Cybersecurity education is a problem that must be addressed from the top down. Despite rising cybersecurity expenditures and self-assessed maturity in South Asia and Pacific organizations over the previous year, just 52% of Bangladeshi companies surveyed believe their board genuinely understands cybersecurity.
The top two threats of concern for APJ organizations are addressable by ongoing education and awareness campaigns: phishing or ransomware attacks, and weak or compromised employee credentials.
Survey respondents say the key cybersecurity challenges organizations in Bangladesh face are ransomware, phishing, and data breaches. The trends in Bangladesh match global trends, including the worldwide surge in ransomware attacks. Various reports claim that businesses globally lost an average of $8,500 per hour as a result of ransomware-related downtime.
“With ransomware attacks continuing to become more complex, organizations need a genuine, actionable cybersecurity education program. The current reactionary tendencies we’re seeing have created an ‘attack, change, attack, change …’ cycle regarding cybersecurity strategies, which is putting cybersecurity teams constantly on the back foot. Shifting priorities to become more proactive must start at the top and requires direction from executives, including investments in awareness and education across entire organizations,”
The single biggest obstacle to improving cybersecurity posture is a lack of budget, the survey shows. Other key obstacles include a lack of skilled workers and a lack of support from management. The skills shortage is still wreaking havoc. Fifty-one percent of Bangladeshi IT companies questioned expect some difficulty finding cybersecurity workers in the next 24 months. Fifty-one percent anticipate a significant obstacle. With recruiting continuing to pose issues, companies have identified the priority areas in which they feel the skills and capabilities of internal security specialists need to be increased. These include:
- Cloud security policies and architecture
- ‘Train the trainer’ employee and executive cybersecurity training skills
- Software vulnerability testing
- Staying up to date with the latest threats
- Policy compliance and reporting
Cybersecurity professionals’ top frustrations
The survey also highlights that cybersecurity professionals face challenges and frustrations in their roles, most of which are related to awareness, perception, messaging, and education. The top three frustrations in Bangladesh are:
1. Cybersecurity is frequently relegated in priority
2. There is not enough budget for security
3. Executives assume cybersecurity is easy and that cybersecurity personnel exaggerate threats and issues
Additional frustrations experienced by cybersecurity professionals across the region include:
1. Executives thinking there is nothing that can be done to stop attacks
2. Inability to keep up with the pace of security threats
3. Not enough investment and time into training general staff
“Cybersecurity professionals continue to face many frustrations in their roles this year, with many feeling their warnings and messages fall on deaf ears. Apart from lacking skilled security specialists, many of the other frustrations are directly addressable through education and awareness programs, starting at the executive and board level. The challenge for cybersecurity professionals faced with low levels of security understanding among company boards is that many are unlikely to invest in the necessary programs to alleviate these frustrations.
“Increasing spending on cybersecurity won’t help unless organizations understand from the top down the true nature and critical threat that cyberattacks constitute to their organizational capabilities, their customers and their own existence.”
Cybersecurity education must become a focus. The following is a five-step approach to help bring organizations up to speed on cybersecurity education:
1. Boards need help to understand it’s impossible to protect everything, and learn to prioritize the most critical information, data, and systems to protect.
2. Education courses on basic principles, the genuine likelihood of an attack, attack vectors, threat actors, and other terminology should be available to all staff.
3. Once basics are clearly defined, organizations need to develop strategies and integrate them with digital transformation programs.
4. The focus then becomes more operational in nature: applying legislation, breach response protocol, ransom payment policy, gap assessments, and future roles and obligations.
5. Businesses need to clearly understand compliance, the regulatory environment under which the business operates, what’s legally required when breached and what are the appropriate controls around data security and management.
Not many Bangladeshi enterprises are cloud mature. If institutions want to improve the user experience, cloud adoption is no longer an option – it’s a must-have. More than 60% of organizations in the survey said they either did not know or could not show return on investment to the board. Practitioners should be able to show return on security investments to the business, as only then will management value security decisions and allocate more budget.
The nation’s National CIRT and the central bank have taken the lead by releasing revised IT security guidelines for institutions, requiring organizations to develop an actionable cybersecurity road map that’s approved and monitored by management. Key steps organizations need to take include:
- Go beyond a focus on compliance. In Bangladesh, government regulations drive many security decisions. A proactive defense strategy is essential. Experts recommend adopting the Secure Access Service Edge, or SASE, model to build a proactive defense strategy.
- Give cybersecurity-related decision-making power to the CISO. Organizations need to give their CISOs the power to make decisions on their security strategies as well as lead incident response efforts. Ideally, CISOs should report to the board rather than the CIO, because security is not only an IT function but also a risk function and the board can relate to risks appropriately.
- Implement secure software development best practices. Organizations in all sectors need to adopt secure software development best practices, such as secure coding and code review, when using agile development methods and DevSecOps practices.
- Continue the shift to the cloud. COVID-19 has fueled cloud adoption to support the remote workforce. Close to 35% of enterprises are in the process of making a shift to the cloud, and the chances of other enterprises following suit are good. But adoption of the zero trust model to help ensure security in the shift to the cloud is essential.
- Adopt the “security as a service” model. According to a research report from MarketsandMarkets, the global market for MSSPs will grow from $24.05 billion in 2018 to $47.65 billion by 2023. The security as a service model enables organizations with limited budgets to gain 24/7 security coverage supported by skilled professionals and advanced tools.
- Build awareness-raising programs. The BGD e-GOV CIRT designs awareness campaigns and publishes relevant information. Unfortunately, these programs have not gained much traction. An information-sharing platform as part of a global community forum would help in enhancing practitioners’ cybersecurity skills.