Connect with us

Hi, what are you looking for?


Change the culture to deal with cybersecurity threats, say IT experts

The global cost of cybercrime reached $600 billion in 2018, and is expected to reach $3 trillion by 2020. Because of the layers of issues that coalesce when tackling the cybersecurity landscape that IT experts say cultural change needs to happen to effectively deal with cyberthreats.

SAN JOSE, CALIFORNIA – Security is harder than everyone thinks, according to Vikram Phatak, founder of NSS Labs, here at NetEvents 2019: Global IT Summit.

This is not surprising because the global cost of cybercrime reached $600 billion in 2018, and is expected to reach $3 trillion by 2020. Current top targets for cybercriminals include government agencies, healthcare industry, and financial industry – where, according to Phatak, “there’s money.”

Thomas Edwards from the US Department of Homeland Security noted that “cybercrimes are driven by profit.” Cybercriminals, for instance, are after personal identification, and then turn this into profit; or are after credential theft, but then again eye to monetize this (credential).

Surprisingly, cybersecurity spending is pegged at only $124 billion in 2019, and only growing to $188.4 billion by 2023.

Phatak noted that there continues to be various issues affecting how companies respond to cyberthreats. There is skills shortage, for instance, with “not enough trained cybersecurity experts”, and labor-intensive solutions requiring these experts. Also, “new attack vectors (force) us to compromise ourselves (since) situational awareness is lacking.” And then “we have to consider where we’re headed – e.g. cloud, IoT, 5G, and what happens when attacks jump from the virtual world to the physical world?”

But exactly because of the layers of issues that coalesce when tackling the cybersecurity landscape that IT experts say cultural change needs to happen to effectively deal with cyberthreats.

Advertisement. Scroll to continue reading.


According to Michael Levin, CEO and founder of Center for Information Security Awareness, “We’re not training our people about cybersecurity until there’s a problem.” For him, therefore, “how do we create a culture (that is aware of cyberthreats)?”

This is because for him, “when you think of cybercrimes, you also need to think of social engineering.” This means that the crime can be done in many ways – e.g. it could be over the phone, over social media, or over emails. “There are so many ways (for cybercrimes to be done), so that you have to come up with mechanisms for employees to be always on the lookout. We need to come up with simple mechanisms to deal with these crimes.”

Threats could come from various sources, but Levin said that it doesn’t matter where these come from. In the end, “you still have to train your people (how to deal with the threats).”

Ted Ross, CEO and co-founder of SpyCloud, recommends the establishment of a “zero-trust culture”.

“People underestimate cybercriminals’ ability to innovate,” he said, noting that cybercrimes have long been associated with emails. But “fairly sophisticated criminals can access data” so there is a need to teach employees to “treat everyone as an adversary.”


Advertisement. Scroll to continue reading.

Some of the cyberthreats are actually easy to discern if employees “take it slow.”

Levin, for one, said that people need to heed the “sense of urgency” of an act (e.g. an email). “This forces people to think quickly, and this results in fraud. For instance, we click links and attachments (when we think they’re urgent).,” he said. “Now how do you get people to think, and to slow down.”

For Levin, there is a need to create policies and procedures for this.

Edwards added that “employees need to know that it’s okay to commit mistakes (by having an) open culture.” This way, employees are “transparent with their cyber hygiene.” With the transparency, they are therefore empowered; which will prove beneficial to the company in the long run.


Paul Kraus, VP for engineering of NetScout Systems Inc., said that companies need to know what they have (their assets). “(It starts with) gathering of inventory of what you have. How valuable is the asset? Secondly, can you monitor? Does the security team even understand what’s out there?”

Edwards from the US Department of Homeland Security similarly noted that without sharing of information between the private and public sectors about cyberthreats, “we’d lose the battle eventually; so information sharing is important.”

Advertisement. Scroll to continue reading.

Nowadays, “security is like a gym membership,” Phatak said. “You join, but do you really use it?” And in the end, to really deal with cyberthreats, “you need to use this membership.”


Like Us On Facebook

You May Also Like


The combination of Sophos Intercept X with Snapdragon compute platforms will provide users next-generation security through an always on, always connected PC environment.


Providing a sense of security for its subscribers has pushed Converge to also provide quick access to online support while raising awareness through online...


Poll shows how people are managing the pandemic as we approach the one-year anniversary of the start of large-scale quarantines that forced millions of...


Despite a global improvement in perceptions around gender representation, over a third (38%) of women claim that a lack of women in the tech...


The Philippines slipped two notches down from its previous ranking in the latest top 10 global list of countries with the most web-borne threats...


According to the research, employers have an ongoing task to understand the challenges employees continue to face and to provide the necessary resources for...


bluedog was launched two years ago to make professional cybersecurity services accessible to a wider audience – including businesses in Asia and smaller firms...


The remote setup had employees bringing home their workstations, taking devices out of the protection of cybersecurity systems found inside offices and leaving them...