except the US and China. The repercussions of a cyberattack can be hard for any organisation to recover from: lost revenue, increased costs, damage to reputation and customer loyalty, and regulatory penalties. According to a report by IBM, the global average cost of a data breach in 2023 is $4.45 million, a 15% increase in just three years.
In this digital era, untrained end-users often become the weakest link in an organisation's security chain. Recognising this vulnerability and investing in the right tools and training can transform employees into the first line of defense against cyber threats. Beyond safeguarding against data breaches, proper cybersecurity training fosters a culture of security, limiting legal and financial liabilities. By addressing the human element in cybersecurity, India can not only protect its digital transformation but also empower its citizens to become digital warriors, safeguarding the nation's digital future.
Anshuman Sharma
Anshuman Sharma is Associate Director CSIRT & Investigative Response at APJ, Verizon Business