The weak spots that break our cyber shield

by malinga
May 4, 2025

Hackers love untrained staff

People are the first and the strongest line of defence against cyber threats. The more informed they are, the more responsibly they can navigate the digital world. At a workplace, that line of defence is its employees. Yet today, many of them lack even basic cyber security awareness. In Sri Lanka, this is the most glaring weakness, said Welford Systems Limited Director Shafee Abdul Raheem, an experienced Solutions Architect in the United Kingdom (UK) with a strong track record in cyber security.

Welford Systems Limited Director Shafee Abdul Raheem

“Without proper training, it is easy for a public servant or a banker to fall for a phishing email promising an exciting offer. One careless click can bypass even the most sophisticated defences. Throughout the history of cyber attacks, the majority can be traced back to uninformed or careless human actions.

People must be educated about phishing, social engineering, and other common tactics, not just once, but through continuous, repeated training. In today’s world, cyber security awareness is not optional, it is a basic necessity,” he said.

Like national defence

In an interview with the Sunday Observer, he encouraged the Government to develop a framework to arrange the cyber security governance in the country and set up a dedicated government body to oversee its implementation.

“A lone thief in a black hoodie breaking into computers is what comes to the mind of many when talking about cyber threats, but that is only a small fraction of the real threat. In today’s context, it is like national defence. Just as a government is responsible for protecting its citizens and businesses from physical threats, it must also safeguard them from cyber attacks.

“Sri Lanka has several laws such as the Personal Data Protection Act and the Computer Crimes Act to deal with cyber security issues, but it lacks a Governance, Risk, and Compliance (GRC) framework to integrate these three aspects into a unified approach to protect the industries or government institutions from cyber threats.

“In the UK, the National Cyber Security Centre (NCSC) has established a framework that all organisations are expected to follow, implement, and become certified in. Without this, a business cannot engage with larger organisations or government bodies. For instance, to bid for any government-related project, a company must have at least the Cyber Essentials certification—a government-backed program that sets out basic standards for cyber security. The reasoning is simple: when a company works with the government, it handles sensitive government data. If that company’s systems are secure, it helps protect not only their own data but also reduces the risk of a breach affecting the government itself.

“In Sri Lanka, a number of agencies work in this area on a small scale, but they are not properly coordinated. What the government does is very limited. There is talk about spending millions to build infrastructure and bring in experts, but there are some basic things the government can do,” the tech professional said.

Pirated software

Raheem, who has been working in the field of cyber security for nearly 25 years, said Sri Lanka has become a hotspot for cyber crime. “Most of the Sri Lankan companies I have worked with have experienced some form of cyber attack,” he said. “Some were not even aware they had been breached, while others stayed silent due to reputational concerns. In some cases, companies have paid ransom to regain access to their data, while others were forced to wipe everything and restore from previous backups.”

Shafee said that Sri Lankan companies are more vulnerable to cyber threats due to the widespread use of outdated and pirated software. “It is common for people to buy pirated CDs with cracked keys from places like Liberty Plaza or Unity Plaza. These often come bundled with ransomware or viruses. Even if a company has strong defences elsewhere, using cracked software provides attackers with a direct way in.

“I have seen leading companies in Sri Lanka still relying on unlicensed, outdated versions of software. When software reaches its end-of-life, it no longer receives updates or security patches. If a vulnerability is exploited, even if detected, there is often nothing that can be done, especially when the software is pirated. This also leads to the rise of ‘shadow IT’ within organisations, where unapproved or unmanaged systems create further risk,” he added.

Be proactive

“Many companies treat cyber security as a reactive issue, addressing it only after something goes wrong,” Shafee said. “Instead, it needs to be embedded into their core operations and service offerings from the outset.”

He said that Identity and Access Management (IAM) is underdeveloped in many Sri Lankan organisations, with identity governance being almost nonexistent. “This is a major gap, especially in sectors like banking, where Governance, Risk, and Compliance (GRC) frameworks need to be much stronger,” he added.

“Whether you operate in a hybrid environment or are fully cloud-native, you still need to protect your systems and data,” Shafee said. “Many people mistakenly believe that once data is stored in the cloud, it is automatically secure. That is simply not true.”

He said that the cloud shared responsibility model defines the division of security responsibilities between the cloud service provider and the cloud service consumer. “When applying for Cyber Essentials certification in the UK, one key question they ask is whether you have read the shared responsibility model of your cloud provider,” he added.

Shafee recommended the CIS Controls framework—developed by the Center for Internet Security—as a solid starting point for cloud-native or hybrid organisations. “It provides a prioritised set of cyber security best practices to help organisations strengthen their defences against common threats,” he said.

Considering the relatively limited cyber security workforce in Sri Lanka, Shafee highlighted the need for universities to make their graduates industry-ready by the time they graduate. “Universities should actively research emerging cyber security threats and ensure that their undergraduate and postgraduate course modules are regularly updated,” he added.
