All it takes is one cyber-untrained employee to pave the way for a cyberattack from which the organization may never recover.
Predictions point to an acute shortage of digitally skilled workers by 2025, and a third of workers in Asia confess to lacking the digital security skills needed to remain relevant.
Also, the current unabating rush to digitalize operations amid the pandemic is not helping. Neither are the concomitant cyberthreats that feed on the lack of digital security awareness in remote workforces.
Furthermore, some studies have shown an unevenness in digital literacy between countries worldwide. What can countries and organizations do to level the playing field and boost worker competencies for mutual benefit, rather than engage in competition for talent?
CybersecAsia had the opportunity to interview an expert in pro-human, pro-privacy cybersecurity, Ryan James Murray, Director, HUMAN (formerly White Ops), for ideas.
CybersecAsia: While not expecting employees to become cybersecurity experts or professionals, to what degree should all workers be trained in digital security? And why?
Ryan James Murray (RJM): Because many hackers are using increasingly complex means of deception, training all workers in digital security is absolutely necessary in order to help protect against the most common vulnerabilities.
For example, many of us can identify classic phishing attempts by spotting poor language or outrageous promises of money, but few can identify more sophisticated emails like spear phishing emails, which accurately impersonate specific individuals and roles from an organization. No worker should be expected to identify these on their own, so the onus falls on IT teams to train workers in this regard.
The training level required is linked to how seriously an organization takes digital security. This is because the ramifications of a data breach can wreak havoc not just on corporate user data but also those of other companies they are working with.
All workers, regardless of function, should therefore possess a common set of skills and knowledge that cut the risks for IT. For those in technical, management or aspiring roles, professional industry certifications are essential.
CybersecAsia: Should there be different types or levels of training and awareness for different types of employees, and for different industries?
RJM: Baseline-level training for all employees forms the table stakes. However, while many cyberattacks are directed towards unsuspecting employees—often through phishing attempts or malware—detection and prevention of sophisticated insidious attacks are the responsibility of more specialized IT and information security experts. Therefore, companies should institute advanced training and specific certifications required for security and IT roles, as well as roles handling sensitive data.
In most industries, cybersecurity will increase in importance because of the high level of risk associated with failure to meet growing compliance regulations around the world. Industries such as those that rely heavily on big data are likely those most vulnerable and will thus require advanced grade security.
CybersecAsia: Regarding the varying inequality in digital literacy from country to country, what implications will this have in the future for enterprises in the Asia Pacific region?
RJM: The inequality currently largely exists between the more-developed and emerging Asian economies.
In the long run, this gap may continue to affect decision-making of multinational corporations about where to expand their workforce. For example, the 2020 e-Conomy report by Bain & Co., Temasek and Google had identified a lack of digitally skilled talent in Indonesia as a key barrier to further economic development. Eventually, this shortfall could also mean that innovation leadership may continue to centralize from established regional hubs instead of developing economies, thus widening economic inequalities between these countries.
CybersecAsia: What can organizations in this region do to improve digital security skills and awareness among their workforce?
RJM: Organizations should be equipped to enable basic security training. Such training is deployed to staff to deal with risks associated with everyday attacks.
First, identify known exposure risks (e.g., malware, scam emails) and ensure protocols and safeguards are in place to detect and prevent these. Quite often, solutions to many of these problems are simple, like using 2FA passwords or consciously examining the email addresses from the sender.
Then, advanced organizations can preemptively plan for unknown, sophisticated threats in high-reward vectors. After identifying high-risk vectors, organizations can then work towards defining their overall cybersecurity strategy and determine what offensive and defensive technologies to implement.
Well-equipped organizations can staff accordingly by recruiting talent with information security and information technology backgrounds to lead tactical executions.
CybersecAsia: How should organizations start in implementing a feasible digital security skills program for their employees?
RJM: Reskill and upskill staff. Given the ever-changing surface of what we know to be the Internet, it is important for organizations to ensure workers are continually debriefed with information pertaining to the latest cybersecurity threats, such as pandemic-linked phishing emails and social media advertisements.
Risk-averse organizations often create training sessions for workers and encourage participation regularly, instead of relegating cybersecurity courses to just part of the onboarding process.
During the next decade, more organizations will elect to place emphasis on and subsidize professional cybersecurity learning through pursuit of certifications and advanced degree programs. In Asia, governments pitch in by subsidizing training costs and even organizing these courses themselves to ensure high standards.
Many such programmes establish a deeper understanding about information security and cybersecurity, which creates better returns on investment and reduces the cyber risks’ impact on the business, while creating upward career mobility for technical roles in the workplace.
CybersecAsia.net thanks Ryan for sharing his views with our readers.