With cyber threats on the rise and a shortage of skilled cybersecurity talent posing security concerns as regards protection of confidential organisation data from data leaks and cyber theft, we at HR in ASIA chanced on an opportunity to interact with Foo Siang-tse, Managing Director, Quann, to derive insights on the cybersecurity landscape in Asia – the threats, challenges and opportunities presented by the industry for the future workforce.
While underscoring the importance of HR in creating a culture of cybersecurity awareness and cyber wellness in organisations, Foo Siang-tse clears up the misconception firmly held that cybersecurity is a technology or IT problem. “Cybersecurity is everyone’s responsibility and not just that of IT professionals. Cybersecurity is a “human” issue – where often the “human” is the most critical aspect in defending an organisation.” Read on…
Employees are actually relatively vulnerable to cyber-attacks. In fact, they are considered the organisation’s weakest link from a cybersecurity standpoint. According to IBM’s 2016 Cyber Security Intelligence Index, 60 percent of all cyber-attacks monitored from over 100 countries in 2015 were undertaken by insiders, either those with malicious intent or those who served as inadvertent actors.
Malicious insiders are rare, but they still have the ability to cause significant damage owing to their level of access. In fact, administrators with privileged identities pose special risks.
Furthermore, as it becomes increasingly common for businesses to outsource services such as IT, payroll, accounting and marketing, they will have to pay further attention to external contracted parties who are granted access to sensitive data and personally identifiable information.
Succinctly put, because the human element is vulnerable to cyber-attacks, employee training must be a critical element of security. However, a recent study conducted by Trend Micro found that almost half of the 300 organisations surveyed across Asia Pacific have little to no security awareness programmes in place.
Companies need to understand the value of helping their employees internalise the importance of protecting customer and colleague information. Companies should also possess a basic grounding in other risk areas, and understand how to exercise good online judgement. Most importantly, employees need to know the Internet safety policies and practices to which they are expected to adhere in the workplace.
Practice and prevention are critical in helping companies protect themselves. I would strongly recommend simulation and tabletop exercises so that employees can be familiarised with what can go wrong and practise their roles. This is no different from how companies conduct regular fire and evacuation drills – such discipline should likewise be applied to the cyber domain.
It is more helpful to think in terms of strategy in this case than to identify any particular measure. The most important thing to do is to centre the company’s cybersecurity strategy on its human resources.
One concrete step is that the firm’s leadership must lead by example to show that cybersecurity is everyone’s responsibility. They should also formulate cybersecurity policies that are both effective and easily implemented, such that they do not impede day-to-day operations.
Here are some best practices that companies can implement to make employees more cyber aware:
The common misconception among organisations about cybersecurity is that it is a technology and IT problem. On the contrary, cybersecurity is a “human” issue – where often the “human” is the most critical aspect in defending an organisation. This underscores the crucial role HR plays in creating a culture of cybersecurity awareness and cyber wellness.
In a similar vein, HR drives and enforces employee-related policies, including those relating to cybersecurity, at a company-wide level. This places HR in a strategic position to ensure company-wide compliance with these policies.
HR is also in a position to drive employee education on cybersecurity, and monitoring training is also part of this department’s responsibilities. HR can also consider offering incentives to employees who perform well in phishing exercises or spot potential breaches and vulnerabilities.
HR is uniquely placed to protect the firm from malicious insiders. Malicious insiders facilitate cybercriminals’ reconnaissance and entry. These insiders, whether knowing or manipulated, are involved in more than half of all cyber-attacks.
Hackers identify them through social media, and then groom them in preparation for using them to assist their hack. They might target those who are predisposed to break security protocol, such as those who react poorly to authority. They might then wait for a trigger event, like a workplace conflict or dismissal, and then leverage this event to egg the individual into assisting them.
This process means that HR teams are very well placed to prevent malicious insiders from helping hackers, as they could potentially play a role in identifying employees who could be involved in such malicious activities.
The shortage of cybersecurity talent only underscores the importance of empowering employees to be the first line of defence against cyber-attacks. Companies cannot rely only on their in-house IT team to secure their digital assets.
Cybersecurity is everyone’s responsibility, not just that of IT professionals. Having said that, companies can still reap the numerous advantages brought about by going digital by putting in place practices and policies that promote cybersecurity, and training employees to be able to identify and avoid risk.
In light of the chronic shortage of cybersecurity talent worldwide, many companies now partner with external managed security service providers who have the scale, technology, skillsets, and knowhow to protect them.
Organisations need a 360-degree approach to cybersecurity. This ranges from risk assessment and penetration testing, to having round-the-clock real-time threat monitoring, to being able to recover quickly with minimum losses. Firms should already have remediation measures in place to make sure that these breaches do not happen again.
While having the best technology can help organisations to protect themselves from known and unknown threats, cybersecurity is still contingent on humans, and not just on technology alone. The challenge in implementing many security solutions is the trade-off with convenience and operational effectiveness. For example, data encryption solutions may have latency effects.
Hence, employee engagement is critical to inform employees of the importance of these measures and the value they create for the company before the deployment of such solutions. Otherwise, employees may simply bypass the proposed measures in favour of the status quo.
Cloud-based resources are becoming increasingly vital for businesses, especially with the proliferation of digital transformation. According to a recent study by the Ponemon Institute, companies are now using the cloud to store data such as customer information, emails, consumer data, employee records and payment information.
Here is a non-exhaustive list of measures organisations can adopt in order to mitigate the security risks:
Companies should encrypt their data to secure it on the cloud. This way, hackers will be unable to easily access the data stored in the cloud even if they successfully hack into the server. Cryptographic schemes are used to transform plaintext to an otherwise unintelligible form known as ciphertext. In order to decrypt the information, a secret value known as the key is required. This can help to prevent unauthorised access to sensitive information in case of a data breach.
In addition to encryption, companies should also be encouraged to adopt a multiple layer security approach. Using two or more authentication factors is widely recognised as one of the most secure software authentication methods, and this greatly increases the level of protection against attacks.
Be sure to review the Cloud Service Provider’s security history and references and ask about its known security vulnerabilities. Ensure that the service agreement includes adherence to current industry standards, and that they have up-to-date knowledge of these standards.
Work with an expert on a regular basis to ensure cloud security. This could mean either employing a consultant, or having a service company perform independent third-party audits to ensure that your Cloud Service Provider is compliant with your industry’s standards of security, and that your data stored in the cloud is not liable to fall into the hands of cybercriminals.
Cybersecurity awareness training programmes are critical in empowering employees to be the company’s first line of defence against cyber-attacks and creating a culture of cybersecurity within the organisation.
Without such training programmes, it is unlikely that employees will be properly trained and equipped with the knowledge, much less be motivated to adhere to the firm’s cybersecurity protocol. These programmes need to be carried out regularly to ensure that best practices are internalised and up-to-date information on potential threats is disseminated.
It is vital for companies to create a culture of cybersecurity amongst employees. This means that cybersecurity training programmes and updates should be seen as part of the company’s way of doing business and should not be implemented on an ad-hoc basis. With threats evolving all the time, it is imperative that organisations continuously update employees on new ways in which hackers might target employees to steal information.
This also means that HR may need to update the policies from time to time to ensure that their latest policies are able to address the threats of the day.
Beyond providing cybersecurity awareness training to students, academic institutions play a fundamental role in equipping tomorrow’s cybersecurity experts with the proper training they need to navigate the increasingly complex cybersecurity industry.
To address the shortage of cybersecurity talent in Singapore, Quann partnered with the National University of Singapore (NUS) and Singapore Management University (SMU) in March 2016 to develop enterprise cybersecurity training modules for students and professionals. Under this partnership, Quann works with NUS and SMU to develop course content covering network knowledge, essential cybersecurity techniques, and advanced threat detection and assessment.
Quann also offers internship and recruitment programmes for undergraduates, thus providing students with exposure to real-world cyber threats and operations, and the opportunity to work alongside Quann’s security professionals.
Quann is also taking concrete steps to retain cybersecurity talent. The company provides fresh graduates with a multitude of career pathways and exposure to multiple business units, allowing them to eventually specialise in their area of interest, such as threat analysis, reverse engineering, research and development, sales or management.
Content credits: This exclusive interview coverage and content is produced by HR in ASIA. Any redistribution or reproduction of part or all of the contents in this interview is strictly prohibited. You may not, except with our express written permission, distribute or commercially exploit the content.
Image credit: freedigitalphotos.net