Hindustan Times ST (Jaipur)

How can organisations ensure cyber security?

- Nimitt Jhaveri, feedback@hindustantimes.com. Nimitt Jhaveri is an information technology architect and cyber security expert who runs his own venture, BitScore CyberTech LLP.

Cyber attacks happen all the time, so ensuring security is a long-term, continuous goal

Cyber security, or rather the lack of it, has been an issue highlighted in almost all the recent elections around the world. Towards the end of the year 2016, it was the United States and, very recently, it was France and even India, where there has been much debate about the possibilities of hacking an electronic voting machine (EVM). On May 6, the legendary investor Warren Buffett mentioned that he saw cyber attacks as a bigger threat to humanity than nuclear weapons.

Closer to home, we have seen multiple incidents of cyber breaches, but a common theme across the board for the publicly disclosed ones is, “No financial loss from the cyber attack”.

It can be safely assumed that very few attacks involving financial losses are reported in the public domain.

Nevertheless, cyber attacks happen all the time and building a cyber-resilient organisation is a long-term, continuous goal for companies.

However, several organisations miss out on the basics, which start with securing the weakest link in the chain, i.e., the end users. Awareness is the key here and the lack of it, especially among the top-level executives, often results in attackers having a field day.

Let’s look at how security checks at the end-user level are done in banking processes. In the case of opening a new bank account, apart from the mandated know your customer (KYC) compliance details, bankers typically ask users for a keyword to be shared with them. This keyword is used for identification in case additional identity checks are required. In cyber terms, the combination of your username, password and secret question serves the same purpose.

Let’s now look at specific issues in this area and highlight some best practices.

The choice of the username is generally a trade-off decision made by a company in terms of something unique but sufficiently easy to remember as well. Corporate email addresses and employee ID numbers are generally accepted as a norm. Based on the level of single sign-on integration, especially from the Internet, a careful decision needs to be made.

The strength and complexity of the password is again a trade-off decision made by a company in terms of something which is implementable, enforceable and acceptable by end users. Most password policies require the password to be at least 8 characters long, comprising alphanumeric characters and, in some cases, requiring the inclusion of capital letters and special symbols (such as *, #, etc.). Other best practices include making it mandatory for the password to be changed every 90 days, with provisions such as exclusion of the immediately previous passwords and of certain defined keywords like the company name, user name, etc.
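As an added illustration (not code from the column or its author), the following Python checker encodes the policy just described: at least 8 characters, letters plus digits, a capital letter, a special symbol, no company name or user name inside the password, and no reuse of the immediately previous passwords, which are compared as salted hashes so the history never stores plaintext. The blocked keyword “acme”, the user names and the sample passwords are constructed values.

```python
import hashlib
import hmac
import re
import secrets

# Constructed company keyword; a real deployment would list its own name and brands.
BLOCKED_KEYWORDS = ("acme",)
SPECIALS = set("*#!@$%^&()-_=+[]{};:,.?/\\|~")


def hash_password(password, salt):
    """Salted PBKDF2 so the password history can be kept without plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_hash(password):
    """Create a (salt, digest) pair to store in the user's password history."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


def policy_violations(password, username, previous_hashes=(), blocked=BLOCKED_KEYWORDS):
    """Return a list of rule violations; an empty list means the password complies."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"[0-9]", password):
        problems.append("must contain both letters and digits")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not any(ch in SPECIALS for ch in password):
        problems.append("no special symbol")
    lowered = password.lower()
    # Keyword checks are case-insensitive so "Acme" or "ACME" cannot slip through.
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    for word in blocked:
        if word.lower() in lowered:
            problems.append(f"contains blocked keyword '{word}'")
    # Re-derive the hash with each stored salt; constant-time compare avoids timing leaks.
    for salt, digest in previous_hashes:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("matches a previous password")
            break
    return problems
```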

The choice of the password, however, is left to end users and they often use “jugaad” (quick-fix) tactics to comply with the password rules. This leaves the resulting password extremely easy to guess via a social engineering attack, if it is not already stuck to the computing device or shared with a co-worker.

Secret questions are leveraged when the user forgets the password, in which case the self-service password reset mechanism can pop up one of these questions to ensure some level of authentication and security. However, again, the choice of these questions and answers in most companies is left to the end user and the exercise is generally done as a one-time activity during user enrolment.

When it comes to the top executives of a company, who may have certain requirements and preferences, the basic controls may get further diluted. I would recommend that what must never get diluted is the continuous monitoring process of keeping password controls as tight as possible.

Affordable technologies are available today which, when deployed appropriately, store, process and analyse user behaviour on a real-time basis at scale. The entire process can be done without affecting the overall end-user experience.

Human oversight, whether by the end user and/or done centrally in a security operations centre (SOC), goes a long way towards detecting, and hence responding to and recovering from, a cyber breach.

Given privacy concerns today and the serious impact of cyber data breaches, notifying “no financial loss” as the outcome of a cyber attack will not ensure a safer cyberspace in the long run.

Getting the basics right in terms of a robust password policy that gets continuously monitored, however, will be a concrete step in the long march towards building cyber resilience.


[Photo: ISTOCK] Affordable technologies are available today which, when deployed appropriately, store, process and analyse user behaviour on a real-time basis at scale
