Originally Posted by Forbes – via forbes.com – January 26, 2021
“What is faster than the wind?” asks the yaksha, to which Yudhishthira smiles and replies, “The mind, of course!”
The Mahabharata War, described in a Sanskrit epic, is one of the greatest battles ever fought by the small yet fierce army of the Pandavas, who were guided by Lord Krishna against the mighty Kauravas. Krishna's astute strategies, although considered deceitful by many, exploited the enemy's vulnerabilities and multiplied the strength of the Pandavas by engaging their consciousness, their minds.
To draw the same parallel to cybersecurity, I wondered if we have been fighting the wrong battle with the wrong weapons. Businesses have been battling insider threats and human errors in cybersecurity, which has led to the loss of billions of dollars and proprietary data for decades. In fact, the latest IBM Cost of Insider Threats 2020 report puts the average annual cost of insider threats at $11.45 million. That’s a huge amount for a problem as ancient in the world of cybersecurity as the Mahabharata is in Indian mythology.
To learn how to drive a car, we take several steps before finally getting our driver’s license. We observe, practice and prepare before taking our first solo drive. This is because we need to recognize the risks before we take on the act of driving. However, when the internet was introduced to us, we started using it without ever observing, practicing or preparing. Most people weren’t ever “taught” to use it initially, let alone use it safely. The culture of internet safety is not the responsibility of big corporations or the government alone. Cybersecurity, in its most granular and raw form, begins with normal people like you and me ingraining it into our consciousness. Like chewing food with your mouth closed and sneezing with your mouth covered (this one has become very important lately), cyber hygiene is also a habit.
Circling back to the Mahabharata: the yaksha's questions continue, "What is the greatest kind of wealth?" to which Yudhishthira aptly replies, "Education."
In this hyper-connected atmosphere, the internet is as important as the quintessential basics in Maslow’s hierarchy of needs. Yet, our minds typically do not register cyberthreats as seriously as they would threats in the physical world. Wearing a seatbelt or looking both ways before crossing the road has become an instinct — whereas, in the cyber world, we still slide back to our unsafe creature-comfort habits.
Let's take the example of the most basic thing we use on the internet to remain safe: the password. A decade back, most of us used our birthdays or the names of our loved ones. As cybercriminals evolved, so did our passwords. We were asked to make our passwords longer, capitalize at least one letter, and include numbers and special symbols. Long ago, it might have taken a full day to crack 10 single-case (lowercase-only) passwords. By 2012, a single cluster of consumer GPUs could test roughly 350 billion guesses per second against fast, unsalted NTLM password hashes. The future of passwords, the first layer of security on the internet, looks grim. This is where your innate cyber consciousness will come in handy.
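To make the numbers above concrete, here is an added Python estimator (not part of the original article) that takes the 350-billion-guesses-per-second rate quoted above and works out how long an exhaustive search of several common password policies would take, alongside the strength of each in bits. The guess rate and character-set sizes are the inputs; the 100-year window used to count "birthday" passwords is an illustrative assumption, not a figure from the article.

```python
import math
from datetime import date

# Guess rate cited in the article: a 2012 consumer-GPU cluster testing
# roughly 350 billion candidates per second against fast, unsalted NTLM hashes.
NTLM_GPU_RATE = 350e9

# Character-set sizes behind common password policies.
CHARSETS = {
    "digits only": 10,            # 0-9
    "lowercase only": 26,         # a-z
    "mixed case": 52,             # a-z, A-Z
    "mixed case + digits": 62,
    "all printable ASCII": 95,    # letters, digits and symbols
}

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(charset_size, length):
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Strength of a uniformly random password in bits (log2 of the keyspace)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size, length, rate=NTLM_GPU_RATE):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def birthday_keyspace(first_year=1921, last_year=2020):
    """Candidates for a 'my birthday' password: one per calendar day in the
    window. The 100-year window is an illustrative assumption."""
    return (date(last_year + 1, 1, 1) - date(first_year, 1, 1)).days


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    if seconds < 1e-3:
        return f"{seconds * 1e6:.1f} microseconds"
    if seconds < 1:
        return f"{seconds * 1000:.1f} ms"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def compare_policies(rate=NTLM_GPU_RATE):
    """Return (policy, entropy bits, worst-case seconds) for representative policies."""
    policies = [
        ("birthday (one date from a 100-year window)", birthday_keyspace()),
        ("8 chars, lowercase only", keyspace(CHARSETS["lowercase only"], 8)),
        ("8 chars, all printable ASCII (complexity rules)", keyspace(CHARSETS["all printable ASCII"], 8)),
        ("12 chars, lowercase only", keyspace(CHARSETS["lowercase only"], 12)),
        ("16 chars, lowercase only (a short passphrase)", keyspace(CHARSETS["lowercase only"], 16)),
    ]
    return [(name, math.log2(space), space / rate) for name, space in policies]


if __name__ == "__main__":
    for name, bits, secs in compare_policies():
        print(f"{name:50s} {bits:5.1f} bits  {human_time(secs)}")
```

Two caveats worth keeping in mind when reading the output. First, the quoted rate applies to a fast, unsalted hash such as NTLM; a deliberately slow password hash (bcrypt, scrypt, Argon2) cuts attacker throughput by orders of magnitude, which you can model by passing a smaller `rate`. Second, the worst-case figure assumes a uniformly random password; a birthday or a pet's name is found by a dictionary long before any brute-force search, so for human-chosen passwords the table overstates the protection. Sixteen lowercase letters outlast an eight-character "complex" password by a factor of millions, which is why length beats mandatory symbols.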
As of now, cybercriminals are clearly outwitting individuals and organizations. Despite the cyberattacks we've seen embarrass some of the biggest companies, many enterprises still fall back on archaic, rote training to reduce the cyber risks that arise from their employees' behavior. I don't believe this will work until good cyber hygiene becomes second nature. As we gear ourselves toward a world of increasingly versatile workplaces, the attack surface is becoming vast. Quarterly sessions or classroom-based training during onboarding merely scratch the surface. To instill a habit, we need to overhaul cybersecurity training to make it more engaging and gamified. We need a system that doesn't just re-educate and emphasize the fundamentals but, more importantly, also excites the human mind.
Even our education curriculum is designed to take us through to the difficult concepts step by step. Imagine walking into school on day one of fifth grade and learning the concept of vectors. A student who does not know the application of direction and magnitude to speed and velocity will never be able to confidently grasp the concept of vectors. Similarly, cybersecurity needs to be unshackled from its siloed jargon. Only then can our collective cyber consciousness be strong enough to withstand phishing, ransomware and other social engineering attacks that exploit us.
To begin with, organizations should adapt the format in which they provide training to the times. Vanilla, one-directional, classroom- or computer-based lessons do not necessarily work for the generations that prefer Netflix-style, on-the-go modules. Along with upgrading their content to match the latest tactics, enterprises should also map the progress of their employees’ cyber consciousness with time to customize learning to their needs. This process of quantifying their knowledge will help organizations cultivate an era of customized cyber awareness education that employees receive and apply better than a one-size-fits-all policy.
A 2016 Gartner study found that 62% of insiders with malicious intent were “second streamers,” or people seeking a supplemental income — and 2018 Gartner research (via Security Intelligence) found that 29% of insiders stole information after quitting or being fired. Enterprises, therefore, should monitor various parameters — including but not limited to employees’ background, past employment with competitors, level of education, employment status, level of access to sensitive data and other factors.
Cyber awareness, improved knowledge of security configurations on their personal and work devices, and tracking active leaks of sensitive data over the dark web will help employees and employers change their attitudes toward cybersecurity at large and the way they interact with (and in) the digital world.
Sun Tzu, in the book The Art of War, aptly says, “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”