Cyber risk is a growing concern amongst businesses and institutions. Data breaches and hacking have been a problem in some sectors, predominantly financial services, for some time. These risks are now commonly grouped under the broader heading of ‘cyber risk’, which was listed as one of the top business risks for 2015. Companies in Asia are generally considered less prepared for the rising number of cybercrimes than their counterparts in other regions such as the USA.
When a security breach involves the loss or leakage of personal data, it also becomes a significant data protection and regulatory issue and can lead to fines, legal or regulatory sanction and reputational damage. This is particularly so in a market where individuals (whether customers or employees) are increasingly aware of their privacy rights and of identity theft. With the arrival of the Internet of Things, data security will become even more prominent. The consequences of failing to protect a business adequately against cybercrime can be severe.
Despite the challenges faced by many companies, some of these risks can be identified and avoided at an early stage. Whilst most companies are aware of the firewalls and technology they need in place to protect themselves, many are unaware of other ‘soft spots’ that may also be contributing to the risks in a major way.
‘Soft spots’ include employees who unintentionally act on ‘phishing’ or spam emails (opening a malicious attachment, following a link or entering their credentials on a spoofed site), disgruntled or former employees who deliberately take confidential information, and the loss of control over company data that comes with Bring Your Own Device (BYOD).
There are ways to deal with these ‘soft spots’, including improved governance and compliance, training for employees and tighter technical controls. However, a top-down approach is needed: senior management, including board members, must make cybersecurity a priority.
Top tips in dealing with cyber risks from an employment perspective include:
Governance and compliance
- Identify highly sensitive and classified information, customer and staff data kept by the company.
- Identify ownership of the data (for example human resources department, finance, a specific business team) and the security measures put in place.
- Identify all the data processors used by the company, and check which of them are engaged to handle the company’s highly sensitive and classified data.
- Identify the legal and compliance requirements in relation to the use and security of data, and the legal and regulatory consequences of a data breach.
- Perform a risk assessment: identify the risks where the consequences of a data breach would be most serious, and implement measures to mitigate them.
- Roll out policies on data security and the use of IT. Consider including them in the company’s staff regulations.
- Enforce the data security and IT use policies, including taking disciplinary measures where there is a serious violation.
Employees need to understand that they have an important role in keeping both the network and the data safe.
- Train employees to recognise suspicious emails and to report them rather than act on them. A suspected phishing email should be reported to IT or security even if nobody has clicked on it.
- Promote awareness: learning is continuous, as cybercrime manifests itself in many different ways.
- Instil information security behaviour that reduces risk.
- Ensure that only secured wireless networks (encrypted and requiring authentication) are used for company data; public or open Wi-Fi should not be used for work without a VPN.
- Tighten security controls on mobile devices, particularly personal devices used under BYOD arrangements, for example by requiring device encryption, screen locks and the ability to remotely wipe company data.
- Use email security solutions that filter incoming mail and inspect message content, attachments and links.
- Consider using surveillance technology to detect fraud and serious misconduct. This should only be used after conducting a privacy impact assessment and in compliance with applicable employment and data protection law.