Cybersecurity remains a high priority for businesses in India, but is that message getting through to employees? We asked over 1,200 of them to find out.

Cybersecurity report in India Capterra 2024

Our research has revealed that 61% of businesses in India suffered a data breach in the past 12 months. Unsurprisingly, we also discovered that 82% of companies have increased their investment in cybersecurity.

But protecting against cyber threats is as much about people as it is about technology. In this article, we continue to explore data from our survey of 1,264 employees in India to find out how their organisation engages them in cybersecurity. We also dive deeper into phishing attacks and their consequences, as well as the security awareness training that businesses provide to their workforce.

You can scroll down to the bottom of this article for a full methodology.

Most employees see cybersecurity training as key to engagement

Given that today’s cyberattacks often enter an organisation via an unsuspecting employee, it is vital that businesses provide their people with the skills, technology, and support to be the first line of defence.

This involves open conversations about cybersecurity between employer and employee, so that staff feel fully involved in the process. Overall, employees said that they would like to see a range of activities to help in this engagement, with training, interactive workshops, and phishing simulations all ranking highly.

How to engage employees in cybersecurity efforts

The desire for more training doesn’t mean that employees don’t already receive it, however. 97% said their company provides some kind of cybersecurity or data protection training. This was most commonly around data privacy (76%), general cybersecurity (71%), or social engineering (48%).

Different types of cybersecurity training which companies provide

Security awareness training is an ongoing exercise. 60% said they have refreshers every six months, and another 27% said they do training once a year. This reflects the fact that cybersecurity is constantly changing. Attackers are coming up with new threats all the time, and business practices (such as working from home) present new challenges to companies, which employees need to be aware of.

Because so many employees undergo cybersecurity training (and fairly frequently, too), employees themselves feel confident in their understanding of the cybersecurity landscape. 88% said they have a good or very good awareness of cybersecurity risks and best practices within their company.

Key takeaway: Businesses represented by the people in our survey clearly understand the value of regular cybersecurity training, and employees feel confident in the knowledge they have gained from this. However, there is a clear appetite for more, particularly in the form of interactive workshops.

Sessions where staff can experience solutions first-hand and talk to experts about the best way to protect their identities and data could be a good way to strengthen employee awareness and a company’s defences.

79% of businesses have been targets of phishing attacks in the last 12 months

Criminals use phishing attacks to trick employees into handing over sensitive data. They send messages (often by email, but they can also be via social media or text message) that appear to be from a legitimate source, like a supplier or a bank. The messages may contain an attachment, which instals malicious software onto a target’s computer, or a link to a page where employees are asked to enter confidential information like passwords or bank details.

These attacks are very common. Among the people we surveyed, 79% said that they or someone in their company had received a phishing email in the past 12 months. And 76% of those said that they (or someone else in the company) clicked on a link within one of those messages.

Phishing attacks can be particularly problematic for businesses when employees’ accounts are compromised. If a hacker gains access to usernames and passwords, they can access the same files, systems, and confidential data that their victim can. And this isn’t a rare occurrence. 43% of the employees in our survey said they have experienced an account takeover in the past 12 months (where someone used a stolen username and password to access any type of online account).

The risks related to an attacker taking over an account become higher if there is more data available to them. And many employees overall report that they have access to more data than they need. Around one-fifth (21%) said employees in their company have access to all company data, and 38% said employees have access to more data than is strictly necessary to perform their job.

Levels of data access which employees have

While the prevalence and potential risks of a phishing attack remain fairly high, companies are taking action. A majority (67%) of respondents said that their employer has carried out phishing tests in the past. These involve sending out safe emails that look like phishing attempts, and seeing how many employees are taken in.

Key takeaways:
  1. If companies restrict employees’ access to data, they also reduce the potential damage if that employee’s account is compromised. Privileged access management software lets businesses establish access levels for people, devices, and systems.
  2. Phishing tests can serve as useful education tools because they let employers know what proportion of the workforce is equipped to recognise and stop the threat (and report it if necessary). They also help employees stay vigilant against these attacks by regularly putting their skills of detection to the test. Plus, 53% of employees think it’s a good way for their company to better engage them in cyber efforts.

Confidence in employers’ security measures is high

Despite the high number of data breaches, phishing attacks, and ransomware attacks, employees in our survey felt that their employers are on the right track. The majority (64%) were very confident that their company is taking cybersecurity seriously, and another 26% were quite confident.

This may stem from the fact that communication between employers and employees on these matters seems to be open and productive. Most employees (79% overall) said they have raised cybersecurity concerns with their company’s IT department, to which the companies responded in a variety of positive ways.

Different company responses to employees raising cybersecurity concerns

The usual outcomes of reporting a cybersecurity concern were further open communication between the IT department and employees, transparency about cybersecurity incidents and the measures taken to prevent them, and reminders for employees about best practices. 

Nevertheless, while using company devices, most employees (75%) said they take additional steps to protect their online safety that go above the company’s standard practices. Employers can either see this as confirmation that their own protections are insufficient or an endorsement of the fact that their staff are so well trained that they actively seek greater protection when using IT systems.

84% of companies have protocols for employees to report attacks

A majority of businesses view employees as a key way to identify and flag attacks. While it’s true that many cybersecurity software products can do this, attackers can slip through the net and remain undetected on networks for months. But if an employee spots unusual activity, or accidentally clicks a link that leads to a breach (and reports it), security experts can act quickly to shut down the attack.

The vast majority (84%) of employees in our survey said that their company has protocols in place to report an attack. And 81% said there is a formal incident response plan in place.

Do companies have protocols for reporting cybersecurity breaches or an incident response plan?

And as a final line of protection, many companies may choose to take out cyber insurance. These policies can often cover the cost of identifying and recovering from an attack, ransom payments, damages incurred through business closure, reputational damage, and potential costs to third parties. A majority (77%) of the respondents who are responsible for, involved in, or fully aware of company cybersecurity measures said that their firm has taken one of these policies out.

Key takeaway: A channel for employees to report cyber incidents and an action plan to respond when they do are must-haves for businesses. Some cybersecurity tools (notably endpoint detection and response and identity threat protection and response software) specifically include features to mitigate damage if a breach occurs, and these actions can form part of a comprehensive response plan.

How can businesses in India engage employees in cybersecurity?

Our research has shown that employees in India are well trained on cybersecurity matters, are encouraged to participate in initiatives, and have confidence in their company’s approach.

However, the number of attacks remains high, and many simple practices (good password hygiene, restricting access to data) could be more widely adopted. And employees themselves would also like more training on cybersecurity.

By continuing to train staff about cybersecurity risks and controls, using a range of methods, companies can ensure that they’re well placed to protect their people and data against threats.



Methodology:

The data for Capterra’s 2024 Data Security Survey was collected between November 10th and 26th, 2023, and comprises answers from 1,264 respondents. We selected our survey sample based on the following criteria:

  • India resident
  • Aged between 18 and 65 years old
  • Full-time employee
  • Works for a company which uses cybersecurity software tools for protection and has some awareness of which tools are used