In an era where technology and security are in a constant state of evolution, and businesses are embracing digital-first approaches, the imperative of cultivating a resilient security ethos among employees has assumed paramount significance.
The most recent whitepaper from Lumen highlights the necessity for a methodical digitalization of every facet of a business, seamlessly integrating it into the broader organizational framework to truly embrace a digital-first stance. This includes the establishment of a robust culture of employee security.
Nevertheless, leaders in Singapore find themselves grappling with the challenge of instilling proper cyber hygiene practices within their organizations. As cyber threats grow increasingly sophisticated, the question looms: how can businesses ensure they are equipping both themselves and their employees for enduring success in this dynamic digital landscape?
CIO World Asia had the pleasure of speaking with Matthew Tan, Head of Security APAC, Lumen Technologies, on building employee security through organisational transformation.
The Evolving Intersection of Technology and Security in the Digital-First Business Landscape
The evolving intersection of technology and security has had a profound impact on businesses striving to become digital-first. Digital transformation has fundamentally reshaped the way people conduct business and live their lives. It has become a driving force in daily activities, ranging from online grocery shopping to electronic bill payments and accessing government services. This transformation has led to increased consumer expectations for seamless, 24/7 access to digital services.
However, alongside the opportunities for growth and innovation that digitalization offers, there are also challenges. The expansion of digital business operations has created a broader attack surface, leaving businesses more vulnerable to various cybersecurity threats, including phishing, malware, cloud or network outages, the exploitation of routine vulnerabilities, and distributed denial of service (DDoS) attacks, among others. This has significantly heightened the complexity of cybersecurity, with cybercriminals actively seeking to exploit these vulnerabilities.
To address these challenges, companies providing digital services are increasingly motivated to exercise greater caution in the maintenance of their systems. They now have more opportunities to construct digital-first ecosystems that not only ensure the ongoing updating of systems but also educate individuals about the advantages and disadvantages of adopting a digital-first approach. In this landscape, where technology and security are intricately linked, businesses aspiring to become digital-first must navigate these evolving dynamics carefully.
Security Culture in the Digital Transformation Era
In the context of digital transformation, fostering a robust security culture among employees has become critical for businesses today. This shift in perspective acknowledges that security has always been essential, but digital transformation has added new layers of importance to this imperative. Data breaches represent a particularly pressing cybersecurity concern for companies in the region.
It’s now widely recognized that security breaches are not a matter of “if,” but “when.” The prevailing belief at Lumen is that a significant portion of cybercrimes can be attributed to the three M(s): Mistakes, Misconfigurations, and Mismanagement. Contemporary malicious actors are agile and continually evolving, relentlessly searching for vulnerabilities arising from these three factors, even within the most fortified digital environments. The value of an organization’s data makes it an attractive target for these actors, who methodically exploit vulnerabilities across the entire ecosystem, including vendors and suppliers.
Human nature introduces vulnerability to a range of infiltration methods, which remain favored by government-sponsored attackers and other actor groups. Black Lotus Labs, the threat intelligence and research arm of Lumen Technologies, closely monitors these activities on a daily basis.
The primary line of defense in safeguarding an organization now revolves around building a “human firewall.” This entails the establishment of robust security policies and a continuous commitment to educating and training employees to recognize and mitigate cybersecurity risks.
Challenges Faced by Singaporean Business Leaders in Establishing a Security Culture Framework
When business leaders in Singapore endeavor to establish the appropriate framework for nurturing a security culture among their workforce, they confront several specific challenges. These challenges often arise as companies embrace digitalization, where the emphasis on speed can overshadow the imperative of constructing a robust framework.
Among the hurdles they encounter is the potential for oversight in establishing a comprehensive framework due to the rush toward digital transformation. Furthermore, there is a tendency for companies to underestimate the complexities and obstacles involved in migrating their data and applications to the cloud. This migration process, particularly when dealing with legacy applications, entails significant challenges in seamlessly integrating them into the existing IT environment while modernizing IT and reducing complexity, which may prove more daunting than initially anticipated.
Another notable challenge lies in the realm of training and expertise related to cloud technology within the organization. A lack of familiarity and skill in this domain can impede the secure adoption and utilization of cloud services. Consequently, navigating the intricacies of managing cybersecurity in the context of a company’s specific business needs necessitates an emphasis on awareness and training.
In response to these challenges, business leaders must actively cultivate a security culture that not only safeguards their organization but also the sensitive data of their customers, protecting against both internal and external threats. This approach can be aptly described as building a ‘Human Firewall,’ wherein individuals serve as the primary line of defense against cyber threats. This ongoing journey involves the education of employees regarding the evolving risk landscape and their essential role in safeguarding the company and its customers. It fosters a culture rooted in vigilance and responsibility.
Preparing Businesses and Employees to Combat Increasingly Sophisticated Cyber Attacks
Matthew outlined various methods to address common pitfalls. These methods included regular software updates, adequate employee training, and the implementation of a zero-trust security strategy based on identity.
Matthew emphasized the importance of addressing human problems with human solutions, pointing out that many organizations tend to focus on IT security solutions to mitigate human error when, in fact, they should prioritize establishing a “human firewall” as the first line of defense. Even with robust security solutions in place, Matthew noted that employee negligence or carelessness can still lead to security breaches.
To execute a proactive security strategy effectively, Matthew emphasized the need for expert assistance. Such a strategy should not only support seamless workflow but also provide clear guidance to staff regarding security policies within their work environment.
Matthew concluded by highlighting the value of partnering with a managed service provider to enhance security investments and ensure a proactive incident response. This collaborative approach, Matthew suggested, is key to fortifying businesses against the ever-evolving landscape of cyber threats and ensuring the safety of sensitive information and operations.
Key Takeaways and Immediate Actions to Strengthen Your Organization’s Security Culture
1. Vigilance in Email Attachments
To enhance security culture, individuals should exercise caution when opening email attachments. Vulnerabilities exist, and even the most cautious can fall prey to suspicious links, much as the Trojan Horse of antiquity was used to get past defenses. Malicious actors often use seemingly legitimate emails with perilous attachments or hyperlinks to exploit this vulnerability.
2. Password Hygiene for Enhanced Security
Maintaining robust password hygiene is a crucial step. Attackers are well aware of the aversion to complex passwords. Employing “password spraying,” they can infiltrate corporate networks by creating lists of user accounts, often scraped from websites like LinkedIn, and using corporate email structures as a reference. They then test common passwords, such as “Password123,” in search of a match. Encouraging employees to change passwords regularly and utilize password managers for generating random passwords is essential. Additionally, implementing unpredictable user accounts with no direct ties to employees’ real names is advisable.
3. Timely Security Patching
Neglecting security patches poses a significant risk. Many overburdened and understaffed IT departments are prime targets for attackers. When software vulnerabilities are publicly disclosed, attackers exploit their victims’ sluggish response in deploying patches. Therefore, matching the speed of patching to the threat level is a top IT priority.
4. Caution with Online Contacts
Exercising caution with online ‘contacts’ is paramount in today’s digital landscape. The removal of geographical and physical boundaries allows attackers to pose as local business contacts, despite being located halfway around the globe. Attackers excel at creating a false sense of security, making individuals vulnerable. It’s wise not to assume that online ‘contacts’ have genuine intentions and to be circumspect about the information shared online.
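The password-spraying pattern described in takeaway 2 leaves a recognisable trace in authentication logs: one source failing against many accounts with only a try or two each. The detection sketch below is an added example, not part of the original article or Lumen's tooling; the event tuple layout, thresholds and function name are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, outcome).
# IPs come from documentation ranges; usernames are invented.
EVENTS = [
    ("2024-01-08T09:00:05", "203.0.113.7", "alice.tan", "FAIL"),
    ("2024-01-08T09:01:10", "203.0.113.7", "ben.lim", "FAIL"),
    ("2024-01-08T09:02:15", "203.0.113.7", "chen.wei", "FAIL"),
    ("2024-01-08T09:03:20", "203.0.113.7", "devi.raj", "FAIL"),
    ("2024-01-08T09:04:25", "203.0.113.7", "eric.ng", "FAIL"),
    ("2024-01-08T09:05:30", "203.0.113.7", "farah.k", "OK"),
    # An ordinary user mistyping once, then logging in.
    ("2024-01-08T09:10:00", "192.0.2.44", "alice.tan", "FAIL"),
    ("2024-01-08T09:10:20", "192.0.2.44", "alice.tan", "OK"),
    # Repeated failures on ONE account: lockout territory, not a spray.
] + [("2024-01-08T10:%02d:00" % m, "198.51.100.9", "admin", "FAIL") for m in range(8)]


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Flag sources whose failures inside a sliding window hit many
    distinct accounts while staying under per-account lockout limits."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        by_src[src].append((datetime.fromisoformat(ts), user, outcome))

    findings = {}
    for src, rows in by_src.items():
        fails = sorted((t, u) for t, u, o in rows if o == "FAIL")
        best, start = Counter(), 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # drop failures older than the window
            seen = Counter(u for _, u in fails[start:end + 1])
            if max(seen.values()) <= max_per_user and len(seen) > len(best):
                best = seen
        if len(best) >= min_users:
            findings[src] = {
                "targets": sorted(best),
                # Accounts this source logged in to: reset these first.
                "succeeded": sorted({u for _, u, o in rows if o == "OK"}),
            }
    return findings


if __name__ == "__main__":
    print(detect_password_spray(EVENTS))
```

Per-account lockout counters never trip on this pattern, which is why the grouping is by source across accounts rather than by account.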
Ultimately, organizations that prioritize cybersecurity as a core business strategy are better equipped to protect their investments, mitigate data breach risks, and foster a pervasive security culture. This approach is fundamental to building cyber resilience and ensuring long-term growth.