Nov. 30, 2016
Photo - During game (standing, from left) KPMG's Chan Siew Mei and Dani Michaux
As cyber security challenges faced by the public and private sectors continue to increase, gamification is one of the approaches being used to increase security awareness and develop new talent among students in Malaysia.
During KPMG's recent challenge for students in Malaysia, Chan Siew Mei, partner and head of Advisory, KPMG in Malaysia, said, "We see the importance of inculcating an early mind-set among the youth segment - especially students and undergraduates - on the importance of managing personal information and gaining a deeper insight into the intriguing and damaging effects of cyber security threats. The purpose of the KPMG Cyber Security Challenge, which is held annually, is to encourage continued awareness of cyber security threats among the younger generation via an avenue of learning through a gaming environment of fun and education."
This second edition included challenges related to web and mobile applications, cryptography and other areas, faced by students from universities such as Asia Pacific University, Multimedia University Melaka, Universiti Tun Hussein Onn Malaysia, University Kuala Lumpur, Universiti Teknologi Petronas, Uniten, Tunku Abdul Rahman University College, Taylor's College, University of Science Malaysia, University Malaysia of Computer Science & Engineering (UniMy), Kolej Universiti Islam Antarabangsa Selangor, Sunway University, University of Malaya, Universiti Teknologi MARA and Kolej Profesional Mara.
Also present, Dani Michaux, head of KPMG Asia Pacific's Cyber Security & chief information officer in KPMG Malaysia, said, "The Challenge enables us to look at the ability of our local students to recognise the threats of cyber security. It is not only awareness that we are creating through this Cyber Security Challenge but a platform where the students can gain knowledge of the real threats in today's advanced technology environment."
"Participating in the challenge provides students with simulation of such threats to create stronger awareness, which would help them mitigate personal risks as these students and youths are highly engaged in using technology tools and gadgets," said Michaux.
She said both private and public sector organisations find it difficult to believe they could be a target of cyber attacks. This "mind-set needed to change as the best offence is a good defence."
Securities Commission guidelines
Michaux said survey findings from KPMG's thought leadership publication 'CEO Outlook 2016' showed that chief executives globally, including those from Malaysia, continued to face challenges on risks associated with cyber breaches and being fully prepared for a future cyber event. CEOs recognise there is work to be done to protect their organisation, with 72 percent of CEOs not feeling fully prepared for a cyber event.
Recognising the changing cyber risk landscape, the Securities Commission (SC) in Malaysia recently issued the 'Guidelines on Management of Cyber Risk' (ref. SC-CL/2-2016) with an effective date of 31 October 2016, focusing on the enhancement of the cyber resiliency of all market participants, said Michaux.
"We believe that many organisations today still fail to address the magnitude of the issues they are facing in relation to their cyber exposure," she said. "The reason for this is simple - many organisations believe that they are not exposed, but more often than not there has been very little assessment done in the adoption of emerging technologies and the completely new risks these have brought in. It is often difficult to answer a simple question - what is cyber risk and what it means to the organisation and who is accountable and responsible for it?"
"Often we observe struggle in definition of ownership of data and risks associated with it, with risk owners unable to understand the real impact and likelihood of potential cyber risks," she said.
Michaux said the SC Guidelines are defining an overall cyber resiliency framework requirement, which when implemented holistically across the organisation aims to provide a capability to become a more resilient organisation. The involvement of everyone from the Board of Directors, Board level committees, and the Corporate Communications and Operational team is crucial to ensure successful implementation of a comprehensive cyber resiliency framework.
"Developing these capabilities is key to ensure the organisations are able to prepare, protect, detect and respond to potential cyber events in the least disruptive manner, allowing the business to continue operating," she said. "However, to ensure that the frameworks are well operationalised and institutionalised, it is also crucial to have key cyber security talent and teams within the organisation dealing with these issues on a daily basis and working hand in hand with the top management and board members on the solutions. Ensuring the next generation of professionals is well prepared for industry challenges is paramount."