Are You Cyber-Secure?

Cybersecurity Awareness in Bhutan: Key Findings and Training Initiatives

Cybersecurity refers to the practices, technologies, and processes designed to protect systems, networks, and data from cyber threats, such as hacking, malware, and data breaches. It encompasses a wide range of measures, including firewalls, encryption, antivirus software, and user education.

A recent survey conducted by Bodhi Media and Communications Institute (BMCI) reveals concerning trends in cybersecurity practices among Bhutanese users. The study found that 45.6% of respondents rarely change their passwords for online accounts, while 12.3% do not change their passwords at all. This highlights a significant vulnerability in online security habits.

The survey, which targeted general IT users, indicated that 75.4% regularly use computers and 70.2% utilize smartphones, with 66.7% accessing WiFi networks shared with others. Despite 70.2% of users taking precautions to secure their connections, only 54.4% employ Two-Factor Authentication (2FA) for their important accounts. This discrepancy underscores a varying level of cybersecurity awareness among users.

While incidents of cyber attacks in Bhutan remain relatively low, there is widespread apprehension regarding the misuse of personal information. The data emphasizes the urgent need for enhanced digital literacy. Notably, all respondents expressed a desire for cybersecurity training, reflecting a recognition of its critical importance.

Among IT personnel surveyed, 55% identified authentication as a key element for securing an Internet Protocol Virtual Private Network (IPVPN), while 14% emphasized the importance of encryption. IT officials reported a higher incidence of attempted breaches compared to actual incidents, reinforcing the necessity of proactive security measures.

In fact, 47% of organizations reported facing cybersecurity threats, including Document Management Systems (DMS) server breaches, phishing attacks, ransomware, and hacking attempts. Although over 80% of respondents demonstrated proficiency in installing firewalls and conducting data backups, many lacked the skills to recognize suspicious activities and understand social engineering attacks.

The training needs assessment revealed a unanimous desire for cybersecurity education among all respondents. According to BMCI, “Targeted education and training initiatives are essential to address these knowledge gaps comprehensively, safeguarding individuals and organizations against evolving cyber threats among both IT and non-IT personnel.”

As part of their ongoing efforts, BMCI trained 80 network engineers specializing in cybersecurity, providing them with International Certificate in Digital Literacy (ICDL) certification at the Royal Institute of Management. Additionally, over 90 non-technical professionals participated in three workshops focused on Cyber Hygiene. Media awareness campaigns are also being conducted in collaboration with the Cyber Security Division of the GovTech Agency.

This research, training, and awareness initiative has been supported by a grant from the Asia Pacific Network Information Centre (APNIC) Foundation through Information Society Innovation Fund (ISIF) Asia, aiming to strengthen cybersecurity practices across Bhutan.

Under the Digital Transformation Programme, led by the GovTech Agency, digital infrastructure will be strengthened while undertaking key initiatives to strengthen cybersecurity. To protect critical information infrastructure and improve cybersecurity culture and society, a comprehensive National Cybersecurity Strategy will be developed and the necessary legal and regulatory frameworks will be put in place. Cybersecurity capabilities will be built to support the implementation of cybersecurity standards and technologies.

Priority attention will be given to implementing robust cybersecurity protocols, fostering a culture of cyber resilience, and safeguarding digital assets. The advantages of cybersecurity include protecting sensitive information, preventing financial loss, maintaining trust, complying with regulations, safeguarding reputation, ensuring business continuity, and adapting to evolving threats.

Cybersecurity safeguards personal, financial, and confidential business information from unauthorized access and theft. Data breaches can lead to significant financial losses for individuals and organizations due to fraud, recovery costs, and fines. A strong cybersecurity framework helps build and maintain trust with customers and clients, as they feel secure when sharing their information.

Many industries are subject to regulations regarding data protection. Effective cybersecurity helps organizations comply with these laws, avoiding legal penalties. A cyber incident can damage an organization’s reputation. Effective cybersecurity measures help protect against incidents that could harm public perception.

Cybersecurity ensures that businesses can continue operating even in the face of attacks or breaches, minimizing downtime and disruptions. As technology evolves, so do cyber threats. A robust cybersecurity strategy helps organizations stay ahead of potential risks and respond effectively to new challenges.

Cybersecurity is essential in today’s digital world, where threats are becoming increasingly sophisticated and pervasive.

The Royal Audit Authority’s (RAA) Performance Audit Report on Preparedness for Cybersecurity 2023 reveals a surge in cybersecurity incidents reported by government agencies in recent years, with 611 cybersecurity incidents reported in the 12th Five Year Plan (FYP) period alone. These incidents, ranging from phishing attempts to data breaches, pose significant risks to the government’s digital infrastructure and the general public. Current regulations governing data privacy are not robust enough to protect Bhutan from cybercriminals.

Furthermore, the nation’s ability to combat cyber threats is hampered by the lack of a well-defined national cybersecurity strategy. The diverse range of 1,184 incidents and vulnerabilities handled by the Bhutan Computer Incident Response Team (BtCIRT) since 2016 underscores the urgent need for developing and implementing a robust National Cybersecurity Strategy.

Among these incidents, vulnerabilities detected in application systems accounted for 839 incidents, making it the highest category every year. This poses significant risks, especially with the launch and mainstreaming of Bhutan’s National Digital Identity (NDI).

Meanwhile, the GovTech Agency and BtCIRT conducted the first ever cybersecurity conference in the country on October 25 in Thimphu on the theme ‘Educate, Empower, Secure: Building a Cyber-Safe Bhutan’.

By Tashi Namgyal, Thimphu