Talking Cybersecurity with Foo Siang-tse: “Empower Employees to be the First Line of Defence against Cyber-Attacks”

October 7, 2016, 8:50 am

With cyber threats on the rise and a shortage of skilled cybersecurity talent raising concerns about protecting confidential organisational data from leaks and theft, we at HR in ASIA took the opportunity to speak with Foo Siang-tse, Managing Director of Quann, for his insights on the cybersecurity landscape in Asia: the threats, challenges and opportunities the industry presents for the future workforce.

While underscoring the importance of HR in creating a culture of cybersecurity awareness and cyber wellness in organisations, Foo Siang-tse firmly dispels the common misconception that cybersecurity is merely a technology or IT problem. “Cybersecurity is everyone’s responsibility and not just that of IT professionals. Cybersecurity is a ‘human’ issue – where often the ‘human’ is the most critical aspect in defending an organisation.” Read on…

  1. How vulnerable are employees to cyber-attacks, and how can organisations equip their employees with the knowledge and skills necessary to address this global challenge?

Employees are actually relatively vulnerable to cyber-attacks. In fact, they are considered the organisation’s weakest link from a cybersecurity standpoint. According to IBM’s 2016 Cyber Security Intelligence Index, 60 percent of all cyber-attacks monitored from over 100 countries in 2015 were undertaken by insiders, either those with malicious intent or those who served as inadvertent actors.

Malicious insiders are rare, but they still have the ability to cause significant damage owing to their level of access. In fact, administrators with privileged identities pose special risks.

Foo Siang-tse, Managing Director, Quann

Furthermore, as it becomes increasingly common for businesses to outsource services such as IT, payroll, accounting and marketing, they will have to pay further attention to external contracted parties who are granted access to sensitive data and personally identifiable information.

Succinctly put, because the human element is vulnerable to cyber-attacks, employee training must therefore be a critical element of security. However, a recent study conducted by Trend Micro found that almost half of the 300 organisations surveyed across Asia Pacific have little to no security awareness programs in place.

Companies need to understand the value of helping their employees internalise the importance of protecting customer and colleague information. Companies should also possess a basic grounding in other risk areas, and understand how to exercise good online judgement. Most importantly, employees need to know the Internet safety policies and practices to which they are expected to adhere in the workplace.

Practice and prevention are critical in helping companies protect themselves. I would strongly recommend simulation and tabletop exercises so that employees can be familiarised with what can go wrong and practise their roles. This is no different from how companies conduct regular fire and evacuation drills – such discipline should likewise be applied to the cyber domain.

  2. What are some of the key measures employers and HR managers should take to minimise employee vulnerability to cyber-attacks?

It is more helpful to think in terms of strategy in this case than to identify any particular measure. The most important thing to do is to centre the company’s cybersecurity strategy on its human resources.

One concrete step is that the firm’s leadership must lead by example to show that cybersecurity is everyone’s responsibility. They should also formulate cybersecurity policies that are both effective and easily implemented, such that they do not impede day-to-day operations.

  3. Please share some industry best practices that companies can implement to help employees become more cyber aware.

Here are some best practices that companies can implement to help employees become more cyber aware:

  • Educate employees about scams and teach them how to spot bogus emails from phishing sites.
  • Don’t forget mobile devices: they also need to be secure because data leaks can also occur outside of the workplace.
  • Educate employees on possible cyber threats that come with the use of free and public Wi-Fi hotspots.
  • In developing cyber security policies, consider company culture and how this could possibly lead employees to overlook cyber threats and compromise the organisation’s systems.
  • Keep a clean machine. Your company should have clear rules about what employees can download onto their work computers. Make sure they understand and abide by these rules. Unknown outside programs can open security vulnerabilities in your network.
  • Have a firm policy on password creation and enforce regular password updates. A strong password is at least 12 characters long and contains upper and lower case letters, numbers, and symbols. Having separate passwords for every account helps to thwart cybercriminals. At a minimum, they should separate work and personal accounts and make sure that critical accounts have the strongest passwords.
  • Employees should be educated to not open suspicious links in emails, tweets, posts, online ads, messages, and/or attachments – even if they think they can trust the source. Employees should be instructed to use the company’s spam filters, and educated on how these can be used to prevent unwanted, harmful email. It also helps to have a hotline or service desk they can call so that these potential threats are spotted early and others can be warned.
  • Backing up employees’ work: Whether the company has set employees’ computers to back up automatically or asks that they do it themselves, employees should be instructed on their role in protecting their work.

  4. What is the role of HR in ensuring cyber security in organisations?
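The password rule stated in the list above (at least 12 characters with upper and lower case letters, numbers and symbols, and no password shared between accounts) can be turned into an automated check. The following is an added example written for this article, not code from Quann or the interviewee; the account names and passwords are constructed sample data.

```python
import re

MIN_LENGTH = 12  # the interview's rule: at least 12 characters

# One pattern per character class the policy requires.
_CHARACTER_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def policy_violations(password: str) -> list[str]:
    """Return the rules a candidate password fails (empty list means compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in _CHARACTER_CLASSES.items():
        if not pattern.search(password):
            failures.append(f"missing {name}")
    return failures


def reused_passwords(accounts: dict[str, str]) -> list[list[str]]:
    """Group account names that share the same password (the 'separate passwords' rule).

    Intended for a user-side audit, e.g. over a password manager export, where the
    plaintext values are available; the passwords themselves are never returned.
    """
    by_password: dict[str, list[str]] = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return [names for names in by_password.values() if len(names) > 1]


def audit_accounts(accounts: dict[str, str]) -> dict:
    """Full audit: per-account policy failures plus groups of accounts sharing a password."""
    return {
        "violations": {acct: policy_violations(pw) for acct, pw in accounts.items()},
        "reused": reused_passwords(accounts),
    }


if __name__ == "__main__":
    # Constructed sample: one compliant password reused across two accounts, one weak one.
    sample = {"work-email": "Tr0ub4dor&3x!", "bank": "Tr0ub4dor&3x!", "personal": "password"}
    print(audit_accounts(sample))
```

Composition rules like these are the policy the interview describes; current guidance such as NIST SP 800-63B places more weight on length and screening against known-breached passwords than on mandatory character classes, so a practitioner would pair this check with a breached-password list.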

The common misconception among organisations about cybersecurity is that it is a technology and IT problem. On the contrary, cybersecurity is a “human” issue – where often the “human” is the most critical aspect in defending an organisation. This underscores the crucial role HR plays in creating a culture of cybersecurity awareness and cyber wellness.

In a similar vein, HR drives and enforces employee-related policies, including those relating to cyber security, at a company-wide level. This places HR in a strategic position to ensure company-wide compliance to these policies.

HR is also in a position to drive employee education on cybersecurity, and monitoring how training is conducted is also part of this department’s responsibilities. Additionally, HR can also consider offering incentives to employees who perform well in phishing exercises or spot potential breaches and vulnerabilities.

HR is uniquely placed to protect the firm from malicious insiders. Malicious insiders facilitate cybercriminals’ reconnaissance and entry. These insiders, either knowing or manipulated, are involved in more than half of all cyber-attacks.

Hackers identify them through social media, and then groom them in preparation for using them to assist their hack. They might target those who are predisposed to break security protocol, such as those who react poorly to authority. They might then wait for a trigger event, like a workplace conflict or dismissal, and then leverage this event to egg the individual into assisting them.

This process means that HR teams are very well placed to prevent malicious insiders from helping hackers, as they could potentially play a role in identifying employees who could be involved in such malicious activities.

  5. With an alarming shortage of cybersecurity talent globally and a lack of skilled manpower, how can organisations embrace going fully digital while ensuring complete data security?

The shortage of cyber security talent only underscores the importance of empowering employees to be the first line of defence against cyber-attacks. Companies cannot rely only on their in-house IT team to secure their digital assets.

Cybersecurity is everyone’s responsibility, not just that of IT professionals. Having said that, companies can still reap the numerous advantages brought about by going digital by putting in place practices and policies that promote cybersecurity, and by training employees to be able to identify and avoid risk.

In light of the chronic shortage of cybersecurity talent worldwide, many companies now partner with external managed security service providers who have the scale, technology, skillsets, and knowhow to protect them.

  6. How can organisations create a culture of cyber security at work through strategies and tools such as data encryption solutions, securing networks, etc.?

Organisations need a 360-degree approach to cybersecurity. This ranges from risk assessment and penetration testing, to having round-the-clock real-time threat monitoring, to being able to recover quickly with minimum losses. Firms should already have remediation measures to make sure that these breaches do not happen again.

While having the best technology can help organisations to protect themselves from known and unknown threats, cybersecurity is still contingent on humans, and not just on technology alone. The challenge in implementing many security solutions is the trade-off with convenience and operational effectiveness. For example, data encryption solutions may have latency effects.

Hence, employee engagement is critical to inform employees of the importance of these measures and the value they create for the company before the deployment of such solutions. Otherwise, employees may simply bypass the proposed measures in favour of the status quo.

  7. With companies now moving business data to the cloud (both public and private), security threats have further increased. How can organisations ensure that their confidential data on third-party networks is secured and hacker-proof?

Cloud-based resources are becoming increasingly vital for businesses, especially with the proliferation of digital transformation. According to a recent study by the Ponemon Institute, companies are now using the cloud to store data such as customer information, emails, consumer data, employee records and payment information types.

Here is a non-exhaustive list of measures organisations can adopt in order to mitigate the security risks:

  • Implement Cloud Encryption

Companies should encrypt their data to secure it on the cloud. This way, hackers will be unable to easily access the data stored in the cloud even if they successfully hack into the server. Cryptographic schemes are used to transform plain text to an otherwise unintelligible form known as ciphertext. In order to decrypt the information, a secret value known as the key is required. This can help to prevent unauthorised access to sensitive information in case of a data breach.

  • Use Multi-Factor Authentication

In addition to encryption, companies should also be encouraged to adopt a multiple layer security approach. Using two or more authentication factors is widely recognised as one of the most secure software authentication methods, and this greatly increases the level of protection against attacks.

  • Perform effective due diligence when researching a cloud service provider

Be sure to review the Cloud Service Provider’s security history and references and ask about its known security vulnerabilities. Ensure that the service agreement includes adherence to current industry standards, and that they have up-to-date knowledge of these standards.

  • Employ Trusted Third Parties

Work with an expert on a regular basis to ensure cloud security. This could either be employing a consultant, or having a service company perform independent third-party audits to ensure that your Cloud Service Provider is compliant with your industry’s standards of security, and that your data stored in the cloud is not liable to falling into the hands of cybercriminals.

  8. How important is it to provide your employees and professionals with cyber security awareness training programmes?

Cybersecurity awareness training programmes are critical in empowering employees to be the company’s first line of defence against cyber-attacks and creating a culture of cybersecurity within the organisation.

Without such training programmes, it is unlikely that employees will be properly trained and equipped with the knowledge, much less be motivated to adhere to the firm’s cybersecurity protocol. These programmes need to be carried out regularly to ensure that best practices are internalised and up-to-date information on potential threats is disseminated.

  9. How often do you think organisations should keep their employees posted about cybercrime incidents in order to make them more alert and aware?

It is vital for companies to create a culture of cyber security amongst employees. This means that cyber security training programmes and updates should be seen as part of the company’s way of doing business and should not be implemented on an ad-hoc basis. With threats evolving all the time, it is imperative that organisations continuously update employees on new ways in which hackers might target employees to steal information.

This also means that HR may need to update the policies from time to time to ensure that their latest policies are able to address the threats of the day.

  10. How important is the role of academic institutions in providing cyber security awareness training to students and grooming talent for a technically advanced future?

Beyond providing cyber security awareness training to students, academic institutions play a fundamental role in equipping tomorrow’s cybersecurity experts with the proper training they need to navigate the increasingly complex cybersecurity industry.

To address the shortage of cybersecurity talent in Singapore, Quann partnered with the National University of Singapore (NUS) and Singapore Management University (SMU) in March 2016 so as to develop enterprise cybersecurity training modules for students and professionals. Under this partnership, Quann works with NUS and SMU to develop course content covering network knowledge, essential cybersecurity techniques, and advanced threat detection and assessment.

Additionally, Quann also offers internship and recruitment programmes for undergraduates, thus providing students the exposure to real world cyber threats and operations, and the opportunity to work alongside Quann’s security professionals.

Quann is also taking concrete steps to retain cyber security talent. The company provides fresh graduates with a multitude of career pathways and exposure to multiple business units, allowing them to eventually specialise in their area of interest, such as threat analysis, reverse engineering, research and development, sales or management.

Content credits: This exclusive interview coverage and content is produced by HR in ASIA. Any redistribution or reproduction of part or all of the contents in this interview is strictly prohibited. You may not, except with our express written permission, distribute or commercially exploit the content. 

Image credit: freedigitalphotos.net