When it comes to cybersecurity, people, and not just technology, matter. Thus, companies must build a “human firewall” to combat internet-related security issues, says Mhycke C. Gallego, Advisory Practice Leader of P&A Grant Thornton, one of the leading audit and professional services firms in the Philippines.
“People are our first line of defense. It is best to upskill their competence and capabilities on cybersecurity and help them reduce the risk of security breaches,” he says.
Gallego, a certified risk and information systems control (CRISC) and risk management assurance (CRMA) professional, offers these five tips so companies can empower their workforce to tackle cybersecurity issues.
- Keep a close watch. Make your employees more vigilant against real-life cybersecurity attacks, particularly in an increasingly digital world. This demands going beyond mere compliance with information, technology and cyber security training requirements.
- Empower people. To strengthen the human firewall, the organization should undergo a change management process “so people will be able to manage the shift brought about by digitalization, as well as understand its impact on the overall IT governance process,” Gallego says.
- Keep your people informed and engaged. Organizations and enterprises must stay up-to-date and educated on relevant cybersecurity awareness content. One way is to tap online service platforms like Vigil@nt Cybersecurity, which draws on P&A’s own years of experience in running information, technology, and cyber security learning and development sessions for its employees. Vigil@nt Cybersecurity helps businesses and organizations design, implement, and monitor their internal cybersecurity awareness and training programs. It offers an online learning and phishing-simulation platform that makes learning more fun, interactive, and effective.
- Embed a risk culture. Firms must influence employee behavior and reduce information, technology and cyber security risk at every level of the organization. In designing cybersecurity learning and development sessions, P&A Grant Thornton considers the readiness of the client’s organizational structure (e.g., whether a separate cybersecurity unit exists within the company) and its risk assessment protocols (i.e., identifying the areas exposed to cybersecurity risk and the people who hold critical information), focuses on the areas that are critical, and identifies appropriate control activities (business, fraud, technology) and learning interventions.
- Get buy-in from the top. As cybersecurity is not just a technology issue, it’s important to get the buy-in of all key decision makers, not just those from the company’s IT department. In the Philippines, Gallego says there is still a gap in promoting cybersecurity awareness. “More mature and technology-enabled companies have more advanced cybersecurity awareness programs. On the other hand, small and medium-scale enterprises, considered the economy’s backbone, may be less aware and their existing processes are perhaps more prone to cybersecurity challenges,” he notes.
While P&A is better known for its role as an auditor and business adviser, he says it also conducts information, technology, and security audits for clients. “We have also been providing vulnerability assessments, penetration testing, and technology security assessment and other reviews to our clients. This enables us to bring our wealth of experience, as well as tap from resources within Grant Thornton’s global network, in our interaction with clients,” he adds.
However, this awareness gap is bound to narrow as more companies embrace Industry 4.0 and embark on a digital transformation journey to survive and thrive in the “next normal” of post-pandemic recovery, he points out.