article banner
From Where We Sit

The strongest link in cybersecurity

If you receive an email resembling a familiar email format and address and saying the Covid-19 pandemic assistance fund would be released today, and it asks you to log on through a link to know more about the fund’s computation, what would you do?

Such emails have regrettably become common. In recent years, we have seen a sharp increase in the number of cyberattacks that caused exponential financial losses for and inordinate reputational damage to the high-profile individuals, governments, financial institutions and other organizations they targeted.

Cybersecurity is not a new concept, but rather an unceasing concern for governments and companies. Despite the growing level of awareness about cybersecurity risks, and corresponding preventive and detective measures deployed by organizations, why do cyberattackers still manage to penetrate and exploit the information technology (IT) systems and networks of their targets?

The answer lies in the most valuable yet most vulnerable assets of every organization: its employees.

Several studies say the majority of cyberattacks are executed with the help of unknowing employees. The most common scheme used by cyberattackers is phishing, which involves sending fraudulent communications, usually emails, that appear to originate from a legitimate and reputable source. Its aims to steal sensitive information, such as employee log-in information, credit card details, customer master data and other confidential information. It may also lead to the installation of malware in the target’s computer, which can be used to disrupt, damage or gain unauthorized access to an organization’s computer systems.

Cyberattackers use phishing not only to obtain financial gain, but also to commit more advanced cybercrimes against them.

The need for cybersecurity trainings

Cybersecurity threats remain a major challenge to organizations across various industries, and as technology advances and more complex business processes are introduced, more innovative cyberattack schemes surface.

There is no single solution that can fully prevent cyberattacks from happening, but an effective cybersecurity strategy can be of great help. It involves appropriate controls to maintain an adequate base level of security among employees, which is supported by trainings.

For employees to spot and prevent security breaches, they need to be educated on the different ways cybersecurity threats present themselves. Companies must arm their employees with the right knowledge and proper behavior in dealing with cyberattacks.

Employees need cybersecurity trainings to protect not only themselves, but also the entire organization against cyberattacks by making them aware of such threats and the proper way of handling them. By doing so, we are reinforcing the most vulnerable links in the chain.

What we do best at P&A Grant Thornton

As more processes are being transferred online and with the introduction of flexible working arrangements under the new normal, the risk of cybercrimes becomes more prominent and employees are becoming more susceptible to cyberattacks.

Within our organization, we understand the risks associated with cybersecurity and how it can affect both our employees and the firm in general. As a countermeasure, our firm implements a robust cybersecurity awareness program for its over 1,000 employees to help promote, maintain and improve a security-conscious environment. It uses an advanced online training platform that enables them learn cybersecurity concepts and experience simulated phishing firsthand.

The antiphishing simulation training includes test scenarios based on the typical daily activities of the firm’s employees, including receiving emails, fieldwork in a different location, working from home, and use of mobile devices and public internet hotspots.

The results are evaluated to identify which areas need more improvement. As a response to the threats posed by these areas, more controls will be deployed.

Dynamic cybersecurity trainings

Every organization needs a dynamic cybersecurity training and awareness program that is tailor-fit to their respective industries. It must be a comprehensive and integrated solution that delivers results.

There are tons of cybersecurity solutions available in the market nowadays, but choose one that understands your needs as an organization and can help your organization cost-effectively reduce cybersecurity risks and incidents, and relieve you from the tedious process of setting up your own cybersecurity awareness program and hiring process.

Choose a solution that is simple, flexible and scalable.

Refuse be the weakest link

So what do you do when you receive an email resembling a familiar email format and address? Do not panic and do not click on any links. It is best to handle emails you’re unsure about with utmost caution. Verify the email address of the sender and consult with the concerned department.

Be skeptic. Be vigilant. Become the strongest link in cybersecurity.

Clyde Drexler Duque is a senior lead consultant of the Advisory Services Division of P&A Grant Thornton. P&A Grant Thornton is one of the leading audit, tax, advisory and outsourcing firms in the Philippines, with 24 partners and more than 900 staff members. We’d like to hear from you! Tweet us: @GrantThorntonPH, “like” us on Facebook: P&A Grant Thornton, and email your comments to or For more information, visit


As published in The Manila Times, dated 05 August 2020