

Neelkanth Kaushik
Cybersecurity CoE Lead, Unthinkable Solutions
Neelkanth Kaushik is the Lead of the Cybersecurity Center of Excellence at Unthinkable Solutions. With over a decade of experience in securing enterprise-scale digital infrastructures, Neelkanth has led critical cybersecurity initiatives across BFSI, healthcare, and e-commerce sectors.

Anmol Satija
Host
Anmol Satija is driven by curiosity and a deep interest in how tech impacts our lives. As the host of The Unthinkable Tech Podcast, she breaks down big tech trends with industry leaders in a way that’s thoughtful, clear, and engaging.
Episode Overview
Cybersecurity isn’t just about firewalls and encryption; it’s about people.
In this episode of The Unthinkable Tech Podcast, we dive deep into the most overlooked vulnerability in cybersecurity: human behavior. Host Anmol Satija is joined by Neelkanth Kaushik, Lead of Cybersecurity COE at Unthinkable Solutions, to unravel why even the most advanced tech stack can’t protect an organization if its people aren’t cyber-aware.
From headline-making breaches like Twitter and Equifax to everyday mistakes like weak passwords and public Wi-Fi usage, this episode explores how small oversights can spiral into multi-million dollar disasters. You’ll also learn about practical strategies organizations can adopt, from phishing simulations and role-based access control to behavior analytics powered by AI.
Packed with real-world examples, hard-hitting truths, and actionable advice, this episode is a must-listen for leaders looking to build a security-first culture in the digital age.
Chapters covered:
- Why human behavior is the frontline of cybersecurity
- The financial, legal & operational impact of cyber negligence
- Common cybersecurity mistakes employees make
- Proactive strategies to prevent security breaches
- Top misconceptions about cybersecurity
- Measuring the effectiveness of cyber awareness programs
- How AI and machine learning are transforming cyber defense
Transcript
Anmol Satija: In this episode of the Unthinkable Tech Podcast, Neelkanth Kaushik delves into the critical role human behavior plays in cybersecurity. Learn about the devastating consequences of neglecting human factors and how to proactively address common cybersecurity mistakes. This episode offers a comprehensive overview of how individual actions can help in maintaining organizational security.
Anmol Satija: Hello everyone and welcome back to another exciting episode of the Unthinkable Tech Podcast. Today we have an interesting topic lined up for you, one that’s becoming increasingly crucial in our digital age. I’m talking about the critical role of human factors in building a cyber-aware culture.
Why human behavior is the weakest link in cybersecurity
Did you know that according to a recent study, 95% of cybersecurity breaches occur when employees unintentionally compromise security protocols, such as by clicking on a phishing link, using a weak password, or even failing to install software updates on time?
With cyber-attacks becoming more sophisticated, it is clear that technology alone isn’t enough to protect us. We really need to focus on the human element—that is, our behaviors, our awareness, and our actions to truly create a secure environment.
So to delve deeper into this topic, I am thrilled to welcome Neelkanth Kaushik, who is the Lead of Cybersecurity COE at Unthinkable Solutions. Neelkanth is an expert in the field of cybersecurity with years of experience in helping organizations build robust security frameworks and foolproof applications. He is here to share his valuable insights on why cyber awareness is so critical and how we can foster a culture that prioritizes cybersecurity.
Neelkanth, thank you for joining us today.
Neelkanth Kaushik: Thank you, Anmol, and it is a pleasure to be here with you.
Anmol Satija: So let’s jump right into the conversation, Neelkanth. You know, I recently heard about a major data breach that happened at a very well-known financial institution. Despite having state-of-the-art security systems in place, it was just a simple phishing email that led to the compromise of sensitive customer data. Given your extensive experience, what are your thoughts on this?
Neelkanth Kaushik: See Anmol, you know, cyber awareness and cybersecurity are really very critical for any business because they serve as the first line of defense against cyber threats. The technology is evolving very rapidly, and on a daily basis, hackers are evolving their techniques of doing data breaches and attacking the servers of businesses with the use of more sophisticated tools than ever. So it is no longer just about having the right technology because technology is always evolving. Human behavior is always there to play a significant role in either mitigating or executing those risks.
The Twitter hack & other shocking real-world cyber attacks
For example, take the Twitter hack in the year 2020 where one group of hackers actually did some social engineering with the employees of Twitter and gained access to the administrative systems. They could manipulate and post on behalf of any user, asking for money from the users of Twitter to be transferred in the form of cryptocurrency. During this attack, more than one lakh was compromised. This incident clearly shows that even the most advanced security systems can be bypassed if the human element is compromised.
Anmol Satija: Right, absolutely Neelkant. I mean, the example you gave just now is very critical and clearly highlights how crucial human awareness and behavior are in preventing cyber threats. Some may think that their technological defenses are sufficient or they might underestimate the risk associated with human error. You must have also encountered the same scenarios while dealing with certain clients. Can you set the stage for us on this and what are some potential consequences for companies that clearly neglect this aspect?
Neelkanth Kaushik: Sure, Anmol. The human factor is integral to cybersecurity; we cannot ignore that. When employees are well-informed and know what kind of measures they have to take while dealing with cybersecurity, they serve as the first line of defense against cyber threats. Conversely, when cyber awareness is neglected, the repercussions can be devastating on multiple fronts.
Let me give you some examples of those potential outcomes that are generally seen in all types of cyber-attacks which have happened in the years before. The most important aspect of any cyber security breach is the financial loss. Cyber attacks can result in direct financial theft where you see that some money can be transferred from the victim’s account to the hacker’s account. The hackers send you malicious emails and when you click on those links or download or run any kind of file, they just encrypt your hard disk and then ask for the payments to be transferred into their account, which is known as ransomware attacks. These are some direct financial impacts of any cybersecurity breach.
For example, in the year 2017, the Equifax breach happened, which exposed the personal information of about 147 million people. The overall cost involves all the legal expenses, all the legal suits that have been filed by multiple parties, the compliances, everything—all in all, a total of 1.4 billion dollars have been paid by the company in settlements and other expenses.
Anmol Satija: That is a huge amount.
Neelkanth Kaushik: Yes, this is one of the important parts. Then the next thing is the reputational damage to the business. For example, if you take any company that has been working in any business for many years, they have gained a lot of respect in the market. Their partners, their investors, they have a lot of trust in the organization. But when a cybersecurity incident happens and the world comes to know that something has happened in the company which has impacted their business, they lose trust in that organization because they think that the organization has failed to protect the sensitive information about their business. This loss of trust can lead to a decline in loyalty and a drop in stock prices.
The Twitter attack that I mentioned before in 2020 led to an instant four percent drop in the stock market price of Twitter. It was a direct impact, and over the coming days, the company faced a lot of challenges in handling that impact so that it could be minimal. They did a lot of mitigations; they had to do a lot of things. This is a kind of indirect financial loss where the company had to spend a lot of money in order to gain the reputation back. They have to tell the investors, they have to tell the users that everything is okay, and nothing much has happened. This is also a kind of impact that we see.
Why compliance failures can cost you millions
Then coming on to the regulatory penalties. For example, if you are working in a certain industry that is governed by stringent regulations regarding data protection and cybersecurity. For example, you can take the financial industry, which is currently booming. Failing to comply with regulations such as PCI DSS can result in hefty fines and legal penalties that run into millions of dollars. It is not a small amount. For example, under the General Data Protection Regulation (GDPR) in the European Union, companies can be fined up to four percent of their annual global turnover for data breaches.
Anmol Satija: And GDPR is one of the crucial compliances, I think, irrespective of the industry type.
Neelkanth Kaushik: Yes, not only in the European Union. Now India is also coming up with their own personal data protection law and every country in the world, sooner or later, will have this law in their country to protect the rights and personal data of their citizens. This is very important because personal data is something that can be misused by hackers to do anything that we can’t even imagine.
Anmol Satija: Yes, actually, it is the need of the hour.
Neelkanth Kaushik: Now the next impact is operational disruption, and this is also a direct impact. For example, let’s take the example of Twitter again. When the attack happened and 130 accounts were compromised, as an instant measure, they stopped their users from posting or tweeting anything new.
Anmol Satija: Yeah, I recall that happening.
Neelkanth Kaushik: All the users could only like the existing posts or they could only retweet the existing posts. This is a kind of operational disruption where one of the main features of Twitter is to tweet something. The user comes not only to see the tweets of others but to tweet themselves. For example, all the news media agencies post their latest updates on Twitter. At that time, they were not able to do so. This is a kind of operational disruption. There are other attacks as well. For example, in the 2017 NotPetya attack, which initially targeted companies in Ukraine, there were multinational corporations involved in it, and they had to reinstall 4000 servers and 45,000 PCs, leading to weeks of operational disruption. This is a mass level of attack that involves multiple companies. But even a small company or even a single company can be impacted a lot by this.
Anmol Satija: Agreed.
How cyber breaches create financial and reputational chaos
Neelkanth Kaushik: Then there are impacts on the loss of intellectual property where cyber attacks can lead to the theft of intellectual rights, including trade secrets, proprietary technology, and confidential business strategies, which can be very devastating for companies that operate in cutting-edge technologies and have patents. These kinds of things can lead to a lot of IP violations. Then there are legal liabilities. Whenever something happens in the case of any cyber attack, the customers, partners, investors, and shareholders sometimes file lawsuits against the company because they have failed to protect the sensitive information adequately. The legal cost can be lengthy; the legal battle can be lengthy. The cost can run into millions depending on the lawyer that the company is hiring and multiple factors. For example, Yahoo, after its 2013 data breach, faced multiple lawsuits which eventually led to an overall cost for the settlement of around 117 million dollars.
The hidden operational disruptions of a cyber attack
Then the last thing is employee morale and productivity. The employees who are working in those companies also feel stressed and demoralized when they come to know that their company or business has faced such an attack and information has been leaked. At that moment, no one knew clearly what kind of attack had happened, what had been leaked, and what is the value of the data which has been breached. But overall, at that moment, the employees face a lot of moral and productivity issues due to the disrupted work environment.
For example, when Twitter stopped everyone from tweeting new posts, all the employees working at Twitter must have felt that something bad had happened. They even delayed their new API release by many days, which was ready to go live. These are some of the impacts that we can say happen or impact businesses.
Anmol Satija: Thank you so much, Neelkanth, for that comprehensive overview and those interesting examples. I think it is clear that negligence can have far-reaching and severe consequences for any organization. Just like you mentioned, those big organizations like Twitter and Yahoo can also face those repercussions. From financial losses and reputational damage to regulatory penalties and operational disruptions, the impact can really be overwhelming.
Given the high stakes, it is crucial for companies to understand not just the importance of a cyber-aware culture but also the common pitfalls employees might fall into. After all, awareness is the first step towards prevention. So, what are some of the most common cybersecurity mistakes that employees tend to make?
Top cybersecurity mistakes employees make every day
Neelkanth Kaushik: So Anmol, employees of the companies basically, as I said before, we consider them as the first line of defense. But at the same time, being on the front line, they are also most vulnerable to cyber-attacks. Cybercriminals use sophisticated social engineering techniques where they gain the trust of the employees so that they can extract data from them. So, one common mistake that employees make that I want to highlight is the use of weak passwords.
Generally, in order to be easy to remember, employees use very simple passwords that are easy to guess. For example, an employee’s birthday is August 31st, so they might use a password like “3108AUG.” These kinds of passwords are very weak and can be easily guessed by anyone. For example, if I know your birth date, I can try out that combination of characters and numbers. Using weak passwords is one of the easiest ways for cybercriminals to gain access. Another common mistake is using the same passwords on multiple devices.
For example, if you use the same password for your Google account and your laptop, once a cybercriminal knows your password, they can try it out on multiple platforms. So, using weak passwords and reusing passwords is related to credential theft. Certain guidelines, such as OWASP guidelines for secure application development, suggest creating strict password policies that do not allow weak passwords. For example, systems might force passwords to have special characters and non-repeatable numbers.
Anmol Satija: That makes sense.
Neelkanth Kaushik: Additionally, reusing passwords is discouraged. For example, if you try to reset your password on Google and use the same old password, the system won’t accept it. These guidelines help mitigate password-related security issues. Another common issue is phishing emails. Cybercriminals use sophisticated social engineering techniques to trick employees into clicking phishing emails.
For example, they might send an email from an authentic-looking email ID, asking the employee to download and run a file. Once the employee falls victim to these phishing scams, they might reveal sensitive information. Cybercriminals might create a fake website where employees enter their username and password, which are then stolen. Even after proper training, hackers have become so professional that employees still click suspicious links or open attachments from unknown sources.
Employees might also unintentionally share sensitive information. For example, during a casual conversation with a colleague over lunch, they might reveal sensitive details. Or they might share their username or password over chat or WhatsApp, not realizing the risk involved. They trust the person they are sharing with but don’t know if that person can also be tricked by a cybercriminal.
Anmol Satija: That’s a valid point.
Neelkanth Kaushik: Another issue is working from public places like cafes or restaurants. Public Wi-Fi networks are not secure, and a hacker could be monitoring the traffic. This is known as a man-in-the-middle attack. For example, banks suggest not entering banking credentials while using public Wi-Fi because these networks are rarely protected.
Then there’s the risk of using USB devices. For example, if someone gives you a USB drive with a movie or song, and you plug it into your laptop, it might infect your system with malware. These USB devices can contain malware that can extract data from your laptop. Even using public USB chargers can be risky as they can act as remote connections. Ignoring security policies is another issue. Sometimes employees bypass or ignore established security policies for convenience, creating security gaps.
Anmol Satija: These are some really eye-opening examples, Neelkanth. I think it is clear that even a small mistake can have significant repercussions when it comes to cybersecurity. Given the variety of potential mistakes, it is essential for an organization to be proactive in identifying and addressing these issues before they escalate into a major problem. So, Neelkanth, let’s explore this further. How can organizations identify and address these common mistakes before they lead to larger issues?
Neelkanth Kaushik: Yes, Anmol. Cybersecurity is more about prevention. Organizations must take proactive steps to educate and support their employees. Early identification and intervention are key to preventing small mistakes from turning into significant security incidents. Let me give you some strategies that organizations can use.
The first is regular security audits and assessments. At Unthinkable, we also offer security audits and assessments for web applications, mobile applications, and clouds. Conducting regular audits and assessments of your security practices, infrastructure, and digital assets can help identify vulnerabilities and areas where employees might be making mistakes early on.
For example, a security audit might reveal that employees are not following password policies or not updating software on time. These kinds of proactive security audits can identify loopholes in your system. Another strategy is phishing simulations and social engineering tests. These enable organizations to test their employees’ awareness of phishing attacks and social engineering and how they respond to them. These simulations can help identify employees who might need additional training to understand the risks involved.
Anmol Satija: That makes sense.
Neelkanth Kaushik: Continuous monitoring and logging of systems is also crucial. This is not only limited to employees but also to the users of the business or customers. Maintaining audit logs and activity logs allows for the detection of unusual or suspicious behavior that can create a security issue. For example, if a mobile app allows money transfers and notices multiple wrong OTP or password inputs, the app gets blocked for some hours. This is an example of monitoring and logging.
Similarly, if an employee is accessing sensitive data at unusual times, it could be a sign of a compromised account. Continuous monitoring can trigger an automatic email to the system administrator, alerting them to look into it. Setting up feedback loops where employees can report suspicious activities or potential security issues to their admin or cybersecurity team is also important. This encourages a culture where reporting is seen as a positive action. For example, if an employee notices their laptop has suddenly become slow, they can report it, and the cybersecurity team can investigate whether it is a security incident or a hardware issue.
Regular training and refresher courses for employees are also essential. Over time, we tend to forget things, so regular training helps keep employees updated. This includes not only non-technical employees but also developers and software engineers. Using real-world examples and interactive sessions can make learning more engaging and effective.
Having a clear set of policies and procedures within the organization is very important. Policies and procedures drive cybersecurity in any organization. They tell you what needs to be done and how it is to be executed. These should be written in simple language and regularly updated so that employees are aware of the latest changes.
Anmol Satija: Right.
Neelkanth Kaushik: Another strategy is setting up role-based access controls. Rather than giving someone a credential and permissions, there should be a group of roles with specific permissions. If an employee needs additional permissions, their role has to be changed. This way, it is not easy for a hacker to perform any action just by accessing a username and password. They would need to escalate to another role to perform unauthorized actions. Having role-based access control is very important.
Anmol Satija: Those are some insightful strategies, Neelkanth. But I would like to say, even with the best practices in place, misconceptions can still persist, right? These misconceptions can influence employee behavior and decision-making in ways that may not align with an organization’s security goals. So, according to you, are there any misconceptions about cybersecurity that contribute to these common mistakes? If so, maybe you can share some of those with us.
Top misconceptions about cybersecurity
Neelkanth Kaushik: Yeah, so basically, Anmol, misconceptions are prevalent in the field of cybersecurity as well. Most of the time, it is the human factor that gets impacted by these misconceptions. Let me highlight some of them. Many employees think that cybersecurity is solely the responsibility of the IT department. They believe they don’t need to do anything because the IT department will handle everything. However, in reality, cybersecurity is a shared responsibility.
The IT department can implement and manage security measures, but every employee plays a crucial role in maintaining security. As we mentioned before, following policies and procedures is essential. The IT department can set up policies and procedures and handle technical aspects, but it’s the employees who need to adhere to these practices.
Another major misconception is that small businesses think they are not vulnerable to cyber attacks. Cybercriminals actually target smaller organizations more because they know these businesses might not have implemented strong cybersecurity measures. In fact, smaller organizations are more vulnerable compared to larger ones. Every organization, regardless of size, is a potential target. Hackers might find even small pieces of information valuable. For example, a new company with a list of 10 clients might be targeted by hackers to gain insights into their business and clients, potentially selling this data to competitors.
Anmol Satija: That’s eye-opening.
Neelkanth Kaushik: Then there is the misconception that using strong passwords is enough. While setting strong passwords is essential, it’s just one aspect of a security strategy. Multi-factor authentication, regularly updating and changing passwords, and maintaining the integrity of passwords are also important. Some employees believe that installing antivirus software makes them immune to cyber attacks. This is not the case. Antivirus software is important, but it cannot protect against all types of attacks, especially those involving social engineering and zero-day exploits.
Another misconception is that cybersecurity is all about technology. However, human behavior is an equally critical component. Training employees, having awareness sessions, and creating a strong security culture are essential to complement the technological aspects of cybersecurity.
Anmol Satija: Thank you for shedding light on those misconceptions, Neelkanth. I think it is clear how they can lead to significant vulnerabilities within an organization. Moving on, given the importance of awareness and behavior in maintaining cybersecurity, it is vital for any organization to not only implement initiatives but also measure their effectiveness. Understanding what works and what doesn’t can help them refine their strategies and ensure continuous improvement in security practices. How can organizations measure the effectiveness of their cyber awareness initiatives? Are there any KPIs or metrics that they should be looking at?
Neelkanth Kaushik: Anmol, it is equally important to measure the effectiveness of cyber awareness and cybersecurity initiatives in any organization because it helps them understand the gaps that need to be filled and the improvements that need to be made. The cybersecurity landscape is always evolving, so what was practical last year may not be effective today. There are some effective strategies that organizations can use to measure their cybersecurity initiatives.
The first is simulation training. Track the percentage of employees who have clicked on simulated phishing emails. For example, if out of 1,000 test phishing emails, 100 employees clicked on them, it shows that those 100 people still need more awareness. A decreasing click rate over time after proper training indicates that employees are becoming more aware, reducing the organization’s threat surface.
Knowledge assessments are also crucial. After training sessions, conduct quizzes or interactive sessions to check the impact of the training. This helps the cybersecurity department understand whether the training has been effective. For example, ask employees whether they would click on a suspicious email or not to gauge their understanding.
The feedback loop is another important metric. If there is an increase in reporting suspicious activities, it indicates heightened awareness and vigilance from employees. The cybersecurity department can assess the quality and accuracy of these reports to ensure that employees are correctly identifying and describing potential threats.
Anmol Satija: That’s a good point.
Neelkanth Kaushik: Training participation is also a key metric. Track attendance rates for training sessions to measure engagement levels. This helps understand whether the training sessions are engaging enough or if they need to be made more interactive to encourage more employees to join.
Conducting surveys can also help. Ask employees if they have updated their antivirus software, changed their passwords, or are using proper password combinations. Surveys help understand the effectiveness of cybersecurity awareness initiatives.
Anmol Satija: That offers a very well-rounded view of where an organization stands. As we look to the future, technology continues to evolve at a rapid pace, and with it, the tools and technologies available to bolster cybersecurity. One of the most intriguing developments in recent years has been the rise of AI and machine learning. How do you see the role of AI and ML evolving in the field of cybersecurity?
The future of cybersecurity
Neelkanth Kaushik: AI and machine learning can analyze vast amounts of data in real time and detect anomalies and potential threats that traditional methods might miss or might take more time to identify. For example, machine learning algorithms can identify patterns indicating a phishing attack or malware infection by analyzing anomalies in network traffic. AI can also help in predictive analysis by analyzing historical data and trends. Behavioral analysis is another area where AI can be useful. For example, if an employee suddenly starts accessing sensitive data at odd hours, AI can trigger an alert, distinguishing between malicious and genuine traffic.
AI can also automate incident response processes, enabling faster and more efficient handling of security incidents. This reduces the time it takes to contain and mitigate threats. Real-life examples include major tech players like fintech and BFSI sectors, which already use AI to augment their existing cybersecurity landscape. For example, AI systems can analyze transaction patterns to identify unusual activities, such as multiple small transactions to a specific account or large transactions to foreign accounts, and alert the user.
Anmol Satija: Thank you so much, Neelkanth, for sharing your expertise on the evolving role of AI and machine learning in cybersecurity. It is an exciting and crucial area that will undoubtedly shape the future of how we protect our digital assets. As we wrap up, I want to extend my gratitude to you, Neelkanth, for joining us today. Your insights into fostering a cyber-aware culture and the importance of addressing it have been incredibly valuable. I have thoroughly enjoyed the conversation.
Neelkanth Kaushik: Thank you, Anmol. It was a pleasure to be here. I hope our conversation today helps organizations and individuals better understand the importance of cybersecurity and the human factor involved in it. I hope they take proactive steps to protect their organizations’ sensitive and personal data.
Anmol Satija: Right. And to our listeners, thank you for tuning in to this episode of the Unthinkable Tech Podcast. Cybersecurity is more important than ever, and staying educated and vigilant is key. If you enjoyed this episode, please subscribe, leave a review, and share it with your network. Until next time, keep listening.