[Exclusive] In conversation with CiOL on Cybersecurity Awareness: Aiyappan, Senior Member IEEE and Founder, Congruent Services

With the pandemic accelerating the need for digital adoption, cybersecurity has become an essential need for organizations, governments, and individuals. It is now dominating the priorities as each adapts to the next normal. Remote workers’ identities and devices are the new perimeters of security. Zero Trust model for security was designed specifically for this and now, the new normal i.e. post-pandemic world is its litmus test.

A recent IDC report revealed that 70% of all breaches still originate at endpoints, despite the increased IT spends on this threat surface. Hence, it is high time for CIOS/CISOs to restrategize their IT model and allocate funds for cybersecurity to protect them from potential financial setbacks. With that base, in conversation with CIOL, Aiyappan, Senior Member IEEE and Founder, Congruent Services, delves into the important aspects of cybersecurity.

Aiyappan, Senior Member IEEE and Founder, Congruent Services

Why is cybersecurity so important in the current times?

With the pandemic forcing everybody to go virtual for education, work, banking, citizen services and entertainment, among others, the internet has become a veritable hunting ground for hackers and scammers. Gullibility and lack of cyber-awareness among a large base of the users increase the risk. Hence, cybersecurity assumes greater significance in these times.

What advantages does the modern cybersecurity have over traditional cybersecurity models?

It has been seen that a good number of cyber-attacks were enabled by insider complicity. The traditional model is rendered ineffective in such scenarios. Modern cybersecurity practices built around a zero-trust architecture reduces the risk factor significantly. Compared with the traditional approach of having zones of trust and perimeter protection, every actor and component accessing networks and systems are not trusted inherently. Each entity is verified and authorised at each stage to ensure minimal security risk.

Has cybersecurity had many implications of Covid-19 on businesses?

According to India’s National Cyber Security Co-ordinator, COVID-19 has led to over a 50% surge in cybercrimes. There is a spurt in phishing, ransomware and malware attacks. As the pandemic has necessitated businesses to embrace digital as well as a virtual model of operations, the attack surface area has widened considerably.

Hence, businesses must adopt proper cybersecurity measure to prevent potential loss of business, reputation, money as well as face lawsuits due to security breaches. They need to invest in training all users on cyber hygiene and good cybersecurity practices.

Has the change brought in the need for cybersecurity personnel? If so, what are the qualifications for the person?

Businesses need to proactively implement appropriate cybersecurity practices. Depending on the scale of digital systems implemented, cybersecurity needs to be taken care of either by appointing personnel with the right skills or engaging security services organizations. It is essential to have personnel with qualifications aligned to the IT eco-system of an enterprise.

Popular qualifications in vogue today are CISSP and its variants, CISM, CCSP, CEH etc. that can take care of cloud, traditional or hybrid IT environments. Further, there are accredited cybersecurity courses conducted by institutions like IIT, NIT and others.

Do organizations need to train all or specific employees on avoiding phishing and social engineering attacks?

Organizations MUST train all employees – whether on-rolls or off-rolls, on cyber hygiene practices. This is non-negotiable. Employees dealing with special systems need to be given advanced training.

How can India reduce the skill gap for CSOs?

I recommend a three-pronged approach. A) Institute certification with minimum criteria, B) mandate basic minimum cyber-security criteria and C) mandate positions in organizations.

While there are cybersecurity courses run by reputed institutions, it would be apt for CERT-in to prescribe or certify cybersecurity courses. This would be like the empanelment of IT security audit and vulnerability testing agencies. The courses must be constantly updated and tailored to the prevailing cybersecurity requirements.

All organizations may be mandated to have/ be engaged with CERT-in certified cybersecurity practitioners. An organization can decide the employees it wishes to get certified. The aim is to widen the base of candidates who would move into CSO roles.

What are some basic approaches that can prevent cyber-attacks?

The following basic practices and implementations are recommended to prevent attacks:

• Implement secure cybersecurity systems like firewalls and antivirus

• Provide access rights on the principle of least privilege

• Enforce password management and multi-factor authentication

• Ensure periodic review of users and privileges

Are activities like Private browsing and VPN really secure?

While private browsing prevents local storage of browsing activity etc., the ISP could record it. Further, if the ISP is compromised, so are likely its customers. While both these techniques allow a user to mask their connection details (IP address) - activity history and encrypt the communications (VPN), they do not prevent malware from entering the system from compromised sites or emails. A good anti-malware system is essential to prevent such attacks. Hence one must use updated anti-virus software in conjunction with a VPN or when using private browsing.

How do organizations change the IT Infrastructure before they fall prey to cyberattacks?

IT infrastructure cannot be changed overnight. As a start point, organizations should implement security policies diligently with periodic threat assessments and drills. Vulnerabilities need to be addressed expeditiously. They should upgrade the software firmware and apply recommended security patches on all equipment and systems. End of life devices needs to be replaced on priority. All personnel should be trained in basic cyber-hygiene and incentivised to follow best practices.