Technology alone cannot Prevent a Security Breach – Why You Need to Focus on the Frontline

By: Makarand Joshi, Area Vice President and Country Head, Indian Subcontinent, Citrix

Businesses put more on the table with every advancement in technology, so they have to effectively manage risks. As India takes steps towards a digital economy the hacking targets go up exponentially.

However, alongside these innovations in working practices, is a rising number of cyber attacks and breaches. According to a joint study by Assocham and PwC, there has been a surge of approximately 350% in cybercrime cases registered in India, with close to 50,000 security incidents in 2015 alone.

Operations systems in India are increasingly being subject to cyber attacks, as many are built around legacy technologies with weaker protocols that are inherently more vulnerable. In a business environment where firms are facing heightened levels of security breaches, organisations in India are now investing in more sophisticated and robust infrastructure to protect their data, assets and reputations. From advanced machine learning and artificial intelligence, to cloud based monitoring and analysis technologies, there are many sophisticated solutions being adopted to fight cyber crime. Yet the effectiveness of these solutions is increasingly dependent on

one often overlooked business asset– employees.

With BYOD and flexible working becoming accepted norms, employees are often the biggest threat to safeguarding a company’s data and IP against cyber criminals. Staff negligence and indifference to IT policy is one of the most significant inhibitors to cloud security. Further, there is a clear lack of security understanding. Almost two-thirds of companies attribute “employees’ lack of cyber security knowledge” as the biggest inside threat and only one in 10 Asia Pacific companies fully understand how cyber attacks are performed.

In research by The Ponemon Institute for Citrix, titled “The Need for a New IT Security Architecture: Global Study”, over half (60 %) of respondents stated that employees and third parties bypass security policies and technologies because they are too complex. This complexity continues to drive Shadow IT in India.

This lack of education and awareness is leading to two types of companies emerging – one that knows it has been hacked and one that does not. If individual employees are not fully aware of how breaches occur and do not take steps to not only protect IP, but also monitor and alert managers about cyber issues, the door is continually left open for cyber-attacks. What can organisations do to allow staff to work the way they want to, while ensuring confidential data and competitive IP is safeguarded in the data centre? How can they promote a resilient and active security culture, while empowering staff with knowledge and education?

1. Embedding security into everyday operations

Firstly, security needs to be embedded as part of the day-to- day running of the business to ensure it stays front-of- mind and becomes ingrained in core business processes. It’s the ‘human firewall’ effect, whereby employees become integral to the security solutions rather than the problem.

As such, security policies should be developed collaboratively across the company from the top to the bottom, with input from as many stakeholders as possible playing an equal part. Regular training is also best approached on a collective basis and should be more than one standard session per year. Some organizations take this approach one step further, developing fake phishing emails and distributing them to staff, to alert IT teams to more susceptible employees. Identified employees can then be enrolled in additional training on how to spot a sophisticated scam. Employers have a duty of care to arm all employees with the necessary tools, guidance and training to protect their organisations. By organising certifications, comprehensive curriculums and free learning opportunities to develop employees and their security awareness, employees’ ability to recognise and respond to potential attacks will be enhanced.

2. Adopting a hearts and minds approach

Taking it a step further, smart organisations should take an even more active role in engaging and uniting employees against breaches and security issues. Creating a culture of security advocates who are well informed and feel compelled to help protect the intellectual property of their employer is vital to long-term protection.

This can be enabled and promoted in various ways, including the use of fake phishing attempts or mock breaches to develop the security awareness of employees, and their ability to recognize potential attacks. These mock attacks are a highly effective tool, firstly as a test bed to gauge the level of vulnerability of your organisation, and also as an interactive way of educating employees on best practice, safe behaviours and as a way of motivating team members. This approach gives the individual more responsibility and accountability in preventing attacks, so that everyone can contribute to shared goals of advancing and protecting the business and its culture.

3. Have a holistic view on security, across the network: Securing data from the bottom up

Lastly and most crucially, any approach must be underpinned by the appropriate technology infrastructure to support and protect a modern, collaborative and mobile workforce, while ensuring data is safe within the data centre. Without this foundation, any ‘security-minded’ company culture will have its vulnerabilities.

When surveyed, 43% of respondents from India stated that visibility into all business-critical applications and systems, was critical for a successful security framework. Core security pillars should include; identity and access, network security, app security, data security, and monitoring and response. Any technology deployed to support your business’ security needs should provide you with a view across the organisation, the network, apps, data and down to an employee level to help ensure critical assets are secured to suit the demands of the modern workforce. Employees can be able to work productively from anywhere, without security being compromised. These solutions also deliver access from a centralized system, while addressing privacy, compliance, and risk  management mandates.

With the ongoing spotlight on cyber security and threats constantly evolving to advancing response technologies, coupled with an increasingly mobile workforce, it’s clear that robust infrastructure is only fully effective when supported by proactive, educated and breach savvy staff.

The modern enterprise workforce calls for deep, comprehensive security to keep data and applications safe no matter how people work—any location, any device, any access method. Best practices for security encompass identity and access, network security, application security, data security, monitoring and response to ensure both protection and productivity in every application/data access scenario.