Expert Opinion: Cybersecurity Awareness Month

“Thanks to the news we see (cybersecurity) events on a daily basis. We see organizations are increasing their awareness. Most of them are taking steps to be more secure. I break down cybersecurity awareness into two portions: one is being aware of the field, which I think the state is pretty good as everybody knows what it is and they are concerned about it. The second part of it seems to be a problem — how well organizations know about the threats they are facing, specifically based on what they do. The risk that they are introducing with the actions they take or with the data they are collecting —  or even with the social media posts their employees are doing. Risks are evolving or are introduced with third-party organizations they do business with. That is where most organizations are falling short. Although they know about cybersecurity awareness, I wish they would know specifically what matches their need, what matches their gaps, and what they need to do, tailored to their need and expectations. That’s where they have a lot of work to do.”

“Looking at the trends and what’s going on with cybercriminals and cyberattacks over the past couple of years, I see organizations struggling to be aware of their situation and also how to mitigate cybercrimes. Cybersecurity awareness is a way for individuals to be able to be aware of the latest trends about how cybercriminals are attacking them. It is also about mitigating these threats. During the pandemic and over the years, we notice that organizations are struggling with cybersecurity awareness. It is not because they lack the resources to do it, but they need to identify what kind of awareness training they want to give to their employees. They ask how will the training impact the employees and also the organization. How do the employees engage themselves in that kind of awareness? Those are some of the bigger challenges organizations are facing. As per a report, there were four million data breaches this year. The Internet Security Consortium says 30% of these threats were caused due to human error. It is coming from phishing, malware, and social engineering. So how do organizations understand what is going on and then equip their employees to be able to mitigate some of these threats?

Even though we have technology like intrusion detection systems and all the technology in place to make sure that cybercriminals don’t attack our networks — humans are the weakest link People just click on links in unknown emails, without knowledge from where those emails are coming from.

We also need to be aware of our personal security awareness. We can all become targets to adversaries. We unknowingly put our PII into the garbage bin and somebody could get it and then we become a target. And it is also your family and the organization who are at risk. So security is everybody’s responsibility.”

“In the past, there were many statements like cybersecurity is a shared responsibility or cybersecurity in the workplace is everyone’s business. But most stakeholders didn’t know much about cybersecurity; they did not do enough to protect the business’ information assets. However, the increased volume of cyberattacks is a significant warning that every business is at risk of a cyberattack; they could be victims of a cyber attack or breach. As the result, there are collaborative efforts between government and industry to raise awareness about the importance of cybersecurity and to ensure that all stakeholders have the resources they need to be safer and more secure online. According to many data breach investigation reports, most cyberattacks were traced back to human errors. Obviously, CEOs, business directors, and managers want to keep their data safe or protect their business’ information assets against cyberthreats, so they have to educate their colleagues and create a workplace culture surrounding cybersecurity awareness.

In my opinion, most organizations have already acknowledged business risks related to cyberattacks; but they lack the ability somehow to identify, prevent, detect and respond to cyberthreats. They are facing many difficulties, not only due to limited budgets for technology investment, lack of well-defined processes for building and optimizing, and also skilled security personnel.”

“I see two elements when we speak about the state of cybersecurity and the threats associated with it. One is the readiness of the skills, the training that is required, and from that perspective, we still have a long way to go. There are special schools sponsored by corporates that are looking at advancing the skills because as you know, one of the key threats when working from home is ransomware, malware. So employees are possibly your largest failure points. If you look at some of the research, they quote anywhere from 40% – 50% in terms of the employees’ willingness to click on a link that will then introduce malware into the system. We still have a long way to go in terms of that. One of the things we are doing to improve the state of cybersecurity within our region is to partner with specialist companies, as well as bring in those skills that through training currently, advance the capabilities within the organizations. On a scale of 0 – 10, I would give it a rating of 6.5 — as you know the cybersecurity threats keep advancing and we have to advance with it. So I think the state of readiness will always be in flux.”

“Cybersecurity has been important in Pakistan for the past 10 years. We got our first policy 10 years ago, and we are celebrating cybersecurity awareness month here in our university. In my previous role, I was heading the cybersecurity department at a leading university. The higher education commission encourages the universities to have events on cybersecurity. At the moment there are campaigns going on about cybersecurity awareness. The good news is that last month we had a consultation document for our privacy policy that was approved by our parliament; it is currently a draft but is expected to become a law by the end of this year. Our government wants to ensure that every citizen is aware of their privacy rights. This is very similar to GDPR. So, this is really important when you have a policy, governance, and the involvement of the parliament. It comes from the highest office.”

“Initially, there was not much cybersecurity awareness in Ghana. It started gaining ground in 2018 and as a result, the Government of Ghana developed laws and legal documents, and regulations for some of the sectors. In early 2018, the financial sector, and notably the Bank of Ghana gave a directive to regulate the banking industry. It wanted every bank to institute cybersecurity to ensure that every bank is well prepared to deal with cybercrime. The Government of Ghana launched the cybersecurity awareness month program and it also took the opportunity to launch the Cybersecurity Act from the national cybersecurity authority. And for cybersecurity awareness month we have a series of programs for each sector. Because of the directive and proactiveness of the Bank of Ghana to regulate all the financial institutions to be aware of what is going on, because of all the cyberattacks in Africa. So we have an annual program to sensitize all our staff. We organize at least two training sessions for our staff every year. This was organized for the past two years. So the awareness level for our staff has increased. And they understand all the various threats and the sources of cybercrime. Awareness is increasing but we still have some way to go for complete awareness. It is gaining ground.”