Data is showing that ‘people problems’ weigh heavily in mind, at employee cyber-training level and at the Board level

The fact that increasingly-common hybrid-work policies and cloud usage have made more organizations vulnerable to cyber threat is a hot topic among CISOs.

Cloud account compromises (Microsoft 365, Google Workspaces) and WFH employees’ exposure to more phishing/business-email compromise attacks are just a few of the many ways that cybercrooks can infiltrate corporate networks and supply chains.

Since these work and social trends are here to stay, what can CISOs in the region do to spruce up the defense perimeters while providing the least friction to worker productivity?

According to Yvette Lejins, Resident CISO (APJ), Proofpoint, while juggling the maximization of cybersecurity with minimizing productivity frictions, CISOs also have to grapple with people-centric issues. She tells CybersecAsia.net more in the following Q&A.

CybersecAsia: What challenges are CISOs in the region facing when tasked to balance cybersecurity with the evolving challenges of hybrid/remote-work and talent shortages?

Yvette Lejins (YL): The majority of CISOs surveyed recently in 2022 Voice of the CISO research were (after more than two years of the pandemic) more experienced in dealing with breaches and implementing coherent and intentional cybersecurity policies—as opposed to the stop-gap measures when remote-working and hybrid-working started gaining traction.

In terms of the remaining challenges, the respondents (CISOs) indicated that they had less support from their Board when it came to cybersecurity issues. Only about half indicated that they saw eye-to-eye with the Board on cybersecurity matters in 2022—a sharp decrease from 59% the year before. Those in the large organizations (>5,000 employees) felt this change the most.

In response to these challenges, CISOs globally (including those in APAC) had begun implementing more strategic cyber defence policies by enhancing information protection solutions and security awareness training, both of which will be vital in long-term hybrid work environments.

Half had increased the frequency of cybersecurity training for employees because the leaders are now more aware than ever that people are the new perimeter of their organization, which means taking steps to equip them to defend it accordingly.        

CybersecAsia: Is addressing employee security awareness and preparedness enough, and what more can be done in the region?

YL: Our data shows that people remain the biggest risk factor, as most cyberattacks require people to actually do something, such as click on a link, open an attachment, or disclose a password. 

In APAC, our data shows that both Australia and Singapore have seen a rise in the understanding that human error is the biggest cyber vulnerability in 2022, with Australia noting a 69% increase and Singapore seeing a 43% increase over 2021. Only Japan saw a drop, with only 46% of CISOs responding that human error was their biggest vulnerability, down from 65% in 2021.

CISOs wanting a positive cyber cultural awareness change in their organization need to understand that not all users are equal. Questions they need to ask:

• How and where will they be attacked?
• Who are their most vulnerable users?
• What employees in their organization would cause the most impact if they fell for a phish or were socially engineered by a dodgy email?
• Who are their heavily targeted users?

By doing a risk-based assessment, CISOs will be able to effectively target the most vulnerable areas and people of their organization and strengthen their defenses where it is needed most.

Other areas that CISOs in the region and beyond can look at would be re-evaluating their risk of a supply chain attack, which is associated with risk being attributed to supplier vulnerabilities (e.g., vendors, service providers, and other corporate partners), since organizations will likely face difficulties in enforcing data security practices for external parties.

Overall, it is also crucial to have an understanding of the importance of people-centric security, which would help CISOs to assess threats targeting their most attacked people, and adapt their strategies and controls to the changing landscape.

CybersecAsia: With warnings of Disease X and future pandemics ahead, if hybrid/remote-work are here to stay, how can CISOs stop their apprehension and start making positive plans to boost cybersecurity without hampering staff productivity?

YL: People are our new perimeter: CISO can no longer can rest on their laurels and expect that the office firewall will stop adversaries. Instead of studying our network topologies, attackers are now checking out staff LinkedIn profiles, company annual reports! They are targeting people as their vector, not infrastructure. So CISOs need to pivot their way of thinking to make sure their defence strategy is people-centric.

With hybrid/remote-work here to stay, it is vital that CISOs do two things:

• Develop a robust and comprehensive people-centric cybersecurity strategy. This involves bolstering cyber preparedness and education for employees as well as boosting critical cyber defense for their people.
• The second is for CISOs to ensure that they have support from their C-level executives and the Board in order to effectively implement these defense strategies. 

This CISO alignment with the board of directors is critical, and without that, their ability to implement effective cyber defense policies can be hampered, which may in turn hamper staff productivity.              

CybersecAsia: Can you share any further unique insights on the challenges that each country in APAC has to grapple with, in securing hybrid-work/remote-work?

YL: Compared to global counterparts in the report, APAC CIS)s have quite a few unique challenges ahead. 

For instance, there is a lack of consensus among CISOs in the region as to the most significant threats targeting their organization.

• While both Australia and Japan CISOs surveyed felt that insider threats (whether negligent, accidental, or criminal) were the most significant threat, in Singapore DDoS attacks topped the list. This means that CISOs in each country need to be well versed in the kind of threat that is most prevalent in their country and take the necessary steps to protect themselves.
• It may be worth noting that CISOs surveyed in APAC seemed to be more conservative in their outlook on cyber preparedness compared to other global counterparts in say, France, the UK, Canada, etc). Although ​​organizational cyber preparedness had improved, it had remained a key concern among APAC organizations, with 77% of Australia CISOs believing they were unprepared for a targeted attack, followed by Japan at 62% and Singapore at 53%. This is despite the fact that employee security awareness is on the rise thanks in part to an increase in frequency of cyber training.

Respondents in all three countries still felt that employees were not adequately skilled for holding a stake in the organization’s cyber defence—with three in four CISOs in Australia considering human error to be their organization’s biggest cyber vulnerability, followed by Singapore (53%) and Japan (46%).

CybersecAsia thanks Yvette for sharing her research insights.