The Playbook on Cybersecurity
In the words of our founder and chairman Tan Sri Dr. Jeffrey Cheah, “we cannot overcome the challenges of the digital age using analogue mindsets.”
To put a foothold in the challenges of cybersecurity, Sunway has upped the ante, especially in this pandemic landscape, to provide better online safety for the Sunway community.
Digitalisation is a fickle thing. It has revolutionised the world in numerous, wondrous ways that were undreamt of, especially in the past 10 years.
But with revolution, comes change. Alongside the innate ability to access the world with a simple touch or a click, it has placed huge question marks on our safety in the cyberworld, more so towards large conglomerates or corporations harnessing gargantuan volumes of data through their businesses, and even more so now that the pandemic has accelerated digitalisation.
Sunway is aware of the risks – as well as the duty to safeguard data across our 13 business divisions against threats and hackers.
At the Innovation@Work Asia Week organised by The Economist, Sunway Group chief information officer Kevin Khoo shared his insights on how Sunway has fortified cybersecurity measures across the organisation, providing a secure remote work experience for our people.
Diversification: The Digital Transformation Strategy amid Pandemic
Sunway is a conglomerate with its finger in every pie, with 13 diversified businesses such as real estate, malls and healthcare. As a house containing a variety of businesses, a one-size-fits-all strategy is highly improbable to achieve the best outcome, hence the test to implement a strong cybersecurity makes it a captivating challenge for Kevin.
The COVID-19 pandemic that hit our shores on March 2020 has also greatly emphasised the need for digital mobility and data availability, as well as propelling a shift in security strategies across the Group.
Kevin says that “as we put more data to our users, we also need to find the right balance.”
He further gave the comparison of cybersecurity being akin to physical security, and how it poses a similar conundrum.
“We want to protect our homes and where we stay. Hence, in order to increase security, we would implement biometrics, stronger locks, alarm systems and the whole works. But does that make sense in the grand scheme of things? You would probably need five to ten minutes to get into your house. Similarly, cybersecurity requires the right balance between security and accessibility,” explains Kevin.
Hence at Sunway, though cybersecurity systems vary across different divisions, we use the information security management system (ISO: 27001 standard) as our guiding principle on information and cybersecurity. This standard enables organisations of any kind to better manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties, providing the necessary framework for safety in the digital space.
How is Sunway Spreading the Word?
It is one thing to have a sound cybersecurity system in place, and another to make sure every employee is on the same page in ensuring their online safety and security.
To continuously proliferate the awareness and knowledge of Sunway’s digital advancement, we have stepped up to the plate by implementing four key strategies to educate our people, working alongside with our Group’s human resources, communications and internal audit department to strengthen the message.
Practice Makes Perfect
The first strategy trains our people in the fundamentals of cybersecurity by conducting a yearly phishing simulation exercise.
“At specific times throughout the year, we would blast out mail to our staff with typical phishing baits such as ‘you have won a new iPhone’ or ‘you have won a vacation’,” described Kevin about the phishing simulation exercise.
He further adds that to up the ante, the team gets creative and utilise different styles of emails, such as “your ID is expiring in three days, please submit your data here”. From there, Group IT provides training for those who have unsuspectedly submitted the data, creating a targeting awareness session for the “victim” to educate them.
Kevin concludes by saying that there has always been a year-on-year improvement, with this report being presented to the board of directors to show that we are continuously upgrading ourselves to be more vigilant against phishing.
Spreading the Word on Virtual Cybersecurity
Sunway has also conducted numerous forums, seminars and virtual sessions, as well as inviting speakers to continuously raise awareness and knowledge on cybersecurity topics.
“We wanted to increase the range of cybersecurity subjects not only to those related to work, but also for topics such as child safety on social media platforms or password security. Having a wide scope will pull in interests for more people and raises awareness on various cybersecurity issues for our people, especially outside of the workplace,” says Kevin.
Communicate. Communicate. Communicate
“It is stated in our KPI published in monthly newsletters circulated to all our staff, especially during festive periods,” said Kevin.
He further adds that this is important not just when they are on leave, but also for those returning to work who may get lost in the deluge of emails. Thus, before any festive season, we send email blasts to warn what could happen.
It is said that in order to infiltrate a stronghold, you must first locate its weak spots.
Unfortunately for a company as diverse as Sunway, the most susceptible to cybersecurity attacks are especially, new employees who join our ranks as they would be deemed the least informed on the cyberspace of their new workplace. Hence, as part of their onboarding procedure into the Group, they are made aware of cybersecurity hygiene and threats associated with it.
A Perspective on Cybersecurity from a Diversified Business
“As a brick-and-mortar company housing different businesses from hospitals, to malls and universities, and as we journey further into the digital space, we have to think about data security and data privacy, more so now with the launch of Sunway eMall or telemedicine consultations at our hospitals. We need to be careful and structured in how we manage our customer information,” affirms Kevin.
Kevin further adds that a committee was formed to further buttress this initiative. Led by members of the board, and chaired by our president, Tan Sri Chew Chee Kin to oversee our Group’s ESG initiatives, there have been extensive discussions on the sharing of data, setting proper guidelines to govern data sharing, and how we share the data properly without infringing General Data Protection Regulation (GDPR) or Personal Data Protection Act (PDPA) policies.
We have also established an extensive governance framework comprising committee representatives from all our business units. We also hold meetings every month to discuss issues, challenges and potential breaches that may arise from this.
Sunway continuously champions and advocates the UN-SDGs, as well as the ESG principles in our day-to-day job scopes and KPIs, amalgamating sustainability alongside our digitalisation initiatives. By aligning our cybersecurity goals with the ESG framework, we ensure that regardless whether at home or in the office, we will always provide a safe and conducive work space for our people.