Experts say growing cases of cyber attacks on employees can be a security hazard for companies, especially nascent startups.
Companies are running the risk of losing data through hacktools and malware, as work-from-home employees use personal devices to access restricted content.
A study from Cisco suggests 95 percent of people working from home currently use unverified devices to log into company software or access company data.
Anurag, founder of a football blog, said his company offers its employees access to Getty Images. But he admits there is a risk of his image catalogue, which costs around Rs. 50,000 a month, being hacked or used by someone other than his employees.
“My company offers Getty Images subscription to its writers and the images are used in our articles. But we have barred the writers to use it for other means and asked them not to log into more than one device. We also give out Grammarly Premium subscription, but even that can be easily shared by the writers or can be hacked,” Anurag added.
Company data usually ranges from databases of its operations, premium services that are usually paid for by the management, or products that are accessible only by the employees of the said company.
Another study from Cisco claims that 62 percent of business organizations have faced a security event that has impacted their business. Over 50 percent have faced data breaches and network outrages while 46 percent faced ransomware events.
Raghu, who works at the same football blog, said he uses his personal laptop and sometimes his iPad to write articles. He is logged into the company’s image portal and Grammarly accounts on both devices. Sometimes he even logs into an external device that is often accessed by members of his family.
Shreya (name changed), a cybersecurity expert at a major consulting firm said, security breaches at companies are often caused by employees’ data getting hacked by cyber attackers.
“Data hacks are quite common and the most common victims of this are companies that give very little importance to tech security. Pharma companies, in particular, are liable to this issue, but sometimes even the telecom companies can become victims of hacks,” Shreya said.
“Recently, one of the biggest telecom giants was the subject of a major hack as some of the employees had overridden their security breach. The news was not made public as it would harm the company’s image and hurt the trust of their consumers. This happens all the time across major firms,” she added.
Company data usually get hacked by malware. Malware is a type of software designed to steal information and personal data on a computer. This could include emails, passwords, and any information that is available on the system.
These stolen pieces of information are then sold on the Dark Web, which is an unregulated internet platform that serves as a marketplace for content that is otherwise banned on the internet. Dark Web cannot be accessed through a traditional internet browser and requires software like Tor browser that guards a user’s Internet Protocol (IP) access.
According to a report published by Virtual Private Network (VPN) service provider NordVPN in Dec 2022, five million people globally have had their data stolen, among which, 600,000 (12 percent) were Indians.
The stolen data were subsequently sold on the dark web and were taken from victim’s devices using bot malware. The stolen data included users’ login IDs, cookies, digital fingerprints, screenshots and other information. The average price for a digital identity was pegged at Rs. 490, reports Reuters.
Startups: the main victims
While well-established multinational companies have the capital to invest in tighter security, Shreya said it is often the startups and the not-so-well-funded companies that struggle to come up with essential measures to avoid such security breaches.
“In India, companies are still lagging behind when it comes to implementing necessary security measures to combat data hacks. While some tech-based startups actually have excellent and well-organized security, most of them lack the technological grasp and the capital to come up with proper measures to prevent employees from becoming a security liability,” Shreya said.
“These companies usually prevent employees from accessing information by banning certain websites, software, and browsers, but these can be easily breached because malware, nowadays, has gotten stronger, thanks to hackers using Artificial Intelligence (AI) to create new viruses,” she added.
Harsh Surana, Founder of an eight-month-old startup named Aagaaz, hires employees in a work-from-home module. But due to a lack of capital, his company is not in a position to issue laptops to its employees. As a result, his company also runs the risk of having its data hacked through employees’ devices.
“We do not have enough funds to issue laptops to our employees. So technically someone can hack their computers and gain access to our data as we share them through a common spreadsheet,” Harsh said.
However, Priya (name-changed), who works in one of the biggest multinational tech companies in the world, does not have to use her personal computer. This is because the workstation is provided by her company.
“When I joined the company, we were provided company laptops. We did require a couple of approvals to get access to all the necessary pages. But it was smooth. We have a lot of company security apps that basically need to be downloaded in order to access basic things such as Outlook, Teams etc. on other/ personal devices. From a breach perspective, one cannot access the data until connected to a certain secured link,” Priya added.
However, more and more employees are aware of these security breaches and what a cyber attack is, especially after the lockdown, said Shreya. “Although the rate of attacks has also increased, companies have become more vigilant as well, along with the employees. So the overall situation is improving,” she added.