CenturyLink APAC Director Product Management Security and former Member of Cloud Security Alliance Singapore Cheah Wai Kit sheds light on common misconceptions around security and why it is important for business leaders to instill cyber security awareness and responsibility among employees.
By Cheah Wai Kit
Staying home has been central in efforts to combat the spread of the novel coronavirus in the past months. Perhaps, a similar approach can be taken when dealing with cybersecurity threats. ‘Home’, literally and figuratively, is where organizational threat defense efforts need to start and be ramped up at a time when remote working is the new norm and mandated.
Since the pandemic, there has been an estimated 70 percent increase in remote work across the globe. Deloitte projected that up to 47.8 million people across ASEAN could permanently shift to working remotely over a multi-year horizon, as organizations look to drive productivity and lower costs. This can create more vulnerabilities for cybercriminals to hack into home networks and implicate an enterprise’s as well.
COVID-19 has certainly driven home the significance of cybersecurity. However, businesses need to move away from the traditional and outdated mindset that the responsibility of an organization’s security falls on the IT team. It is time we empower employees so they can play their part in building cyber resilience for their organizations.
Cybersecurity starts with people
In my experience, there are three ‘M’s culpable for cybersecurity breaches in an organization: Mismanagement, Misconfiguration, and Mistakes. Of these, I have found that people are usually the weakest link, particularly because there may often be a lack of awareness, lack of competencies, and lack of care.
Take phishing for example. It is one of the most common and effective methods of social engineering and has become increasingly sophisticated in recent years. People fall prey to phishing scams easily because they are either unable to distinguish a phishing message from a legitimate one or are indifferent or uneducated about such attacks. The Cyber Security Agency of Singapore has detected over 47,500 phishing URLs with a Singapore link in 2019 alone – a concerning 200 percent increase from the previous year.
With so many employees working remotely, it is imperative that not just organizations, but employees need to be aware that their home and enterprise networks are more vulnerable than ever before.
Security is also a people business, and never has it become more important to place some of that responsibility into the hands of your own employees. A virtual workplace translates to an expanded perimeter that are more difficult to manage; in efforts to maintain business as usual, remote workers are now accessing more data and critical business software and systems from networks, and maybe sometimes even devices, that are not wholly managed or issued by their organization.
Business leaders should dive deeper into a people-centric approach towards security. We need to move away from the belief that cybersecurity is just an IT department’s responsibility. There needs to be a fundamental shift in securing an organization’s data and intellectual property and that lies in equipping individuals with the right knowledge, awareness and tools to detect, manage, and mitigate risks.
One way to equip employees with the know-how is to develop and improve cyber intelligence and cyber literacy among a workforce. This is especially relevant and important for home-based workers to reduce cyber risks stemming from internal sources. This does not mean that the onus lies only with employees to protect the business, rather, it is about establishing adequate education, proper systems and protocols that work, to ensure adherence to security policies.
Constantly evolving policies and strategies
For most organizations, the view on cybersecurity is piecemeal and very technology focused. Effective cyber defense does not mean just deploying products or technologies. An average enterprise uses a massive 75 security tools, but breaches are still taking place. Using more technology services and products is not the magic bullet to approach one’s cybersecurity strategy. A robust connected security model involving people, processes, and technology is what will.
Enterprises are gradually realizing that the evolution of the threat landscape cannot be managed by just their employees and IT team. Working with managed security service providers (MSSP) is the way forward for many digital business today. Support from trusted partners can help ease the workload and greatly strengthen an organization’s security posture. Threat-defense capabilities can be extended through adaptive threat intelligence solutions for data analysis providing insights that you can act on, and managed security behavioral analytics solutions to help you monitor breach of access privileges and network activity for detecting potential threats.
MSSPs are better equipped with both the technologies and knowledge to accurately diagnose, detect, and troubleshoot any potential threat. This frees up resources for businesses to focus on their main operations and not be burdened by security challenges.
Businesses can also consider adhering to a cybersecurity framework to better manage against attacks. One example is a guide provided by the Multi-State Information Sharing & Analysis Center to help organizations better apply and advance their cybersecurity policies.
Lastly, organizations should widely adopt training tools designed to help employees understand the security implications of their actions and change their behavior needs. Improving cybersecurity awareness among employees has also been valued by our global customers over many years.
Building a cybersecurity-minded organization
Creating a culture of security cannot be expected to happen overnight. It is a transformation that begins by demystifying technology and preparing your employees to be vigilant of cyber threats in its myriad forms. Cyber threats are always evolving, but the constant vulnerability of an organization remains its employees.
Although security measures such as antivirus software, firewalls, and system updates are managed by IT departments, I cannot stress enough that employees can be empowered with the knowledge to detect a threat or prevent one from becoming a breach.
Security upskilling and accountability within the workplace will in the long run translate to better customer satisfaction, brand loyalty, and digital trust. These are the values that need to be constantly communicated, inculcated, and upheld in your workforce to reinforce the overall importance of cyber security and demonstrate why mitigating cyber security risks starts at ‘home’.
(Ed. Featured image by Photographer Andrea Piacquadio.)