Risk managers must focus on the awareness and actions of employees when tackling cyber threats
Technology is never going to offer 100% protection while people are still responsible for operating systems, according to senior vice president of risk management at Hong Kong-based telecommunications company PCCW, David Ralph.
Ralph has told StrategicRISK that risk management should be focusing on the people risk aspect of cyber risk.
“Regrettably, at the moment, the latest generation coming into the workforce do not have an appreciation of the issues we deal with on a corporate basis,” Ralph says.
“They are more laissez faire in terms of how they treat the security and confidentiality, [and] in terms of how they protect their information systems. That is a big problem we are facing which still rolls out of that people risk issue.”
Ralph, who had a background in IT security before moving into risk management, says risk managers must keep promoting risk awareness to employees and explaining to them that the ultimate responsibility for protecting company systems rests with them.
“We [PCCW] are a critical industry [to people] by being in communications,” he says.
“We need to keep pushing that message and drive home where the risks are coming from and what needs to be done.
“We [risk managers] must work with different business units when they are developing products and solutions to ensure those business units think about if their solutions, systems and processes meet the security which is required.”
Ralph adds that, especially in Asia, risk managers have to take a more active role in contributing to the management of the company.
“They [risk managers] have to be more proactive in coming forward with the solutions and identifying issues which need to be addressed,” he says. “Providing solutions, or recommendations, that could be adopted.”
Ralph also suggests that risk managers look more broadly at what can be done to mitigate and transfer risks.
“At the moment there are too many people who are called risk managers, but effectively they do little more than an extension of a purchasing officer and therefore their contribution involves going out and buying the cheapest insurance they can get, thinking that is the answer to risk management,” he says.
“That is what we must work on trying to improve in Asia.”