Why Organizations Need to Invest in a Good Cybersecurity Culture

General Manager and Technology Leader, IBM Singapore

Businesses nowadays must ensure that every person or entity related to the organization is cyber-aware by making cybersecurity awareness, prevention, and practices a critical element of their culture. Cybersecurity has become a social and corporate necessity. In the ongoing fight against malicious actors and ransomware, cyber literacy and awareness are crucial. But how can we address the danger and/or resolve the problems?

Finding cybersecurity experts for this position is crucial, but considering how ransomware is spreading like wildfire, it is obvious that this has to be made a higher priority – and for every employee. The skills gap is being addressed by businesses in a variety of ways, including new university programs, technical and vocational programs, apprenticeships, certifications, early education, and government initiatives, but it doesn’t seem like enough is being done.

According to Frost & Sullivan, the rising disparity between the number of skilled cybersecurity experts that are available and the open positions will expand to 1.8 million by 2022. With competent experience, the battle against hostile cyber intent may start. To win the cyber battle, businesses must make cybersecurity knowledge, prevention, and practices an integral part of their culture.

CIO World Asia spoke with Colin Tan, General Manager and Technology Leader, IBM Singapore about the need to invest in a good cybersecurity culture.

Building Cyber Resilience

Making a plan for cyber resilience is more crucial than ever given the quick evolution of various types of cyber-attacks. Since its inception, ransomware has changed significantly and will keep doing so, which means that it will get better at achieving its evil objectives. It is becoming more advanced and destructive, and it will only grow worse. However, 2022 has seen a rise in the usage of wiperware, another cybersecurity danger that enterprises need to be wary of.

Cybersecurity is a foundation for cyber resilience. In the sense of, “Let’s lock all the doors to keep any bad actors out,” cybersecurity is preventive in nature. On the other side, the goal of cyber resilience is to succeed in the case of a cyber breach. Businesses must plan and get ready right away to carry on with business in the event of a breach. Cyber resilience, in essence, is a “Plan B” for when the attackers and invaders are successful. Protecting important data and enabling speedy recovery to resume regular corporate activities are the two goals of cyber resilience.

When cyber awareness permeates every part of the firm – People, Processes, and Technology – businesses may develop cyber resilience. It’s important to foster the idea that everyone has a stake in cybersecurity. The staff should receive training on cybersecurity techniques particular to their industry in addition to generic cyber awareness. An HR employee doing online interviews, for instance, has to be taught how to spot and respond to situations involving deepfakes. A developer should receive Secure DevOps training.

While the PR & communications department should have sufficient cyber understanding to issue a calibrated reaction in the event of a cyber crisis, a Security Operations Centre (SOC) analyst should be educated in technical elements of incident response. Being a cyberhero should be promoted for everyone. Cybertact, cybercoherence, and agility ought to be rewarded. A monthly Cyber Champion award might be given to honor exceptional deeds.

Importance of Instilling Cybersecurity as a Culture

This decade’s biggest challenge will be cybersecurity. The scope and complexity of cybersecurity threats will increase along with our dependence on technology. That’s where the money is for corporations. The cost of cybercrime, which is already in the billions of dollars, is rising each year as its frequency, extent, and degree of harm do as well. Some attacks are expensive and inconvenient, but others may be disastrous.

IBM Security X-Force noted that ransomware assaults against manufacturers, including those of food, medical devices, autos, and steel, increased more than any other industry in 2021, quadrupling against energy businesses from the year before. According to a recent survey by Coleman Parkes, there are 54 cybersecurity incidents reported by Singapore enterprises every day, and the risks are changing so quickly that 62% of the country’s cybersecurity experts find it difficult to keep up.

Every individual or entity associated with the firm must now be cyber-aware since cybersecurity has become a social and corporate necessity. Cyber awareness should be a top-down process in a company. The “lack of competent resources to assess and handle hazards” is one of the obstacles to managing these cyber threats that persist despite the efforts that have been made. One of the causes of this is human error, so it is important to give reskilling and upskilling top priority to guarantee that employees are keeping up with the advancement of technology and the changing nature of the workplace. Employee burnout and exhaustion brought on by constant strain and worry from the pandemic, as well as outdated procedures, can be blamed for a significant portion of human error.

Continuous training and exposure to typical cyberthreats and popular hacking techniques such as phishing, smishing, and OSINT (open-source intelligence) are the best ways to raise awareness. Additionally, it will be crucial for all stakeholders to understand the business’s risk factors and what has to be done to restore it in the event of a cyberattack. In order to do this, cutting-edge cyber range facilities may be employed for ongoing training and playbook testing.

Dealing With Overwork and Demand of Professionals

Cyberattacks have evolved over the past few years, becoming more destructive as well as more frequent. Between 2020 and 2021, the number of cybersecurity incidents handled by the IR team at X-Force increased by over 25%. Additionally, according to research by Check Point Software Technologies, the weekly average number of network assaults rose by 50% in 2021 compared to 2020. However, there is a limited number of security experts who are qualified and skilled to respond to cybersecurity events, even as the sector is required to respond to an increasing number of cyberattacks.

As a result, businesses might not have the resources they need to mitigate and recover from cyberattacks while many IR teams are compelled to fight on many fronts. According to the IBM report, 68% of incident responders frequently need to address two or more cybersecurity events at once, underscoring how active the industry is. The vast majority of respondents stated they had a good support structure in place as incident responders handle the strain and demanding nature of cyber response.

But organizations can empower incident responders even more by prioritizing cyber readiness and developing strategies and playbooks that are tailored to their specific environment and resources, whether they be internal Blue Teams or external IR teams they engage in the case of a cyber disaster. As a result, an incident may be handled more quickly and agilely, and the burden on the entire company may be reduced.

Situational knowledge of their infrastructure is crucial in this regard. Businesses should concentrate on conducting simulation exercises to assess their level of preparedness. This will give them an idea of how their teams would respond to an attack and will also give them the chance to properly integrate the various teams involved in a cyber disaster.

Skills New Cybersecurity Professionals Should Acquire

There is a considerably greater need for skilled personnel in this industry than there are qualified job seekers. To address the world’s cybersecurity skills gap, the workforce must grow by about four million workers, or 145%. However, a poll found that just 9% of millennials desire to work in cybersecurity, so the sector needs to drastically alter its approach to bridge the gap. The disparity between needs and individuals will widen as a result of current messaging and the absence of professional opportunities.

Professionals in the cybersecurity field must possess both hard and soft abilities. In cybersecurity, there is a shortage of both “hard” and “soft” skills. When the majority of the workforce in the cybersecurity sector has a standard college education, it lacks the variety of thought necessary for tasks like threat detection, prevention, and prediction.