Companies Can Empower Their Cybersecurity by Empowering Their Employees

Written by: Martin Dale Bolima, Tech Journalist, AOPG

The human aspect of cybersecurity is vital. In fact, it can spell the difference between cybersecurity that works and one that doesn’t.

People, unfortunately, continue to be the weakest links when it comes to gullibility, always vulnerable to being exploited and at times gullible to social engineering ploys, like phishing and smishing. And, when just one weak link is attacked successfully, the entire organisation suffers–even if it has a robust, innovative security architecture.

Yes, that is how critical the human aspect is to cybersecurity —so much so that even the most advanced technologies available, like Artificial Intelligence and Endpoint Detection and Response, will find it extra challenging to contain an attack originating from an exploited human vector.

Employees Are Part of Cybersecurity

The critical role of humans in cybersecurity was discussed at length and emphasised repeatedly by Uzair Ahmed, Co-Founder of and CTO at Right Hand Cybersecurity, in an exclusive virtual interview with Cybersecurity ASEAN.

“Employees are basically considered as the weakest link in the cybersecurity chain right now. They are the most critical element of this [cybersecurity] chain as well because they are the only layer that you have in the company whose capabilities are not exposed to the outside world,” Ahmed pointed out. “The technologies out there, anyone can understand the capabilities of the technology layer. But your employees are the only layer of defence that no one can get an idea of, so even if your technologies fail, if your employees are properly trained, they can still protect your company.”

Put simply, organisations more or less know what cybersecurity technologies can do. They understand, for example, how Artificial Intelligence (AI) and Machine-Learning (ML) can transform cybersecurity from reactive to proactive and predictive, studying threats, taking note of patterns and identifying suspicious behaviours.

Employees, on the other hand, are a mixed bag and generally unpredictable, and that makes some of them exploitable—to the detriment of the entire organisation. This is why Ahmed is adamant employees are a crucial part of a company’s cybersecurity, and that they need assistance so they can serve as an added layer of defence, not as a point of attack that hackers will routinely go after until they succeed.

A Bit of Nurturing Is Necessary

Transforming weak links into strong enough chains does not happen overnight. Neither does it happen without doing anything about it. Instead, there ought to be a process of cultivation involved, along with building a strong culture that looks at cybersecurity holistically.

“This important layer of defence requires a little bit of nurturing as well,” noted Ahmed. “This is where we say that just the technology of cyber awareness is not a solution. What we need is a cyberculture and behaviour change, which is not something we can achieve abruptly. It’s a very gradual process but that is something we need today.”

That process has to start somewhere, somehow . . . and sometime real soon. And if it were up to Ahmed, he would want organisations to start now. They should have started already, actually. But, since this culture building is a process, it must also be done repeatedly, with consistency, year-round. It cannot be a one-time thing, a bi-annual exercise or even a once-every-quarter initiative. It must be ongoing and targeted, with the end-goal of empowering these so-called weakest links.

Offering a Helping Hand

Ahmed strongly believes that unless companies have a dedicated team of cybersecurity experts that can take point in the year-round cultivation of employees’ cybersecurity know-how, they are generally better off getting help from a third-party vendor. With that in mind, he co-founded Right Hand Cybersecurity in 2019 with fellow cybersecurity expert Theo Nasser, with the aim of helping businesses bridge that gap.

Veterans in the industry, Ahmed and Nasser were impacted heavily by the cybersecurity and data policy mandates implemented in progressive Singapore, dubbed the “Silicon Valley of Asia.” Among these mandates is the Personal Data Protection Act 2012, which set Singapore up as the country of choice for startups in the cybersecurity sphere.

And as Ahmed and Nasser plotted their own cybersecurity startup, they had observed a common thread in the way companies approach cybersecurity: They would invest heavily in the technology, particularly in perimeter defence but they were not doing nearly enough to empower their employees as that additional layer of defence. As a result, many of these companies would still get hit by cyber attacks despite having the most advanced cybersecurity technologies available.

With that in mind, Ahmed and Nasser configured Right Hand to focus on helping companies “create a cyberculture in their organisation” through a human-centred technology platform. This platform, according to Ahmed, incorporates three core elements—spaced learning, Artificial Intelligence (AI) and gamification.

The Right Elements for Empowering the Human Capital

Spaced learning, originally popularised in the academe, is essentially a learning paradigm where retraining or reeducation is provided even before previous learnings are forgotten. This ensures that employees retain whatever they learn about cybersecurity, as the ideas are reinforced over and over.

The power of AI, meanwhile, enables Right Hand to overcome the global talent shortage in cybersecurity, which is so pronounced that over 1.3 million cybersecurity-related jobs remain unfilled as of today, according to Ahmed. As a consequence, cybersecurity teams are often understaffed and are, thus, unable to conduct the necessary training for employees on a consistent basis. In response, Right Hand is using AI to automate an organisation’s cyber awareness programs where all IT teams need to do is configure certain parameters, and the Right Hand platform will do the rest using interactive, multi-device approaches.

Last but not least is the element of gamification, which makes the learning process much more interesting. By gamifying the whole process, Right Hand is essentially incentivising not only participation but also actual learning. Organisations can opt to give a rewards program as well to further persuade employees to participate actively in institutionalised training programs.

Empower Those Employees Now

The human aspect of cybersecurity is rarely discussed extensively, with most of the talk oftentimes focused on the technological aspect— AI, ML and every innovation designed to fortify cybersecurity. But things cannot stay that way forever, not when cybercriminals are getting more sophisticated, themselves emboldened by the technologies available to them as well as the knowledge that they will always have a weak link or two to exploit.

It is time to put an end to that paradigm. It is time to turn those weak links into strong chains. It is time to empower those employees.