[BreachExchange] How IT leaders can get everyone involved in cybersecurity

Destry Winant destry at riskbasedsecurity.com
Thu May 4 00:59:05 EDT 2017


Cybersecurity is everyone's business, but how can IT leaders get both
employees and management to work together to strengthen the organisation's
cyber defence?

This was the highlight of the panel discussion at the Computerworld
Philippines Security Summit in Manila last Tuesday (25 April 2017). The
panellists were Lilia Guillermo, Assistant Secretary and CIO of the
Department of Budget and Management (DBM); Tessie Cua, Senior Assistant
Director of University of the East Ramon Magsaysay Memorial Medical Centre
(UERMMMC); and Alain Duminy, IT Advisor and Head for IT Governance and
Portfolio Management Unit of the Asian Development Bank (ADB).

Duminy shared that ADB is rolling out programmes that engage employees
while helping raise their cybersecurity awareness. These include sending
them security campaigns via e-mail, conducting online security training,
and issuing security quizzes.

Besides that, Duminy said ADB also sends fake phishing emails to its
employees to test their awareness of such threats. If an employee clicks
on one, a message pops up informing them that the mail is a phishing
attack, before providing them with tips on how they can recognise and avoid
becoming victims of such attacks moving forward.

For UERMMMC, cybersecurity initiatives are focused on two aspects:
education and their hospital services. According to Cua, the biggest
current challenge in the hospital is protecting the patients' records after
digitalising them.

On the side of education, Cua recalled that there was no network firewall
when she first arrived in the university. As such, malicious applications
and websites were popping up on their internet service. "Because of this,
the President is complaining why these things are popping out. I told him
that we should have a firewall so we bought one," she said.

After deploying the firewall, Cua said they were able to regulate the
applications and websites that can be viewed inside the school premises.

Meanwhile, Guillermo suggested forming an information security steering
committee to help engage both the employees and top management in
cybersecurity. The committee, composed of the top management and a
technical group, should address security issues in the organisation.

"In addressing employee behaviour in securing data, especially in the
government, this steering committee [needs to issue a policy] that states
that we have to tell employees what critical data we have, what data are
confidential, and what data can be given [especially in instances of] the
Freedom of Information versus data privacy, as data is of our concern,"
Guillermo explained.

She added that top management will be the one to identify and appoint the
security officers who will be included in the organisation.