People: A cybersecurity asset or risk? Experts say both
In celebration of Cybersecurity Awareness Month, a forum organized by Punongbayan & Araullo (P&A) Grant Thornton, titled "Cybersecure 2024: Empowering innovation and securing the digital frontier," highlighted the pivotal role of human factors in the cybersecurity landscape.

Held at the Makati Diamond Residences on Oct. 9, 2024, the event brought together experts, who underscored the importance of cultivating a culture of awareness within organizations to effectively mitigate cyber risks and enhance overall cybersecurity resilience.

Romualdo Murcia III, P&A Grant Thornton chairman and managing partner, underscored in his opening remarks that an organization should not be solely dependent on its leaders and the information technology team when it came to cybersecurity. Rather, it would be the responsibility of all the people in the organization to be cyber secure, comply with the appropriate policies and maintain awareness of potential cyber threats.

Murcia stated: "We must establish a culture where everyone understands the role in protecting the organization's data and systems. In conclusion, leadership and security mindset go hand in hand in protecting the people and the business."

From the government's point of view

"No firewall is stronger than a workforce trained to think critically, adapt rapidly and respond decisively," said Jeffrey Ian Dy, Department of Information and Communications Technology (DICT) undersecretary for Infrastructure Management, Cybersecurity and Upskilling.

In his presentation, Undersecretary Dy specified the top 10 emerging cybersecurity threats for 2030, which included supply chain compromise of software dependencies, human error and exploited legacy systems within cyber-physical ecosystems, artificial intelligence (AI) abuse and advanced disinformation campaigns, among others. Most of these threats were related to or fueled by AI.

Undersecretary Dy noted that while AI could be beneficial in various industries such as health care, it has been prevalently used to deceive systems and people, raising concerns about deep fakes, robocalls, academic dishonesty and challenges in coding.

Dy also highlighted the risks AI posed to cybersecurity, mentioning issues such as algorithmic bias, AI hallucinations (which he defined as "untruth masquerading as truth"), privacy concerns, nonattribution of information and tunnel syndrome.

On the flip side, he said AI could also be used by organizations to detect threats and automate responses.

In response to these growing threats, the government formed the National Cybersecurity Plan 2023 to 2028, and outlined three outcomes: technological controls, capacity building and policies.

The second outcome concentrated on improving cybersecurity workforce capabilities in both the public and private sectors.

The discussion circled back to the importance of people, with Dy stressing that humans in cybersecurity could be a source of great strength or a considerable weakness.

He said, "There is no automated vulnerability assessment and penetration tool better than a very good black cat practitioner."

The undersecretary said that with the rapid evolution of AI, the workforce should also evolve to develop "a workforce that can defeat your AI."

Despite these emerging threats, Dy noted the Philippines has been making progress in cybersecurity, citing an increase in the country's overall cybersecurity score from 77 in 2020 to 93.49 in the 2024 United Nations Global Cybersecurity Index.

Telecom giant's standpoint

"It's a scary time for us. The crossroads of AI and cybersecurity has now arrived," said Alexis Bernardino, field chief information security officer and head of Enterprise Consulting Practices at PLDT Enterprise and chief cybersecurity evangelist at ePLDT.

Bernardino explained, "The problem is that the adversaries first used AI — while we are still in the process of adopting the productivity side of AI — to attack us. We are two steps or three steps behind."

The security officer asserted, however, that if employees were properly trained and aware of the latest cybersecurity trends, tactics, techniques and procedures used by hackers, they could be the "first line of defense [and] force multiplier in protecting the whole company."

With ransomware attacks increasingly targeting enterprises and companies, Bernardino urged all members of companies to take ownership and accountability, viewing cybersecurity as a team effort to prevent, detect, predict and respond to cyber threats efficiently and effectively.

Bernardino concluded that proactiveness, vigilance and paranoia would be three essential cybersecurity intangibles that could help save organizations from these threats.

"So, for me, the message really is that the future of cybersecurity should be adaptive right now. AI will be a definitive factor in the battle against AI-powered threats," he said.

Fostering human-centered cybersecurity

P&A Grant Thornton Director and Chief Information Officer Leonard Duque emphasized a human-centric approach in cybersecurity by prioritizing people as a key factor to strengthen digital defense.

Duque advocated for simpler security advisories that avoided technical jargon for everyone in the company to understand. He also suggested that cybersecurity training courses should be more engaging and effective for all.

To illustrate his point, he referenced Apple's strategy when releasing software updates, which consistently highlighted new emojis and appealing features to entice users to install the new updates while subtly pushing the main goal of enhancing security on devices.

"Think outside the box. Let's look at training modules that are relatable to our audiences, to our people [and] to our organization," Duque said.

However, it wasn't just the capabilities of the current workforce that were a concern but also the workforce gaps. Duque stated that this gap would likely widen when the next generation of workers entered the field.

Data presented by Duque indicated that the Philippines only had 200 cybersecurity professionals in 2022 with 80 of them working overseas, according to DICT Secretary Ivan John Uy as cited by Duque. This figure was significantly lower than Singapore's 2000 cybersecurity experts.

It was for this reason that Duque stressed the need to bridge the workforce gap by focusing on upskilling teams in using AI as a cybersecurity defense tool, increasing the number of cybersecurity professionals by investing in cyberlearning programs, simulations and training, and implementing retention programs for cybersecurity practitioners.

Duque also said partners, senior executives and leaders should serve as an example in adhering to cybersecurity policies and programs.

"They really need to own the responsibility and accountability of cybersecurity, meaning they have to be the drivers because if they don't, then employees will frequently demand exemptions," explained Duque.

Undersecretary Dy also mentioned that the government has been actively pushing for the provision of scholarships to enhance access to formal cybersecurity education and the organization of hackathons, all in pursuit of increasing the number of cybersecurity professionals in the country.

In his closing remarks, P&A Grant Thornton Vice Chairman and Deputy Managing Partner Olivier Aznar shared his key takeaways from the forum, summarized by an acronym, PAGT, which stood for preparedness, awareness, governance and technology.

Aznar said organizations had to adopt a proactive stance by developing comprehensive cybersecurity plans that would include risk assessment and incident response strategies.

He reiterated that everyone in the organization, from C-suite executives to entry-level staff and even interns, needed to be on the same page in understanding the value of cybersecurity.

To complement this, he said there needed to be a robust cybersecurity framework to clearly define roles and responsibilities and ensure accountability while fostering collaboration across departments.