Enhanced Information Security

A dedicated division was set up to strengthen information security management.

In view of the growing importance of information security and increasingly rampant cyber attacks, WT set up a dedicated Information Security Department and installed a Chief Information Security Officer at the level of deputy general manager in 2022. The Department, composed of one dedicated director and two dedicated personnel, is responsible for information security incident investigations, system vulnerability disclosure, and the evaluation and introduction of new information security architecture, among other duties. The main tasks that have been completed are as follows:

1. The ISO/IEC 27001:2013 and CNS 27001:2014 verifications were obtained in 2022 (valid until October 31, 2025), and the threats and impacts posed by information security incidents were reduced through standardized and systematic control and management;

2. A dedicated information security mailbox was set up to receive external information security notifications from customers, suppliers, integrated cyber threat intelligence providers, information equipment suppliers, service providers, etc.

3. A dedicated person was appointed to collect, analyze and keep a record of important information security news, vulnerability releases, zero-day attacks, and vulnerability exploitation trends, and to rate incidents for severity. Incident severity levels have been internally defined. The contact person in the information division keeps a record of incidents and, in the case of a major information security incident, immediately notifies the Chief Information Security Officer. The Information Security Department must verify, eliminate and resolve the information security incident within the target processing time. After the handling is completed, the Incident Response team (IR team) must conduct root cause analysis and track and record the implementation effectiveness of corrective measures, so as to continuously improve the intervention methods and prevent recurrence of similar incidents. In addition, information security incidents have been divided into four severity levels, and response mechanisms and standard operating procedures have been formulated for each level to speed up the recovery of information system services.

[Infographic of key figures: spam emails intercepted; threatening emails detected; threats intercepted at endpoint; system and software vulnerabilities repaired; social engineering exercise messages; phishing hit rate (%) in the latest drill; international information security certificates and hours of professional training; security awareness training sessions for all employees; intensive training sessions for core system related personnel and supervisors]

ISO 27001 certification was obtained and employees’ awareness of information security strengthened

The pandemic hit the world and changed the way we live and work. Working from home and mobile office have become normal. Corporate information security is exposed to breaches when employees are not working in the secure environment of the Intranet. Strengthening employees’ awareness of information security has thus become crucial to information safety. Social engineering exercises were introduced in 2021 to integrate security awareness into daily work for early threat detection and intervention. In 2022, social engineering exercises and training continued on a monthly basis with randomly selected scenarios. Those insufficiently aware of information security were trained again and reported to their direct superiors, and their training results were tracked regularly. In 2022, 118,297 social engineering exercise letters were sent, and the proportion of employees who were phished in the exercises dropped from 1.1% in 2021 to 0.7% in 2022. In October 2022, a refresher training on information security awareness was organized for all the Group’s employees. Of the 2,552 employees required to complete the training, 19 dropped out before it ended because they applied for leave without pay, began maternity leave, or departed the Group. A total of 2,533 completed the course and passed the test (100% pass rate). Note that the employees of Excelpoint Technology were not on the training list, as the merger happened in September 2022 and the integration was not yet completed. One session of intensive training for core system related personnel and supervisors was also completed.

Attack and intrusion methods are constantly changing. In addition to constantly probing for system vulnerabilities, attackers use zero-day attacks to compromise systems before the vulnerabilities are patched. At the same time, they steal employees’ account usernames and passwords through social engineering and use them to access the Intranet. These non-conventional approaches can no longer be blocked by traditional signature-based protection. In response, WT introduced network detection and response (NDR) and endpoint detection and response (EDR) enabled by artificial intelligence. The NDR, as the first line of defense, blocks anomalous network activities that deviate from the baseline, while the EDR contains a threat that was not detected and blocked before it made its way to an endpoint.

As information security threats are ongoing, we use hosted services such as a security operation center (SOC) and managed detection and response (MDR) provided by third-party vendors to monitor information security threats in real time 24/7/365, and rely on ISO 27005 information security risk management on the basis of ISO 27001 to identify suspicious threats. We also adopt security design principles and a defense-in-depth approach to further strengthen security in such aspects as management, data, endpoint protection, application, network, third-party supply, etc.

ISO Information Security Risk Management Team

Information Security Management and Protection

Software, hardware and network protection and monitoring

WT has a dedicated information security mailbox to receive external information security notifications from customers, suppliers, Taiwan Computer Emergency Response Team (TWCERT), information equipment suppliers, service providers, etc. A dedicated person is also appointed to collect, analyze and keep a record of important information security news, vulnerability releases, zero-day attacks, etc., and to rate incidents for severity. Incident severity levels have been internally defined. The contact person in the information division keeps a record of incidents and, in the case of a major information security incident, immediately notifies the Chief Information Security Officer. The Information Security Department must eliminate and resolve the information security incident within the target processing time. After the handling is completed, the Department must conduct root cause analysis, track and record the implementation of corrective measures, verify their effectiveness, and use Plan-Do-Check-Act (PDCA) for continuous improvement and recurrence prevention.

10 tips to improve personal cybersecurity

In addition to raising security awareness, WT also provides specific methods for employees and suppliers to improve personal cybersecurity, such as:

1. Implement anti-virus endpoint protection software for personal computers and servers, update and scan regularly, and enable behavior analysis modules for endpoint security.

2. Use an external network firewall device with application identification, intrusion prevention, advanced threat protection, visualization, and information security data monitoring capabilities to enhance the defense.

3. Use micro-segmentation and whitelisting of accessible services on the Intranet firewall to block improper access and reduce risk exposure.

4. Distinguish employees and visitors with identity recognition modules, and separate their access paths.

5. Add an advanced threat protection module to the basic spam identification to improve the ability to inspect email contents, so as to effectively block spam or phishing emails and reduce the risk of sensitive data being stolen.

6. Introduce AI-enabled machine learning endpoint/network detection and response protection (EDR/NDR), which establishes a baseline of normal user behavior through self-learning, and then detects and blocks anomalies.

7. Use outsourced SOC and MDR services for 24/7 information security threat monitoring and analysis.

8. Use a vulnerability scanning system to keep abreast of system vulnerabilities, and continue to track and remediate them.

9. Introduce multi-factor authentication to reduce the risk of account usernames and passwords being stolen.

10. Keep on running social engineering exercises and training to enhance employees’ information security awareness.

System backup and information security incident management

Backup and recovery plan in case of malicious intrusion

WT has comprehensive network and computer-related information security protection measures in place. Nevertheless, no matter how perfect the protection measures are, they cannot 100% guarantee that the Company’s core system is safe from black swan or gray rhino incidents. Our top priority is therefore to increase the Company’s resilience and ensure the system can be quickly brought back into operation. In addition to further investing in information security software and hardware, we continue to strengthen our continuous operation capabilities, so that the Company’s operations can be resumed in the shortest time in the event of an information security incident.

Information security capabilities were further improved to equip the Company with first-class operating capabilities

WT’s operation is based on continuous delivery capability. WT is committed to providing products and services that meet confidentiality, integrity and usability requirements. In order to be a first-class enterprise in the sector, we apply and introduce international information security frameworks, and continuously strengthen the security control measures to ensure a high level of information security protection capabilities. We therefore constantly evaluate the information security protection mechanism from point, line and plane, and develop different technical combinations to shorten the system recovery time. In addition, information security management system verification, red team exercises, etc. were introduced to review and upgrade the system with the assistance of independent organizations. In 2022, a number of external power outages happened unexpectedly. As a precaution against unexpected power outages, WT conducted a power supply abnormality exercise to ensure that emergency generators can be activated immediately and normal operation of the facilities and systems can be maintained. After the exercise, it was confirmed that the emergency response procedures were appropriate and all the facilities and systems were in normal operation.

As a result of strengthened information security and employees’ security awareness, there were no sensitive information leakage or major information service interruption incidents, nor financial losses caused to customers or suppliers, in 2022.

Information security concerns of stakeholders were addressed

Through annual routine information security self-assessment questionnaires returned from our customers and suppliers, information security management evaluations conducted by the competent authorities, and inquiries raised on specific information security topics, the questions and concerns we heard from the customers in 2022 were mainly about the handling of major vulnerabilities, security controls and measures, ISO 27001 certification, information security management for sustainable operation, etc. The Information Security Department has answered all the questions to meet stakeholders’ expectations and requirements.
