Recommendations


Short-Term Goal: Promoting Incident Coordination and Handling
Long-Term Goal: Establishing Preventive and Protective Mechanisms


Continuous efforts to engage and improve

TWCERT/CC serves as a bridging organization for domestic and overseas partners by exchanging security incident information. In Taiwan, it is the coordinator of incident reporting for private companies and an enthusiastic promoter of public security awareness. It also provides services to a wide range of partners, from governmental agencies and enterprises to the general public, to meet their security requirements.

Training and raising awareness

TWCERT/CC not only consolidates and shares information, creates security publications, and assists in handling reported incidents; it also acts as a security missionary by carrying out security literacy education with easy-to-understand videos and infographics, so that social networks help diffuse the information, whether the audience is the general public or a specific segment.

Coordination, handling and bringing together resources

Since security outsourcing has become the norm for companies in the private sector, TWCERT/CC can do more than make referrals or broker collaboration: it can also set industry standards or provide industry-specific and requirement-specific guidelines for those seeking security solutions.

Preventive / protective mechanism

TWCERT/CC has also built a mechanism of assistive prevention service, through which companies can join the alliance for free or for a small fee. If a security incident occurs in the future, the company can apply for the alliance fund and services. This approach also benefits alliance members because the requirements of SMEs can be consolidated before price negotiation with solution providers, achieving economies of scale that not only bring down costs but also bring vitality to the market.

To Continue Providing Security Consultation Services/Sharing Info/Identify Service Req. from the Surface Downward


83.0% are aware of the existence of TWCERT/CC. 32.9% have interacted with it, whereas 50.1% are aware of the organization but have never interacted with it. Reasons for never interacting include having no such demand, not knowing the contact information, and not being familiar with TWCERT/CC services.

'Report and response' not only has the highest service demand rate, but also the highest service recognition rate and the most interaction. The high interaction rate shows that TWCERT/CC's incident report and response service addresses the core of actual enterprise needs. From the interviews, we found that respondents may have heard the name TWCERT/CC without necessarily being familiar with what it actually does. When they do interact with TWCERT/CC, they do not always contact the person in charge of incident report and response.

By contrast, more than half of the respondents express demand for 'security consultation', yet the actual interaction rate is as low as 15%. Despite nearly 40% demand and awareness, 'information sharing' has an interaction rate of only 10%.

n=529
Source: This report (2020)

Service                              Req. fulfillment rate (C/A)   Interaction conversion rate (C/B)
Reporting and response               39.9%                         38.2%
Security consultation                28.6%                         36.7%
Incident coordination and handling   29.9%                         33.9%
Info consolidation                   29.9%                         30.0%
Info sharing                         27.6%                         27.8%
Seminar                              50.8%                         51.4%

n=265
Source: This report (2020)

Enterprises Should Provide Diverse Education/Training from Security Literacy for Employees to Nationwide Security Education


When it comes to a company's attitude towards security planning, 'staff training', 'regular courses', and 'information update' are the top priorities. This coincides with the point made by one respondent in the convergence analysis: 'Cyber-security has become common sense. In the past, security topics might have been some sort of knowledge or expertise that was nice to acquire. However, as network technology is advancing at incredible speed, security literacy is now equal to the common sense that everybody should have.'

Internal Security Priorities

Staff: staff training, regular courses, information update
Hardware: using security-related hardware/equipment and taking preventive measures
Software: using security-related software appliances and taking preventive measures

n=529
Source: This report (2020)

Enterprises to proactively enhance the employees' security literacy

In addition to regular training courses and seminars, some companies send simulated phishing emails to their employees to check whether they stay alert to potential security threats, and include security awareness as part of the performance review.

Security training, no matter how many hours are required in a year, is made compulsory for users. Despite taking all the mandatory courses, some of them still get fooled by the phishing email we sent. When an employee takes the bait, there will be punishment - more security training and a demerit in the performance review, which might affect their bonus amount.

Offer diverse training courses based on the requirements

In hospitality businesses, entry-level staff and front-line service staff have direct access to customers' personal information, so these businesses put strong emphasis on entry-level staff training. Besides giving in-person lectures, developing training materials in a user-friendly, easy-to-share form also helps enhance employee security literacy.

IT personnel could be the cause of security issues because IT staff have the highest level of authority over the system. If this person lacks proper security literacy, he/she is the system's vulnerability. If IT staff are well equipped with security awareness, they can also give lectures and help colleagues from other departments. If you ask a manager to attend the training, he/she will not pass on the information to others.

Take incident reporting, for example: people with no knowledge of this topic won't even bother to check what it is. Since this is the service we are offering, we could come up with a more effective way of delivering the information - it could be a push notification, or sending (animated) videos to people's mailboxes instead of an article. People don't have much patience for reading through articles.

Getting certified means the company attaches significance to security protocols

Whether or not a company outsources security services, more than 40% have been certified. This means that even though some companies have outsourced their IT systems to spread the management risk, in general they still value standard security management protocols.

With Half of the Enterprises at Risk, it is Imperative to Understand the Req. and Create Industry Guidelines


84.1% of the IT systems are connected to the Internet (n=629)
64.8% are with outsourced IT system (n=529)
84.1% of the IT systems are accessing personal information (n=529)
58.3% are outsourcing their security operation (n=343)

Source: This report (2020)

All industries are facing security risks

57% of the enterprises have an IT system, and their Internet connection rate and personal information access rate are both above 80%. Among these, more than 70% of businesses have IT systems in the following four industries - finance and insurance, information and communication, electricity and gas supply, and manufacturing. Unlike companies in the first three business types, which already have IT security audits conducted by their respective competent authorities, manufacturing businesses are at the highest security risk. In addition, the risks facing hospitality businesses are also higher than average.

IT outsourcing is common and requirements differ greatly. However, there are no industry guidelines to follow or to use as a reference

With sufficient technical manpower and rich resources, large enterprises are more capable of selecting appropriate vendors because they constantly face high levels of risk. To relieve the burden on manpower and spread the risk, purchasing or subscribing to professional security software turns out to be a better solution for them. SMEs, in contrast, do not have as many resources and have no guidelines to follow. They may have a hard time choosing the right vendor because they are concerned about being overcharged, not being able to afford the software, or having no funds to handle a security breach.

Pushing Forward Industry Guidelines

The guidelines should define straightforward system security specifications compliant with global standards. In addition, they should be simpler than the ISO 27001 standard, so that it is easier for SMEs to be certified. The guidelines should also be the Taiwanese equivalent of EU/USA security standards, so as to increase Taiwanese companies' competitiveness when they promote business in the global market with recognized Taiwanese security capabilities.

Request enterprises to complete implementation of the security guidelines: ensure all domestic businesses are fully compliant with the security guidelines by offering tax discounts or incentives.

Stress that different supporting measures are available for enterprises of different sizes: the guidelines should serve enterprises of different sizes. For large enterprises, the guidelines should include an incident reporting and handling process with legal validity. For middle-sized companies, compliance means being certified by the government, while basic services will be made available for small companies.

Make self-assessment forms available for all enterprises: it will also be effective to create an evaluation questionnaire for SMEs, so they can perform a self-assessment and better understand their own security capabilities and requirements.

Legal Awareness in Security Training and Specific Assistive Prevention Service Plans


As security-related laws and regulations continue to evolve, enterprises should keep up with the latest legal developments by continuously improving their own security capabilities and striving for a healthy and sound social function on the Internet. Therefore, security-related laws should also be part of security literacy.

On one hand, TWCERT/CC can help enterprises fully understand the legal framework so they can drive their internal security response. On the other hand, TWCERT/CC can report current business practices and scenarios to the legislative organization so it can identify the catalysts and friction for business development, further fostering win-win cooperative relations.

To accommodate private companies' outsourcing requirements, TWCERT/CC can do more than refer and recommend security service vendors. It can address these needs by building a mechanism of assistive prevention service, in which companies can join the preventive mechanism for free or for a small fee. If a security incident occurs afterwards, the company can first access the fund and services provided by assistive prevention. At the same time, TWCERT/CC can take the opportunity to offer more comprehensive services, understand company-specific requirements, and help companies develop the habit of proactive incident reporting for better interaction.