Human resource or human capital is the greatest asset of an organisation but over the last few years, lack of skilled employees as well as complex information systems have made that greatest asset one of the greatest risks for an organisation, Prof. Mathew Warren, Deputy Director at Deakin University Centre for Cyber Security Research of Deakin University, Australia said recently.

He made these remarks at the fourth EC-Council Cyber Security Summit 2016, co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT. Addressing the gathering, he explained the importance of building a cyber-receptive workforce within an organisation.

Think like a villain to beat a villain

“An organisation should not only focus on their staff individually but collectively. To face modern cyber threats, you need to develop them in terms of their skills, knowledge and experience. In a cyber-security breach, the organisation’s human capital would react collectively and not become victims of a certain cyberattack. Your human capital should be aware of what is going on in the cyber sphere and polish their skills on different technology changes as new threats loom.”

Prof. Warren explained that the complexity of the modern systems that run inside organisations has become a major source of cyber security risks and threats, due to the low capacity of skilled and knowledgeable employees.

“All of a sudden, the systems that your employees need to protect have become much more complex. Your organisation might have several information systems, scalar systems or control systems which control key industrial activities. It will be more challenging for the employees if your system is a part of a country’s critical infrastructure or a platform that collaboratively functions with several other companies. Organisations have invested millions of dollars in high-level automation systems to accelerate their processes but they bring so many security risks and security threats because organisations don’t hire capable employees to operate these systems or they tend to invest less in training employees,” said Prof. Warren.

Global statistics show that 75% of cyber incidents against critical infrastructure are all intentional, said Prof. Warren. “The main reason for this is devices which haven’t been properly configured according to proper security protocols. People have various devices to enter into systems but they are not knowledgeable or poorly trained on how to use these devices. In many cases, employees are not aware of security issues, which is becoming a greater issue for organisations. You are very proud of the human capital but the question is how many of them would actually survive in a cybersecurity disaster,” he said to the audience.

Over time, organisations want to improve their security. According to Gartner’s Security Maturity Model, organisations are looking to develop from a stage of reacting to cybersecurity threats in an ad-hoc manner to having properly placed cybersecurity policies, security controls and situational awareness. However, Prof. Warren said that this could also go the other way. Depending on how employees react to new types of threats, the maturity of an organisation can decrease, which is a potential threat for the future.

Developing human capital

He talked about how organisations could develop their human capital. “Organisations can always recruit people but this is where the problem lies. Are they the best people? Do they have the skills and knowledge? Organisations also have issues when their long-time employees go and join the competition. Will you lose all your secretly-kept information? Will you be able to find the perfect person to replace him or her? The time of impact is also important. Inside a boardroom, resolution for a problem will be discussed but the question is how fast you could resolve it. Can you resolve your issue today? It would take time for many companies to implement strategies and it takes time to train and recruit correct people. The time is the issue that we all face in regards to cybersecurity.”

Citing global statistics again, Prof. Warren said that CISCO publicly told the Australian Government that there is a global shortage of million cyber security specialists and professionals. Symantec CTO Michael Brown has also revealed that by the year 2019, there is going to be about a 17 million shortage of cyber security professionals. In terms of human resources, cyber security is becoming a huge issue and companies are finding it hard to acquire skilled employees to protect their systems, said Prof. Warren.

“CISCO has identified that G20 countries lose 1% of their GDP per year due to cybercrime activities. For Australia, that would be an estimated 17 billion dollars. From an economic point of view, that is a huge loss.”

He explained Australia’s 2016 cybersecurity strategy, which talks about a national cyber partnership between the government and industries, strong cyber defences, global responsibility and influence by sharing expertise with other countries, and growth and innovation. The aim is to grow the cybersecurity industry in Australia and become a cyber-smart nation. The Australian Government is looking to promote science, technology, engineering and mathematics from school level and is also looking at introducing cybersecurity professional studies through universities. Competitions and internships will be used as mediums to further promote cyber security throughout the country. The total spending for the entire initiative is a thumping A$ 230 million, which equals Rs. 25,550 million.

“What you are seeing globally is that countries are realising that they are having problems. Sri Lanka is the same. When you put up policies to face these threats, it should be always a crystal clear partnership between the government and industries. I was very impressed by the measures which Sri Lanka is taking to protect the country from cybercrimes and building links between industries and the government,” said Prof. Warren.

Prof. Warren further talked about the transformation from information security to cybersecurity. “It is about protecting entire functions within an organisation, rather than focusing on organisation’s technology aspects. When we talk about cyber skills, it is not just about technology skills. Understanding technology is important but organisations now want their IT employees to understand Office of the Council of Europe security from a policy perspective as well. Organisations now need people who would understand the human aspect of security and develop awareness programmes so that they could explain certain elements to non-technical employees.”

“One of the interesting aspects of global security is that it is a global job. It means that I could work in Australia or I could work in Sri Lanka; you have the ability to move around the world with those cyber security skills. We have also seen a huge salary increase for cyber security professionals as well because organisations are realising that they are not able to attract that human capital easily so they are putting up a big salary for those individuals. The risk is that they may be employing people who do not have the best skills and qualifications. That is going to be a worried issue into the future,” said Prof. Warren.



Capacity building on cybercrime

Delivering the guest speech, Dr. Matteo Lucchetti, Project Manager, Cyber Crime Program, Office of the Council of Europe in Romania, talked about building capacities in Sri Lanka to effectively counter cybersecurity crimes. He used statistics borrowed from the Sri Lanka Computer Emergency Readiness Team (CERT) to analyse patterns and trends in Sri Lanka.

“When talking about human capital, we really believe that capacity building, administrating proper education and developing programs which can develop capacities are of importance. If we look at CERT statistics, we can see the increasing pattern of cybercrimes which is a global phenomenon too. Cybercrimes are happening everywhere and they have to be dealt in everyday life. When you look at these statistics, it is evident how cybercrimes spread within the landscape in different names. In 2015, Sri Lanka has seen an evenly-distributed histogram of cybercrime activities which means that public and private organisations as well as individuals have been affected by different types of threats,” Dr. Matteo said.

According to a survey done by CERT in 2015, 35% of the respondents believed that their information is of no use to hackers. This showed that the users were unaware of the value of personal information, especially in the hands of third parties or cybercriminals who could misuse such information in various ways.

He told the audience about the Budapest Convention on Cybercrime, which was formed in 2001. It is the first international treaty seeking to address Internet and computer crime by harmonising national laws, improving investigative techniques, and increasing cooperation among nations. It was drawn up by the Council of Europe in Strasbourg, France, with the active participation of the Council of Europe’s observer states Canada, Japan, South Africa and the United States.

As of March 2016, 49 states had ratified the convention, while a further six states had signed the convention but not ratified it. Sri Lanka became a fully-fledged member of the convention in September last year, becoming the first to do so in South Asia.

“Sri Lanka ratified the convention on 29 May 2015. Country’s accession to the Convention was the fastest by any country, not least because of its earlier groundwork on international cooperation against cybercrime. This was made through the great collaboration we had with the ICTA who took the lead and paved their pathway to the Convention. Other non-Europe Council countries who have ratified the convention include USA and Australia, whose presence is quite useful when it comes to cybercrime specifications.”

The Budapest Convention’s scope is vast. It covers the criminalisation of conduct, including illegal access and interception, data interference, child pornography and misuse of devices; procedural tools such as search and seizure and interception of computer data; and international cooperation. All these elements bring harmonisation among its members, Dr. Matteo explained.

GLACY and beyond

He spoke about the Council of Europe’s role in capacity building: in 2013, its committee of ministers decided to open a special office in Bucharest, Romania, to support countries worldwide in strengthening criminal justice capacities on cybercrime and electronic evidence. He also spoke about GLACY, a European Union/Council of Europe project on global action on cybercrime, which was set up to enable criminal justice authorities to engage in international cooperation on cybercrime and electronic evidence on the basis of the Budapest Convention on Cybercrime.

“This was started in 2013 November with a duration of 36 months. The budget for the whole initiative was EUR 3.35 million and Sri Lanka was a priority country as well. Some of the components of GLACY were judicial training, international cooperation, building law enforcement capacities, information sharing and harmonisation of legislation. During last April, we conducted another activity in Sri Lanka where we trained trainers using an introductory course on cybercrime and electronic evidence for the judiciary. Overall, we have done more than 60 projects during 2015,” Dr. Matteo shared with the audience.

Dr. Matteo shared details about GLACY+, a new initiative to extend the experience of the GLACY project, which supports seven priority countries in Africa and the Asia-Pacific region including Sri Lanka. These countries may serve as hubs to share their experience within their respective regions. Moreover, countries of Latin America and the Caribbean as well as others in Africa may now also benefit from project support. The total investment for the project will be EUR 10 million with a duration of four years. Dr. Matteo said that Sri Lanka will be named as a hub under this project.

“Under GLACY+ framework, Sri Lanka will play the role of a hub for the whole South Asian region. We will look forward to work with Sri Lankan authorities in years to come and all the cybercrime related activities will revolve around Sri Lanka,” Dr. Matteo said.

The initiative will have three main objectives: promoting cybercrime and cybersecurity policies and strategies; strengthening the capacity of police authorities to investigate cybercrime; and enabling criminal justice authorities to apply legislation, prosecute and adjudicate cases of cybercrime and electronic evidence, and engage in international cooperation.

A consistent act for computer crimes

Attending the panel discussion, ICTA Sri Lanka Director and Legal Advisor Jayantha Fernando explained how the Computer Crimes Act will be redefined, after Sri Lanka’s accession to the Budapest Convention.

“In terms of our law is concerned, the Computer Crimes Act No. 24 of 2007 embodies the principles of the Budapest Cybercrime Convention. We have seen the provisions based on the Budapest Convention which means that the defences that are identified in the Computer Crimes Act of Sri Lanka are consistent with the Budapest Convention. What is more important is that the procedure for investigations in the Computer Crimes Act is based entirely on the features of the Budapest Convention.

“As you know, we need to review the implementation, based on cases heard at various levels and cases tried before the High Court and then evaluate the performance of the law as we go along. We need to also look at how best our law could adapt to growing challenges and threats resulting from offenses committed on the internet. Sri Lanka’s standard so far meets international norms but it needs to do the next step of capacity building,” said Fernando.

Vivek Srivastava, Security Lead – Commercial, India and SAARC for Cisco spoke about how corporates should take on capacity building in cybercrime.

“When you analyse a threat, the way to stop it would be the way how you respond to it. Then you need to look at how to bring down the effect of the threat. One basic element is that you want less people to be victimised. If you look at the corporate world, they work very closely with governments especially through CSR initiatives. For example, Indian Government has recognised the importance of cybersecurity. We had a discussion with the government and we wanted to do something around this subject.

“We have invested a good $ 60 million and we met academies and encouraged them to promote cybersecurity among students. This will focus primarily on building cybersecurity expertise. We are also looking at bringing other corporates so that we could build a pool of resources and expertise. Our aim is to build a cyber-reach, kind of a simulation office which simulates cyberattacks in real time. Corporates do play an important role in terms of capacity building,” Srivastava said at the panel discussion.

The EC-Council Cyber Security Summit 2016 was co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT.  Supported by the ICT Agency, the strategic partners of the 2016 Cyber Security Summit were Microsoft and CISCO, the electronic payment gateway was LankaPay, the insurance partner was Sri Lanka Insurance, the creative partner was BBDO Lanka, the printing partner was OfficeMax, the hospitality partner was Cinnamon Lakeside and the electronic media partner was MTV and MBC Radio. Deakin University and EPIC Lanka also extended their support to the Summit.

Pix by Samantha Perera and Nirmala Dananjaya
