Vishal Salvi on New Threat Surface and Remote Workforce

Yulia De Bari: Between January and March 2020, there were almost 907,000 COVID-related spam messages, a 148% increase in ransomware attacks and 350% increase in phishing sites. Vishal, what do you think about these numbers? What has really changed since the pandemic outbreak?

Vishal Salvi: One of the things which has happened is that COVID has actually been a complete change of working environment from office to working from home. And that is seen by the fraudsters as an opportunity to go and attack and see whether they can exploit the fragility and the vulnerability that currently exists in a work from home or the transition that is going to be happening. Coupled with that, we also have a situation where COVID is a very trending topic. And so if you put anything related to COVID, that is a more likelihood of somebody falling prey to any social engineering attacks. So these two things coupling together are seen as opportunity by the threat actors, who exploit and therefore there is exponential rise in phishing attacks and ransomware attack.

Yulia De Bari: And that's what we're going to explore in today's conversation. Welcome to the Knowledge Institute Podcast: The CyberBites Edition, where we talk about some of the company's key responses to cybersecurity threats in the COVID era. The topic today is new threat surface and remote workforce. I'm Yulia De Bari, cyber security lead and podcast producer for Infosys Knowledge Institute. And today, our first guest is Vishal Salvi. Vishal is senior vice-president, chief information security officer, and head of the cybersecurity practice at Infosys. He has over 25 years of industry experience in cybersecurity and is responsible for the overall information and cybersecurity strategy and its implementation across Infosys group. He, additionally is responsible for the cybersecurity business delivery.

Yulia De Bari: Vishal, your role is very unique and this makes your perspective very unique because you are both in charge of Infosys' own security, as well as the security for our clients. I think it will be very interesting to know your experience. And if you can go back in your memory to two months ago, how did the company respond to the lockdown measures and social distancing restrictions? What were the measures that you took and what was the main challenge of enabling employees to work from home?

Vishal Salvi: Yeah, so I think when we were looking at the pandemic unfolding, one of the things that we decided early on as a part of our broader organization crisis-management team was that we are looking at eventual lockdown. And so we started preparing for that scenario well in advance. With 220,000 employees, and plus some additional subcontractors, it is a very challenging and a massive task to look at the eventual lockdown of our development center, some of them housing more than 42,000 employees, and required a lot of planning, both in terms of enabling the remote access infrastructure to be scaled up, to be able to have all the 220,000 employees to work from home, but also in terms of how do you create the necessary infrastructure which is required for such a massive shift? Which was never a scenario which was planned for, nor was the infrastructure stress-tested previously.

Vishal Salvi: The easy part was really to upgrade the backend technology infrastructure in terms of the concurrency of remote access to the increase in the bandwidth. And then we had to then quickly look at how many were mobile users having laptops and how many actually had desktops. And so we were looking at eventually having a large number of desktops to be also provisioned for them to be secure, as well as being able to have connectivity to work from home, and also ensure that they are dispatched before the lockdown is called out for it. And that was a massive exercise, which was orchestrated by all the different teams coming together, whether it is our HR, whether it's our technology teams or our delivery teams, and ensure that such a massive activity was carried out, which I'm very proud of, because eventually, before the lockdown was called out, we were 85% unable to work from home. And as we speak right now, we are at 96% working from home. So that's really how we executed that and all of these activities were executed in a short span of two and a half to three weeks, Yulia.

Yulia De Bari: Yeah. Thank you. And another question comes to my mind, were there any challenges from technical perspective, like for example, scaling the VPN capacity, how did it go for Infosys? And in general, how is the company dealing with this expanded threat surface that is a result of remote working?

Vishal Salvi: Yeah, so scaling the VPN and remote access infrastructure, because Infosys is not new for the concept of working from home, we already had Infoscions having the ability to work from home for at least one third period of the month, right? And so we had the necessary security models in place and what we had to do was to scale it up. But otherwise, it was a very secure model available.

Vishal Salvi: Now, what we saw was the sharp rise of the attack, which was unprecedented. And so we not only had to get our security monitoring and security controls working in this new, normal of working from home, but also we had to quickly respond to this changing threat landscape. And so we had to quickly identify the new risks, identify how do we articulate, how do we understand, how do we make them visible, how do we analyze them, and then how do we make sure all the stakeholders, whether it is leadership, board, technology teams, customers, the delivery teams and business teams coming together to deciding on a strategy of how we are going attack it? Because it requires again the whole power of the organization, once they understand it, to be able to do it.

Vishal Salvi: So it was not about the security team working in silos and trying to fix something, it's all about identifying, analyzing, and making it visible to every individual, every stakeholder in the organization, and then, in a very calibrated manner, executing its implementation. And that's really what we were doing in terms of being clinical in terms of how we go and execute all of these programs in terms of improvement, but also how do we make it more agile, more accelerated because the speed is the essence. And so that's really what we have been doing. And we are fairly comfortable in terms of what we had, what we have right now, and in terms of the roadmap that we are having, in terms of how we are going to keep on improving the security. Because, Yulia, security is all about being aware, it's sensing what's happening around you, and then making sure you have a clear and decisive plan in terms of its execution.

Yulia De Bari: Awareness and cyber hygiene has never been so important as they are today, and especially now with so many people working from their homes, connected to their home networks, remote work completely changes the dynamics and rules of the game. So employees who work from home don't really have the required firewalls or network-based intrusion detection systems, or any really other defenses that corporate network can provide. So if before COVID-19, less than 10% of workforce worked remotely, today it is 100%. Now, can you recommend some precautionary measures that people can follow to be safe from the numerous attacks that are happening today?

Vishal Salvi: Yeah. So before I talk about that item, that's excellent point, right? So I think if you look at the history of information security and cybersecurity, attackers always wanted to go and hack into your network, hack into your applications and servers. And when security started getting bigger and then better, it was easy to, rather than break the locks, to actually go for the keys. And guess what, the keys are actually with the users. Right? So, therefore it's quite natural that you will go and find out the various means, which are much easier to go and get the keys rather than break the locks. So that is one.

Vishal Salvi: And the reason it is easier is because if you look at it the whole history of humanity, dealing with digital and bits and bytes is a fairly new phenomenon, right? It's only 50 years old. So humans are not able to adapt to the way computer technology interact with you, because fundamentally, we are conditioned to behave very differently, right? If you see some fear, some danger coming your way, then you get out of your way because it's very physical. And computer systems do not allow you to do that.

Vishal Salvi: And that's the reason why a lot of people are more gullible and they don't really see a danger when they see an email or a phish. In fact, the lures are actually attracting them to fall prey more than actually otherwise. Right? So, those are fundamentally two reasons why social engineering attacks have significantly risen. And it's an issue of awareness, in terms of how do you engage your ecosystem, engage your students, your parents and the whole ecosystem citizens to make sure that they understand how to navigate this information highway called internet, and are aware of the pitfalls and are they able to take right decisions?

Vishal Salvi: But it is also about a challenge to security professionals like us to error-proof as much as security as possible, right? So that you don't allow a phishing mail to actually reach the user. If it is even reaching, you make sure that is a security wrapper around that, and so and so forth.

Vishal Salvi: So when actually deal with this, there is a defense in depth kind of a mechanism that is put in place, because 90% of the breaches or the incidents that have happened have actually email and a phish as its initial vector for an attack to be successful.

Vishal Salvi: So when you ask me this question about what are the things that people should keep in mind, there are some fundamental things, right? You have to be present. We have this message called think before you click. Right? And I think it's very, very important. The second thing is there are no free lunches and you need to understand that. If anybody's giving you anything free, whether it's an app on your mobile phone or some website, which is giving you a song, so you have to look at it with a huge amount of suspicion.

Vishal Salvi: I was a CSO for a bank for many years. None of the banks will ask you any information about yourselve because they already know. If they already have your account number, why would they ask your account number? And any email which is sounding urgent and asking you to do something, it's a simple thing is to call the person on the phone rather than respond immediately because you're not obligated to do that. And there's a last one, which is people actually phish some of your credentials and some of your information, which you have perhaps shared on a social network or somewhere else. And then use that information to send you a phishing attack, which looks very credible. And you can, again, fall prey to that because of the credibility of that attack, so you should not even fall for that.

Vishal Salvi: These are some of the few things that you should keep in mind. And if you do some of the basics right and you show your presence of mind, you can stay away from such social engineering attacks.

Yulia De Bari: So here we come to the end of our conversation. Can you leave our listeners with one major insight on what the future holds for us in general and in terms of cybersecurity?

Vishal Salvi: I think in general, I call this as a in-between era, right? From the pre-COVID to a post-vaccine kind of scenario is a in-between era and it can be anything between 12 months to 24 months. And so I think the humanity will learn to live with the virus for some period of time.

Vishal Salvi: But what I hope we don't have to do is to deal with a computer virus. But I think the most, most important message that I would like to give is that cybersecurity now is a fundamental mainstream requirement. And it has to be embedded in organization strategy in terms of how you deal with these threat landscape by having cyber as a foundation and fundamental element of your strategy and your day-to-day activities. And once you do that, you will be able to ensure that you are able to future-proof your organization from such attacks, you can go with the confidence that is required for you to be able to do this adoption of this digital, which has been such a powerful force to allow people to work from home. And we are now looking at staring at very large, massive sharp rise of the next transformation of digital, because we'll continue to have this in-between era, and cyber is going to be a strong foundation for that.

Yulia De Bari: Vishal, thank you for your time and the highly interesting discussion. Everyone, you can find details on our show notes and transcripts at Infosys.com/IKI in our podcast section.

Yulia De Bari: You have been listening to the Knowledge Institute: The CyberBites Edition, where we talk about some of the company's key responses to cybersecurity threats in the COVID era. And until next time, keep learning and keep sharing.