Posters like this are quite common on the walls of IT/ITES companies. One could imagine that the outsourcing/offshoring industry would be the least vulnerable to cyberattacks because they depend heavily on IT and have greater awareness of cybersecurity tools and techniques within the organisation.
While this may be true, it doesn’t make them less vulnerable than other sectors of the economy. The industry has experienced its share of cyberattacks, such as the recent ransomware attack on Cognizant, because IT/ITES presents a lucrative opportunity for cybercriminals which motivates them to try harder. Let us first understand why cyber crooks find them attractive before we examine how we can stop them.
Why The IT/ITES Sector Is A Goldmine For Cybercriminals
- Customers’ Customer Data – IT/ITES firms are third-party solution providers and have access to the personal and private data of their customers’ customers. This presents an opportunity for cybercriminals to steal customer data from multiple companies through a single source. Delta, Sears, and Best Buy suffered customer data leaks through a cyberattack on a third-party support provider
- Employee Profile – Many IT/ITES companies run large-scale operations with tens of thousands (or more) of employees, many of whom are young and relatively inexperienced. These companies are also more likely to support progressive HR policies such as working from home. This increases their vulnerability to cyberattacks
- Customer Confidence – Maintaining customer confidence is critical for the IT/ITES sector. This can motivate cyber thieves to hit them with ransomware attacks as they may be more likely to pay a ransom and keep operations running smoothly
- Regulatory Compliance – The IT/ITES sector deals with clients from many different countries, each with its own, sometimes very stringent, data privacy policies, e.g., the EU’s GDPR or the USA’s HIPAA. The sector has to comply with these regulations or face both regulatory and contractual penalties. This can also make them more vulnerable to extortion schemes
How IT/ITES Firms Can Prevent Cyberattacks
IT/ITES firms usually have basic cybersecurity best practices in place, like having a comprehensive cybersecurity policy. We will examine a few critical measures that they must implement which may be overlooked in such policies.
- Create a Cybersecurity Culture – Having a CSO/CISO isn’t sufficient to demonstrate an organisation’s commitment to information security if the rest of the organisation doesn’t put cybersecurity first. All leaders in the organisation, across the chain of command, should lead by example and resist the temptation to bypass cyber hygiene measures, such as permitting their teams to share passwords, in order to meet delivery targets
- Cybersecure the Supply Chain – IT/ITES firms may outsource some of their activities to contractors. These contractors’ operations will need to be highly cybersecure as well, as a chain is only as strong as its weakest link, and any point in a chain could be a point of entry for a cyber crook who could then compromise the entire chain. Even something as simple as a contractor using the default password on their router or not installing patches and updates regularly could compromise operations
- Implement a Social Media Policy – A cybersecurity policy is not enough. Social media is emerging as a new threat to cybersecurity as employees can inadvertently reveal critical information on social media which can be used to breach an organisation’s cyber defences. Responsible use of social media, or any internet forum, should be clearly laid down with examples of the kind of information that shouldn’t be shared
- Stipulate Work-From-Home Guidelines – This has achieved greater significance during COVID-19, but it should be a concern at all times. Employees who are working from home are at greater risk from cyberthreats as they are outside the protective cocoon of hardened enterprise IT networks and may not follow all cyber hygiene practices e.g., they may leave their computer unlocked when family members or guests are present. Guidelines for cybersafe work-from-home should be communicated and reiterated. We have published tips to stay cybersafe when working from home, which could serve as a starting point when you prepare your guidelines
- Formulate a Personal Device Policy – Many IT/ITES organisations allow senior staff to access work email on their personal phones. The organisation’s data is now only as secure as that phone. Maintaining personal device security is critical, which begins with restricting access to work-related services to those who really need to access those services on their personal devices and extends to securing the device to prevent inappropriate use and recovering the device/erasing data if it is stolen
- Create WhatsApp Guidelines – Many enterprise teams create groups on WhatsApp to discuss work-related concerns. Sensitive information is often shared which may include screenshots of critical issues. While convenient, this is often a violation of the organisation’s information security policy as WhatsApp is a 3rd party whose services (including data retention/use) are beyond the control of the organisation. Guidelines for responsible use of WhatsApp (or any other communication service) should be framed and team leaders should be made responsible for compliance
- Define Exit Procedures – HR is usually tasked with handling exit procedures when an employee leaves the organisation, but they usually don’t have visibility into the employee’s technical responsibilities/access levels. All responsibilities, along with associated credentials, should be transferred or data may be permanently lost when the employee leaves. Access, including facility access through biometric systems, should be immediately revoked
- Implement Cybersecurity Education – Poor awareness leaves the door open for cyber fraud in the IT/ITES sector. Not all cyberattacks are based on technology, and therefore they cannot always be stopped by technology. Phishing depends on social engineering to gain the victim’s trust before persuading them to unknowingly perform a malicious action, and it can inflict severe damage, such as the theft of $47 million by impersonating the CEO in an email. Cybersecurity education can help employees spot and stop such cyberattacks
- Deploy Effective Endpoint Protection – Not all cyberattacks can be stopped by technology, but many of them can. Effective cybersecurity for corporate endpoints can protect desktops/laptops and servers from a wide variety of cyberthreats. These products may even be able to stop phishing attacks by blocking known phishing domains
K7 Security’s Endpoint Security (EPS) has helped IT/ITES firms implement powerful cybersecurity that protects their operations and users from a wide variety of cyberattacks, including ransomware, and supports many other security features such as restrictions on application installation and web filtering. Contact us to learn more.