As Cybersecurity Awareness Month draws to a close, we’ve had insightful discussions with numerous experts, each bringing fresh perspectives on the role of the human element in cybersecurity. A recurring theme that stood out was the critical role of employees in an organization’s cybersecurity framework. Alongside the pressing shortage of cybersecurity professionals in India, experts emphasized that human vulnerabilities often make employees the “weakest link” in safeguarding data. In a conversation with Preeti Singh, Director of Information Security and GRC at OSTTRA, we explore these challenges in depth, from social engineering threats to securing remote work environments.
TAM: As cyber threats evolve, social engineering remains a constant threat that targets human vulnerabilities. What are some innovative strategies or training programs that can be implemented to strengthen organizations’ ‘human firewall’ against social engineering attacks?
Preeti Singh: In the digital world, nearly everything has become incredibly easy for us—often just a click away. We can make payments, access any website, and obtain all kinds of information effortlessly. However, with this convenience comes inherent risk, making it essential for each of us to prioritize building a culture of security and awareness. To strengthen the “human firewall,” organizations must adopt comprehensive training programs.
A well-rounded training program should address multiple components. First, understanding the organization’s business, as well as specific roles and responsibilities, is crucial for tailoring training to different functions. For example, someone in finance faces different risks than someone developing an application. This calls for role-based training to address these varied vulnerabilities.
Secondly, gamified training can significantly enhance engagement. Since traditional training sessions often feel dull, incorporating interactive and gamified elements can motivate employees to actively participate in security practices.
Another important aspect is microlearning. Instead of hour-long sessions, offering short, focused training sessions makes it easier for employees to complete them regularly and retain information effectively. This consistent, bite-sized training approach helps reinforce essential security habits over time.
Phishing remains one of the most critical human vulnerabilities. As phishing tactics become increasingly sophisticated, organizations must conduct regular phishing simulations. When an employee fails a simulated phishing test, they should be informed about it and given follow-up micro-trainings to help them learn from their mistakes. Encouraging employees to report suspected phishing attempts to the security team is also essential; identifying phishing is only half the battle if incidents aren’t reported.
Peer workshops are another valuable tool. These sessions allow employees to share personal experiences with security challenges and the strategies they used to overcome them. Such workshops foster a collaborative atmosphere where employees can learn from each other’s experiences and insights.
Finally, fostering a culture of openness is crucial. Employees should feel comfortable discussing security concerns and reporting anything suspicious. This supportive environment not only reinforces good training practices but also encourages vigilance across the organization.
TAM: Given the rise of phishing-as-a-service and AI-generated deepfakes, how do you foresee the nature of social engineering evolving? What proactive measures can security teams adopt to mitigate these emerging threats?
Preeti Singh: Technology advances at an incredible pace today, evolving almost every second. Unfortunately, so do the tactics used by cybercriminals, who are equally adept at leveraging new technologies. As our technology becomes more sophisticated, so do the methods used to breach systems.
With the rise of “phishing as a service” and AI-generated deepfakes, social engineering threats are becoming more complex. These attacks pose significant challenges for individuals and organizations alike, making it increasingly difficult to recognize and respond to them in real time. There’s a familiar saying: “With great power comes great responsibility.” This applies to digitalization as well. While it brings immense convenience, it also introduces new challenges in information and cybersecurity, which must be managed responsibly.
To counter these emerging threats, security teams should implement a layered defense mechanism that includes security tools, monitoring technology, and well-structured protocols at each level. Each layer needs to be safeguarded with threat detection, monitoring, and response capabilities. However, technology alone isn’t enough; continuous education must also be a focus for organizations.
Cybersecurity is not solely a technical matter; it’s equally about human involvement. Employees play a crucial role in protecting their organization. It’s vital to foster a culture where employees understand that cybersecurity is not just the responsibility of the information and cybersecurity teams—it’s their responsibility too. Employees are, in effect, one of the strongest firewalls against cyber threats.
Employees should understand their role in safeguarding the company. Whether a threat arises from social engineering or other tactics, they need to recognize suspicious behaviors, know whom to report to, and understand how quickly they should act. If their machine starts behaving unusually, they should know the steps to take.
Ultimately, no matter how sophisticated cyberattacks become, a strong “employee firewall” can be an organization’s best defense against these threats.
TAM: Many security programs focus on technical defenses, but behavioral change is crucial to counter social engineering. How do you balance technical controls with a culture of awareness, and what measurable impact have you seen on employee vigilance?
Preeti Singh: I come from a company that emphasizes development heavily, as we are a product-focused organization. Security, for us, is not merely an awareness initiative; it needs to be woven into our daily tasks. Balancing technical controls with a culture of awareness requires a holistic approach, where security becomes an integral part of organizational efforts.
To achieve this, companies must combine robust technological defenses—such as firewalls, intrusion detection systems, XDR, EDR, encryption, and other essential controls—with consistent employee education. For instance, application development teams require specific security measures to ensure a secure product reaches production. Likewise, administrators who build machines need to understand fundamental security controls during the setup process. Employees handling data on a daily basis should be aware of security measures for data at rest, data in motion, and data storage.
Regular assessments, including various audits, are essential to gauge employees’ awareness of security protocols. Additionally, employees should take responsibility for the assets and information they manage. They need to understand that mishandling these assets can lead to penalties or governance actions, reinforcing accountability and security as core values.
Building a security-conscious culture allows an organization to balance innovation, development, and customer trust with security as a day-to-day operational focus, rather than a separate task. Integrating security into daily operations is crucial for driving meaningful behavioral change within the organization. Security isn’t only about protecting against social engineering; it’s about addressing multiple areas where employees can be the weakest link, leading to potential security flaws.
Security isn’t something you focus on only during a designated awareness month. While days like National Cybersecurity Awareness Month or special security observances in November raise important awareness, true security requires vigilance 24/7 to maintain a safe environment for the organization and its employees.
TAM: Attackers often exploit the natural tendencies of trust and helpfulness in employees. How can organizations work to retain a supportive work culture while equipping employees with the skepticism needed to counter social engineering attempts?
Preeti Singh: Employees indeed face significant challenges with social engineering, where attackers exploit their natural trust and helpfulness. Attackers craft sophisticated emails that closely mimic legitimate messages from leaders, HR, or even tax authorities during tax season, leading employees to fall for these traps and unknowingly share sensitive information or click on harmful links. This issue isn’t new; it has been a persistent challenge for years.
Addressing this threat is a collective responsibility shared by both employers and employees. Security should be seen as an integral part of employees’ daily tasks, incorporated into their key responsibilities. Employers, in turn, need to invest in the necessary tools, technology, and training to establish a strong security culture across the organization. Employees must be able to recognize phishing attempts and know how to respond appropriately. Without this awareness, sensitive information will continue to flow from organizational systems to the attackers’ hands.
Creating safe spaces for role-playing scenarios allows employees to practice identifying threats in a supportive environment. Recognizing and rewarding those who actively demonstrate security-conscious behavior further empowers employees. Speaking from 15 years of experience, I have consistently focused on establishing frameworks to identify training needs and implementing training programs with reward and recognition systems. For example, employees who complete security training, identify phishing attempts, or report phishing incidents can earn grades, and top performers may be rewarded at the end of the year. Motivating employees in this way encourages a stronger focus on security and prompt reporting of threats.
Many employees identify phishing emails but don’t report them, often unaware that reporting triggers IT or security teams to take preventive action, thereby reducing future risks. For better protection, it’s essential to implement a reward and recognition program to encourage employees to report suspicious emails.
Lastly, open forums for discussing security concerns are crucial. These promote trust and communication within teams, fostering a culture where employees feel comfortable sharing concerns and actively engaging in protecting organizational data. By balancing support with resilience, organizations can significantly strengthen their overall security.
TAM: With remote work and hybrid models becoming the norm, employees are increasingly exposed to off-network attacks. What specific measures or tools can companies adopt to protect employees from social engineering threats in decentralized environments?
Preeti Singh: Remote work has become the new norm, with many organizations adopting hybrid models. This arrangement often benefits both employees and employers—employees enjoy greater flexibility, and companies save on operational costs. However, allowing employees to work from home also introduces new security risks. Fortunately, these risks can be minimized if organizations take a proactive approach to remote work security by implementing the right controls.
First, employees should always use a VPN when working remotely to ensure secure access. Laptops should not allow unencrypted internet access, and devices should be password-protected, ideally with dual-factor authentication methods such as facial recognition or an authentication app.
Employee education is also critical. Employees should be aware of the risks of connecting their devices to public Wi-Fi, which can expose them to viruses and other threats. If employees work in public places, they should take precautions to protect their screens from prying eyes.
For those working from home, it’s important to secure the home Wi-Fi network with a strong password and use up-to-date encryption standards to prevent unauthorized access. Organizations should provide guidance on checking Wi-Fi security settings and password strength to help employees maintain a secure home network.
Implementing endpoint security solutions is essential for organizations to monitor devices for unusual activity. For example, if an employee’s IP address suddenly shows up in a different location, such as another country, this could indicate a compromised device. Endpoint monitoring tools should be able to detect and alert IT teams to any such anomalies, helping to identify potential threats in real time.
These measures—enforcing VPN use, educating employees, securing home networks, and utilizing endpoint security solutions—are essential for safeguarding remote work environments, whether employees are working from home, in a hybrid setup, or from any location outside the company’s secure network.
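The location anomaly described in the last answer (an employee’s source IP suddenly appearing in another country) is usually implemented as a “new country” or “impossible travel” rule over authentication logs. The example below is added here for illustration and is not code from the interview or from OSTTRA; it generalizes the point slightly by also computing the implied travel speed between consecutive logins, so that a country change a day apart is ranked lower than one that would require crossing a continent in minutes. The log format, the GeoIP fields, the 1000 km/h ceiling and the sample records are all constructed assumptions.

```python
"""Added example: flag logins whose location change implies impossible travel.

Constructed log lines and hypothetical thresholds; not from the original page.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Hypothetical ceiling: door-to-door travel rarely averages above ~1000 km/h,
# so a higher implied speed means the two logins cannot be the same person.
MAX_PLAUSIBLE_KMH = 1000.0

# Constructed records: "<ISO8601 UTC> <user> <source IP> <country> <lat> <lon>".
# In a real pipeline, country/lat/lon would come from a GeoIP lookup on the IP.
SAMPLE_LOG = """
2024-10-28T08:00:00Z alice 203.0.113.7 IN 28.61 77.21
2024-10-28T08:45:00Z alice 198.51.100.23 DE 52.52 13.41
2024-10-28T09:00:00Z bob 192.0.2.10 IN 19.08 72.88
2024-10-29T10:00:00Z bob 192.0.2.44 SG 1.35 103.82
2024-10-29T11:00:00Z bob 192.0.2.44 SG 1.35 103.82
""".strip().splitlines()


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    ip: str
    country: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_login(line: str) -> Login:
    """Parse one whitespace-separated record of the constructed format above."""
    ts, user, ip, country, lat, lon = line.split()
    # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Login(user, when, ip, country, float(lat), float(lon))


def detect_impossible_travel(lines, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Return one alert dict per login whose location differs from the user's
    previous login. Severity is "impossible_travel" when the implied speed
    exceeds max_kmh, otherwise "new_country" (a change that is merely notable)."""
    logins = sorted((parse_login(l) for l in lines if l.strip()),
                    key=lambda x: (x.user, x.ts))
    last_seen: dict = {}
    alerts = []
    for cur in logins:
        prev = last_seen.get(cur.user)
        last_seen[cur.user] = cur
        if prev is None or prev.country == cur.country:
            continue  # first login, or no country change: nothing to raise
        dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        # Two logins at the same instant from different places: treat as infinite speed.
        speed = float("inf") if hours <= 0 else dist_km / hours
        alerts.append({
            "user": cur.user,
            "from": f"{prev.country} {prev.ip}",
            "to": f"{cur.country} {cur.ip}",
            "distance_km": round(dist_km),
            "speed_kmh": speed,
            "severity": "impossible_travel" if speed > max_kmh else "new_country",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_LOG):
        print(alert)
```

On the constructed data, alice’s Delhi-to-Berlin jump in 45 minutes is raised as impossible travel, while bob’s move from India to Singapore over a day is only a new-country notice; the same-site login an hour later produces nothing. In practice the country field comes from a GeoIP lookup, and corporate VPN exits and mobile carriers routinely geolocate away from the user, so the speed-based rule is the one worth paging on.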