Cybersecurity is everyone's business, but how can IT leaders get both employees and management to work together to strengthen the organisation's cyber defence?
This was the highlight of the panel discussion at the Computerworld Philippines Security Summit in Manila last Tuesday (25 April 2017). The panellists were Lilia Guillermo, Assistant Secretary and CIO of the Department of Budget and Management (DBM); Tessie Cua, Senior Assistant Director of University of the East Ramon Magsaysay Memorial Medical Centre (UERMMMC); and Alain Duminy, IT Advisor and Head for IT Governance and Portfolio Management Unit of the Asian Development Bank (ADB).
Duminy shared that ADB is rolling out programmes that engage employees while helping raise their cybersecurity awareness. These include sending them security campaigns via e-mail, conducting online security training, and issuing security quizzes.
Besides that, Duminy said ADB also sends fake phishing emails to its employees to test their awareness of such threats. If an employee clicks on one, a message pops up informing them that the mail is a phishing attack, and then provides tips on how they can recognise such attacks and avoid becoming victims of them in future.
For UERMMMC, cybersecurity initiatives are focused on two aspects: education and its hospital services. According to Cua, the biggest current challenge in the hospital is protecting patients' records after digitalising them.
On the education side, Cua recalled that there was no network firewall when she first arrived at the university. As a result, malicious applications and websites were popping up on their internet service. "Because of this, the President is complaining why these things are popping out. I told him that we should have a firewall so we bought one," she said.
After deploying the firewall, Cua said they were able to regulate the applications and websites that can be viewed inside the school premises.
Meanwhile, Guillermo suggested forming an information security steering committee to help engage both the employees and top management in cybersecurity. The committee, composed of the top management and a technical group, should address security issues in the organisation.
"In addressing employee behaviour in securing data, especially in the government, this steering committee [needs to issue a policy] that states that we have to tell employees what critical data we have, what data are confidential, and what data can be given [especially in instances of] the Freedom of Information versus data privacy, as data is of our concern," Guillermo explained.
She added that top management will be the one to identify and appoint the security officers who will be included in the organisation.