The advancement of AI is propelling businesses into a new era of digital transformation; more and more organisations today are looking to leverage AI to enhance their digital infrastructure, streamline operations, and ultimately drive growth. However, this digital revolution has also unleashed a new generation of cyberthreats, with increasingly sophisticated actors exploiting AI for malicious purposes. A recent case in Hong Kong, where AI-generated deepfakes of company executives were used to orchestrate a US$25 million scam, serves as a stark reminder of the evolving threat landscape.
As businesses embrace technologies like the Internet of Things (IoT), machine learning (ML), and AI, they also expand their attack surface, often without realising it. Traditional perimeter controls like firewalls and antivirus software alone cannot protect against the complex and evolving tactics employed by today's cybercriminals. It is time for a paradigm shift in our approach to cybersecurity, one that recognises the critical role of employees in safeguarding our digital assets.
The human element can be both vulnerability and strength
Human error and oversight remain the leading causes of security breaches. Employees, often unaware of the latest cyberthreats, can fall victim to phishing scams, social engineering attacks, and other malicious tactics. A recent study by KnowBe4, the 2024 Phishing by Industry Benchmarking Report, found that almost one in three employees in Asia are likely to click on a suspicious link or comply with a fraudulent request. As we connect more devices and expand our digital footprint, the potential for human error multiplies.
However, employees are not simply a vulnerability to manage; they are also our greatest asset in cybersecurity. By empowering them with knowledge and tools, business leaders can transform their workforce into a powerful first line of defence.
Cultivating a culture of security awareness
An organisation's culture starts from the top; thus, leaders must make the effort to visibly prioritise cybersecurity within the organisation and actively participate in training programmes. By setting a positive example and adhering to security policies themselves, leaders demonstrate that security is everyone's responsibility. Regular audits and assessments can help identify gaps and areas for improvement along the way.
While awareness is rising and investment in training is increasing, many organisations struggle to ensure that employees internalise and apply the training they receive. There is often a disconnect between education and actual employee behaviour, as employees may not fully understand the implications of their actions or may take the training lightly. This is compounded by cultural factors in some regions where questioning authority or reporting potential issues might be discouraged.
Organisations must invest in fostering a continuous learning environment where employees are actively engaged in cybersecurity. This can include more interactive training programmes that simulate real-world cyberattacks. Phishing simulations, social engineering scenarios, and data security challenges can effectively reinforce best practices and cultivate vigilance. Organisations in Asia-Pacific are already making headway in this direction, with 64% investing in cybersecurity awareness training with ongoing and relevant content in 2024, up from 54% in 2022, according to research by KnowBe4.
Additionally, employees must be kept up to date and aware of crucial developments in the cybersecurity space, such as the Network and Information Security 2 (NIS 2) directive, whose deadline for transposition into national law by EU member states passed last month. While such initiatives may be confined to certain geographies, the European Union (EU) in this case, being aware of the impact of such standards can only help employees and their companies elevate their competitive advantage on a global level.
Open communication channels must be established. By encouraging a culture of transparency and open dialogue around cybersecurity, organisations reinforce a positive security culture where employees feel comfortable reporting incidents without fear of blame. This is particularly critical given that over 50% of employees fear reporting cybersecurity mistakes due to potential repercussions from their organisations — such as disciplinary actions or negative performance reviews — according to research by People Matters.
Embracing zero-trust principles
While employee awareness and training are essential, organisations must also leverage the right tools and technologies. This is where a zero-trust security model comes in. Rather than assuming that anything inside the corporate network can be trusted, zero trust authenticates and authorises every request for access to an application or data resource, checking the identity of the user, the health of the device, and whether that user actually needs the resource. By treating every access request with scepticism, regardless of whether it originates from inside or outside the network, and by granting only the minimum access a role requires, organisations can limit the damage caused by compromised credentials or devices: a phished password alone, on an unmanaged machine, should get an attacker nowhere. Zero trust is a set of principles rather than a single product, and it works best alongside the awareness efforts above; it also reinforces the message that security is a shared responsibility.
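To make the zero-trust idea concrete, here is a small policy-evaluation function written for this article as an illustration; it is not code from any product or from the organisations cited above. Every request is judged on identity (MFA verified), device posture (managed, disk encrypted, recent health check-in) and least-privilege entitlement (the user's roles versus the roles allowed on the resource). The source IP address is recorded for audit but deliberately never consulted, which is the point: being on the office LAN earns no trust. The role-to-resource mapping, user names, device IDs and addresses are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed least-privilege policy: which roles may reach which resources.
# No role reaches anything that is not listed here.
RESOURCE_ACCESS = {
    "hr-payroll": {"hr-admin"},
    "finance-ledger": {"finance", "finance-admin"},
    "wiki": {"staff", "hr-admin", "finance", "finance-admin"},
}

# A device whose posture report is older than this is treated as unknown.
DEVICE_CHECKIN_MAX_AGE = timedelta(hours=24)


@dataclass
class User:
    name: str
    roles: set
    mfa_verified: bool          # True only if MFA completed for this session


@dataclass
class Device:
    device_id: str
    managed: bool               # enrolled in device management
    disk_encrypted: bool
    last_posture_checkin: datetime


@dataclass
class AccessRequest:
    user: User
    device: Device
    resource: str
    source_ip: str              # logged for audit only; never a trust signal


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # why the request was denied


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Zero-trust check: identity, device posture and entitlement must all pass.

    Note that req.source_ip is intentionally not examined anywhere.
    """
    reasons = []
    if not req.user.mfa_verified:
        reasons.append("identity: MFA not verified for this session")
    if not req.device.managed:
        reasons.append("device: not enrolled in management")
    if not req.device.disk_encrypted:
        reasons.append("device: disk encryption off")
    if now - req.device.last_posture_checkin > DEVICE_CHECKIN_MAX_AGE:
        reasons.append("device: posture check-in stale")
    allowed_roles = RESOURCE_ACCESS.get(req.resource, set())
    if not (req.user.roles & allowed_roles):
        reasons.append(f"authz: no role grants access to {req.resource}")
    return Decision(allowed=not reasons, reasons=reasons)


# Fixed clock so the scenarios are reproducible.
NOW = datetime(2024, 11, 1, 9, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Constructed scenarios; returns scenario name -> Decision."""
    fresh = NOW - timedelta(hours=1)
    stale = NOW - timedelta(days=3)
    alice = User("alice", {"staff", "finance"}, mfa_verified=True)
    alice_no_mfa = User("alice", {"staff", "finance"}, mfa_verified=False)
    laptop = Device("lt-0427", managed=True, disk_encrypted=True,
                    last_posture_checkin=fresh)
    home_pc = Device("unknown", managed=False, disk_encrypted=False,
                     last_posture_checkin=stale)
    return {
        # Working from outside the network, but identity, device and role all check out.
        "remote_ok": evaluate(
            AccessRequest(alice, laptop, "finance-ledger", "203.0.113.7"), NOW),
        # On the office LAN with the same user and device, but payroll is outside her role.
        "lan_wrong_resource": evaluate(
            AccessRequest(alice, laptop, "hr-payroll", "10.0.5.23"), NOW),
        # On the office LAN without MFA: a phished password alone gets nothing.
        "lan_no_mfa": evaluate(
            AccessRequest(alice_no_mfa, laptop, "wiki", "10.0.5.23"), NOW),
        # Valid credentials and MFA, but from an unmanaged personal machine.
        "remote_unmanaged": evaluate(
            AccessRequest(alice, home_pc, "wiki", "198.51.100.4"), NOW),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:20s} {verdict}  {'; '.join(decision.reasons)}")
```

Only the first scenario is allowed. The internal-network requests are refused for the same reasons an external one would be, which is what distinguishes this from a perimeter model; in a real deployment the identity and device signals would come from the identity provider and device-management platform rather than being passed in by hand, and decisions would also be re-evaluated on a short interval rather than once per session.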
Conclusion
Digital transformation and cybersecurity are inextricably linked, and in today's digital landscape, cybersecurity is no longer just an IT issue but a business imperative. By fostering a culture of security awareness, empowering employees with knowledge and tools, adopting zero-trust principles, and continuously adapting security measures and training programmes, organisations can more confidently embrace digital transformation and unlock its full potential. Employees are not just users; they are also a critical line of defence, and their active participation is essential to building a secure and resilient future.