The pressing concerns
The consequences of any cybersecurity breach are dire; it can harm important stakeholders, damage an organization’s finances, or could even become a matter of national security. For example, Google’s roughly 1 billion Gmail users worldwide were victims of a phishing attack seeking to gain control of their email. In India this January, hackers infiltrated the systems of three government owned banks, while at the same time in Singapore, the Ministry of Defence saw the personal data of 850 National Servicemen leaked.
Interestingly, a 2016 report found that the major cause of security breaches in organizations was not the expected “phishing” or “sophisticated hacking”, but plain human error. The alarming WannaCryptor worm that plagued the likes of Britain’s National Health Service and Spain’s Telefonica was not because of a technical error, but human error – clicking on a suspicious link, ignoring system updates or downloading programs from unverified sources.
An ideal solution would therefore be education on cybersecurity.
Education on cybersecurity
More often than not, workplace cybersecurity training is just rushed inductions with newcomers or perfunctory lectures. A co-operative and committed understanding to improving cybersecurity is necessary in order for steps in cybersecurity to succeed.
1. Have consistent, frequent and relevant conversations about cybersecurity
With the recent WannaCryptor attacks going after sensitive data from governments and large institutions, the topic of cybersecurity can remain distant and far-fetched to a regular employee. This is why employers need to realise cyberbreaches affect every department at every level, from the CEO to the university intern. Department-related cybersecurity sessions are useful to increase interest and avoid disconnect on the topic.
These training sessions should be “short but often” in order to remain engaging and effective, especially since 10-page-long handbooks, though clear and on hand, often get dumped after a week or two. Short bursts of activities to promote topic recalls, such as cybersecurity news in the company newsletter or regular chat sessions will help sustain the conversation and relevance of cybersecurity.
2. Communicate transparently
Frequent communication between the IT department and all other departments fosters a spirit of co-operation, instead of grudging compliance. From minor glitches to serious breaches, always keep employees in the loop. The IT department (or the department that experienced a glitch) could send a heads up all employees, listing the actions the IT department will take, as well as how the rest of the company can help. Follow up with a post-mortem sharing how the glitch occurred, and how employees can help to prevent a similar incident from happening.
3. User-friendly steps that help more than hinder
Task employees with simple steps they can take to secure their devices and data. For example, each employee could be tasked with adopting Password Management applications to create and manage different passwords for different portals, or to look out for software updates and co-operate with the IT department to update such software. This instils a sense of ownership in each employee, instead of relegating cybersecurity to the IT department. Other office policies could include using only company approved software on work devices, or specific rules regarding usage of devices during travel.
However, be sure that these cybersecurity policies remain simple yet purposeful. Mindless routines of monthly password changes to all company portals are not only irritating to employees, but could ultimately backfire when employees resort to extremely simple passwords to circumvent troublesome rules.
Cybersecurity won’t work if the Directors are too busy or if the Marketing department finds it too much of a hassle.
4. Simulation exercises for practice
Train employees to identify social engineering and other scams by putting them to the test. A “fire drill” of sorts, the IT department could simulate a breach or phishing attack, and thereby practise with employees what are recommended steps to take to protect data, stop the spread of the attack, and recover.
5. Never disapprove of well-meaning employees
Though cybersecurity requires proactive steps to succeed, there are some things that organisations should never do, such as criticising or making fun of an employee who genuinely raises a concern, even if it turns out to be a red herring. This defeats the purpose of creating urgency and awareness of cybersecurity, and could also discourage employees from speaking up in the event of a genuine cyberattack. Instead, use the opportunity to educate the employee. If false alarms happen often, re-think the current training approach.
Nurturing professionals in the industry
In order for any of the above to take place, it is clear that seasoned, well equipped professionals are needed to develop, run and maintain secure organisations.
Worryingly, the industry is also facing a lack of skilled cybersecurity professionals qualified to educate individuals on cybersecurity. According to Singapore’s Ministry of Communications and Information, there were 15,000 cybersecurity vacancies in the ICT sector, which has remained unchanged since 2014. An ISACA survey revealed that 87% of respondents agreed India was facing a shortage in cybersecurity talent.
It is therefore not surprising that a lack of cybersecurity skills leaves organizations vulnerable. Proactively, it inhibits organizations from developing and deploying effective prevention. For example, poorly constructed firewalls and outdated software provide porous barriers that hackers can easily manipulate. Reactively, a lack of cybersecurity skills degrades an organization’s ability to respond to incidents.
A change of mindset is needed as it seems unlikely that overall cybersecurity awareness will improve until company directors and C–level management take it seriously and lead by example. Governments and enterprises need to set the example by rolling out robust, comprehensive cybersecurity led by qualified professionals. For example, the Singapore government recently announced a Cybersecurity Professional Scheme, commencing this July, to attract cybersecurity experts to the public sector, and to develop and retain them. At the industry level, organizations can support these initiatives by sending their IT staff for training to upgrade their skills. Partnerships with cybersecurity vendors to supply tools and conduct employee training programs can also prevent human errors that cause the deadliest of security breaches.