SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Cybersecurity: Starting with the human factor
Wed, 3rd Jul 2019
FYI, this story is more than a year old

These days, it is difficult to dodge the topic of digitalisation in Singapore.

With the “Smart Nation” initiative in full swing, Singapore is set to reap the full benefits of digitalisation.

A study by the Economist Intelligence Unit (EIU) last year ranked Singapore as one of the most technologically ready economies for the period of 2018 – 2022.

Yet, as more of Singaporeans' data moves towards digital platforms, there is also a broader surface area for cyber threats to prey upon.

In a recent report by Dell EMC, it was discovered that data-loss incidents cost Singapore organisations an average of US$1.4 million over 12 months.

This is higher than the global average of US$939,703.

Coupled with the fact that Singapore has also experienced high-profile data breaches such as the SingHealth hack in 2018, it is obvious that cybersecurity is an issue.

Whenever a data breach occurs, people usually see and hear of repercussions affecting the organisation's C-suites.

However, cybersecurity is the collective responsibility of everyone in an organisation. A chain is only as strong as its weakest link.

The best technologies, infrastructure and legislation mean nothing if cyber threats target the human actor in the security chain.

It is no surprise the majority of the high-profile leaks that have taken place in the past year were all facilitated by some form of human lapses.

To ensure a robust and cohesive security strategy, cybersecurity consciousness must be fostered in the company culture and throughout the organisation.

Starting with organisational culture

Driving a culture change is not impossible but it would require a comprehensive cybersecurity awareness programme.

The first step toward creating a successful cybersecurity awareness programme is to recognise that it is not a project with a defined timeline and an expected completion date, nor is it something to measure with KPIs.

A successful cybersecurity awareness programme should focus instead on permeating the cybersecurity consciousness throughout the company culture.

This requires constant education and vigilance.

Typically, the most effective programmes are those that educate users upon initial hire and every quarter that follows.

This training should educate all users, especially those at the executive level who are considered high-value targets.

A mature programme should also be shaped by a keen understanding of the organisation's culture.

This will not only help set the tone for the material but will be informative for coaching and guiding individuals to change their cybersecurity competence and behaviour.

Beefing up awareness training

For most organisations, awareness training is done infrequently and is stale.

Most people candidly forget the majority of what is presented in a cybersecurity training programme because such programmes often fail to leverage a variety of presentation styles and content format. Furthermore, such training probably happens only once a year.

Kick the cadence up to three or four times a year and allow programme managers to take creative liberties with the content to better suit their audiences and demographics. What works for one group may not work for another.

Consider visuals (whiteboards, videos and ideation), use conversational auditory engagement about the subject matter and try role-playing certain concepts so students can move around and engage with each other.

The aim is to make awareness training as intuitive as possible for employees instead of your typical orientation sessions.

A recent report from Gartner and Cybersecurity Ventures even backs up the notion of organisations using a multipronged approach for cybersecurity awareness programmes.

They estimate an employee's cybersecurity competency will increase by 40 percent by 2020 through the use of different programme tactics.

Awareness training is the most underspent sector of cybersecurity, but it is also the cheapest risk-reducing measure an organisation can invest in.

Create guidelines and tips for email and social media usage

Malicious cyber-actors are constantly developing new and creative ways to fool people into handing over their most precious data.

Be it corporate emails, social media platforms or a phone call, employees need to be on constant alert.

For any service used, take advantage of any two-step verification that is provided. With this turned on, a user enters their login ID and password and then the app texts them a code. The only way to gain access is by entering that final code.

Employees should also look out for phishing attempts. Email phishing is a scam typically carried out by making unsolicited emails appear to originate from legitimate sources.

Attackers prey on unsuspecting victims, seeking to elicit personal and financial information. For an organisation, these fraudulent emails pose a considerable security risk, as the embedded links they contain can become conduits for the installation of malware on corporate assets.

Once an attacker has established a permanent presence on the corporate network, further exploits can occur, including exfiltration of sensitive data or destructive activities that can negatively impact business operations.

Employees must be made aware of such “creative” cyber threats and guidelines should be in place to combat these attempts.

Employees should constantly exercise vigilance, especially in these days where cyber threats can take the guise of email or even a phone call.