Cyber risk is a growing concern for businesses and institutions. Data breaches and hacking have been a problem in some sectors, predominantly financial services, for some time. These risks are now often discussed under the broader heading of "Cyber Risk", which is listed as one of the top business risks in 2015. Companies in Asia are generally considered less prepared for the increasing number of cybercrimes than their counterparts in other regions such as the USA.
When a security breach involves the loss or leakage of personal data, it also becomes a significant data protection and regulatory issue and can lead to fines, legal or regulatory sanction and reputational damage. This is particularly so in a market environment where individuals (be they customers or employees) are increasingly aware of their privacy rights and of identity theft. With the arrival of the "Internet of Things", the importance of data security will become even more prominent. The consequences of failing to protect a business adequately from cybercrime can be huge.
Despite the challenges many companies face, some of these risks can be identified and avoided at an early stage. Whilst most companies are aware of the firewalls and other technology they need in place to protect themselves, many are unaware of other 'soft spots' that may also be contributing to the risk in a major way.
'Soft spots' include employees who unintentionally click links or open attachments in 'phishing' or spam emails, disgruntled or former employees who deliberately take confidential information, and the issues that come with BYOD ('Bring Your Own Device').
There are ways to deal with these 'soft spots', including improved governance and compliance, training for employees and tighter security solutions. However, a top-down approach is needed and senior management, including board members, need to make cyber security more of a priority.
Here are the top tips in dealing with cyber risks from an employment perspective:
Governance and Compliance
- Identify the highly sensitive and classified information, and the customer and staff data, kept by the company.
- Identify who owns each set of data (e.g. the human resources department, finance, a specific business team) and the security measures in place for it.
- Identify all the data processors used by the company, and check which of them are engaged to handle the company's highly sensitive and classified data.
- Identify the legal and compliance requirements governing the use and security of data, and the legal and regulatory consequences of a data breach.
- Perform a risk assessment: identify the risks where the consequences of a data breach would be extremely serious, and implement measures to mitigate them.
- Roll out policies on data security and the use of IT. Consider making them part of the company's staff regulations.
- Enforce the data security and use-of-IT policies, including disciplinary measures where there is a serious violation.
Training for Employees
Employees need to understand that they have an important role in keeping both the network and the data safe.
- Train employees to recognise suspicious emails and to report a suspected phishing email rather than simply deleting it.
- Promote awareness: learning must be continuous, as cybercrime manifests itself in many different ways.
- Instil information security habits that reduce risk.
Security Solutions
- Ensure staff use only secured wireless networks.
- Tighten the security measures on the use of mobile devices.
- Use email security solutions that filter inbound mail and examine the contents of messages.
- Consider using surveillance technology to detect fraud and serious misconduct. This should only be deployed after a privacy impact assessment has been conducted.
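The tip on filtering and examining email contents can be made concrete. The following is an added example, not code from the original article: a small Python screen that looks for the classic tells in a phishing message (a display name that claims the company's domain while the real sender address is external, a lookalike sender domain, a Reply-To that diverts answers elsewhere, urgency language in the subject, and links whose visible text names a different host than the one they actually point to). The company domain "example.com" and the two sample messages are constructed for the example.

```python
"""Heuristic phishing screen for one inbound e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumed internal domain for the example

# Digits attackers swap for letters to build lookalikes (examp1e.com); "rn" for "m" is handled separately.
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

_LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_URGENCY = re.compile(r"\b(urgent|immediately|expires?|suspended|verify your)\b", re.I)


def normalise(domain: str) -> str:
    return domain.lower().replace("rn", "m").translate(_CONFUSABLE)


def is_lookalike(domain: str, target: str = COMPANY_DOMAIN) -> bool:
    """True when domain resembles target after confusable substitution but is not target itself."""
    return domain.lower() != target and normalise(domain) == normalise(target)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def screen(raw: str) -> List[str]:
    """Return a list of findings for one RFC 5322 message; an empty list means no tells found."""
    msg = message_from_string(raw)
    findings: List[str] = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    if COMPANY_DOMAIN in name.lower() and from_dom != COMPANY_DOMAIN:
        findings.append(f"display name claims {COMPANY_DOMAIN} but sender is {addr}")
    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom} looks like {COMPANY_DOMAIN}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To {reply} points to a different domain than From")

    subject = msg.get("Subject", "")
    if _URGENCY.search(subject):
        findings.append(f"urgency language in subject: {subject!r}")

    # Walk every text part (plain or HTML) and compare each link's shown host with its real target.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for href, text in _LINK.findall(body):
            href_host = urlparse(href).hostname or ""
            shown_host = urlparse(text.strip()).hostname or ""
            if shown_host and shown_host != href_host:
                findings.append(f"link text shows {shown_host} but points to {href_host}")
            elif is_lookalike(href_host):
                findings.append(f"link host {href_host} looks like {COMPANY_DOMAIN}")
    return findings


# Constructed sample messages (not real mail).
PHISH = "\n".join([
    'From: "example.com IT Helpdesk" <alerts@examp1e.com>',
    "Reply-To: reset@mail-recovery.net",
    "To: staff@example.com",
    "Subject: Urgent: your password expires today",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<p>Reset now: <a href="http://examp1e.com/reset">https://portal.example.com/reset</a></p>',
])

LEGIT = "\n".join([
    'From: "IT Helpdesk" <helpdesk@example.com>',
    "To: staff@example.com",
    "Subject: Scheduled maintenance on Saturday",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<p>Details: <a href="https://portal.example.com/notices">https://portal.example.com/notices</a></p>',
])

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, screen(raw))
```

Each finding is a reason a human reviewer or a quarantine rule could act on; a production gateway would add authentication results (SPF, DKIM, DMARC) and attachment inspection on top of these header and link checks, which is why the tip recommends a dedicated email security solution rather than hand-rolled rules alone.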