View internet security as a business challenge: RSA
Back in 2014, Sony suffered a major cybersecurity breach involving the loss of data, which included previously unreleased films, private customer information and sensitive employee documents leaked to the internet. This breach dominated global news headlines, and while various sources revealed it was nowhere close to the magnitude of other online attacks that year, it shook the confidence of consumers worldwide and showed how vulnerable organisations were to cyber threats.
Targeted cyberattacks are not a new thing. Malicious software (or malware), phishing scams, and denial-of-service (DoS) attacks (where a machine or network is temporarily or indefinitely disrupted) have been ongoing since the rise of the internet over two decades ago. But such threats grow exponentially as individuals and enterprises become increasingly connected.
According to research firm IDC, the number of devices connected to the internet will reach 30 billion in 2020, a boost from an estimated 13 billion now. The number of new cloud-based solutions will also be expected to triple over the next four to five years. The enhanced connectivity, coupled with increased sophistication of hacking tools, leaves much room for security breaches.
A recent PwC global survey – which polled more than 10,000 C-suite executives and information security professionals worldwide – revealed 38 percent more security incidents detected in 2015 compared to the year before. Incidents of intellectual property theft also increased 56 percent the same year.
Asia’s technology boom
At the same time, IT spend is only slated to grow over the next decade, and much of this investment will be seen in Asia. Enterprise IT expenditure in Southeast Asia is expected to reach US$62 billion by 2018, with Singapore, Malaysia, Indonesia and Thailand accounting for 80 per cent of the spend.
“There is a significant adoption of technology in Asian markets,” says Zulfikar Ramzan, chief technology officer of RSA, a Dell Technologies Business, which has a presence in more than 100 countries. “Asia was quicker to adopt mobile Internet and smartphones when consumers in the US were still using flip phones and basic text messaging.”
“It’s an accelerating market. And when you look at any form of technological evolution, there's also a co-evolution of security and risk,” he adds.
This quicker uptake in technology makes it even more critical for MNCs in Asia to look at cybersecurity measures, at a time when the region experiences widespread connectivity that is only heading north.
The business language of risk
Many major breaches across the world simply start with a seemingly innocuous phishing message that leads to greater, widespread damage, says Ramzan.
“We’re not just dealing with random people hacking into websites and networks for fun. Hackers today are professionals. It’s what they do for a living. They spend a lot of effort on achieving, and they understand their objectives.”
Besides creating a climate of insecurity, cyberattacks have significant implications on businesses. There are threats to business continuity, especially in cases when operations and revenues generated are directly related to an organisation’s connectivity. Many organisations rely on round-the-clock monitoring systems, data centres, server networks and e-commerce platforms that require specific security infrastructure. A breach or cyberattack can have serious consequences.
There are also threats involving the loss of critical intellectual property and sensitive data, all of which can affect brand reputation and image.
“Companies with sensitive information about their customers, suppliers and partners in their databases will worry about what happens if that information is stolen,” says Ramzan.
Data loss can also have legal implications with severe monetary penalties if the data is misplaced. “Health information is considered very confidential. If a hospital loses health data, someone is going to be fined very heavily.”
As breaches can impact enterprises in so many different ways, cybersecurity should not be viewed as a technological issue, but a business one.
“Security is a mix of technology, business and risk. Companies have to consider all of that beyond just the technical elements. So when you think about what to do from a cybersecurity perspective, you have to think of everything in the language of risk and business impact,” explains Ramzan.
Invest in detection and response
According to Ramzan, the key is to look at these cyber threats more holistically, and not focus on the technical aspects alone.
“Every company or security professional has to express key objectives in terms of business goals and not technology goals. In other words, you are not trying to mitigate the risk of a DoS attack; what you’re trying to mitigate is the risk of losing business continuity. You’re not trying to mitigate against an information-stealing piece of malware; you’re trying to mitigate against the possibility of intellectual property being stolen,” he says.
Only by pinpointing an enterprise’s business objectives can security professionals then work backwards to identify the type of technical infrastructure needed to meet those objectives.
While it can be daunting to have a hacker poking around in a computer or network, Ramzan recommends investing less in preventive or perimeter-based solutions, and more in detection and response.
“Think of this as an analogy to a bank. The objective of a robber is not to simply enter; it is to get the money inside and leave. Security measures inside the bank would be more effective than a secure front door. In the same way, a cyber attacker does not hack into a computer or network just to compromise it; the objective is to get useful or important data. In many instances where a hacker might get through, companies that successfully prevent hackers from meeting their objectives would have achieved their business goals,” he says.
Four ways to mitigate cyber risks
The 2016 RSA Cybersecurity Poverty Index – which helped respondents in APJ self-assess the maturity of their security programmes – revealed gaps that leave organisations vulnerable to the risk of cyber incidents. Using the NIST Cybersecurity Framework as the measuring stick, the index revealed 70 per cent of APJ-based respondents experienced cyber incidents that negatively impacted business operations in the past year. It also showed enterprises often delay investing in cybersecurity until they have been hit by a major incident.
“Some companies and industries have higher or lower thresholds for what they care about. Financial institutions will care about cybersecurity because there is a lot of money on the line. So many of them understand the value of in-house training and specialist roles, and it justifies hiring security staff. Other companies may not have the same objectives or staff numbers, and prefer to outsource it to a partner,” says Ramzan.
Organisations should thus look at mitigating the risk of cyber attacks by focusing on four key areas: monitoring capabilities; strong identity solutions; cataloguing assets; and data back-ups.
He says attacks involving the risk of reputation loss are more prevalent in Asia, often through ransom ware threats where money is demanded after a malicious software has blocked access. However, ransom ware is often a symptom of a compromised system, where leverage is gained after compromising a system.
“Organisations should have strong monitoring capabilities at the network and endpoint levels, so that it’s easier to proactively identify threats and compromised systems. Can we see how these services are being used? Can we make sure they aren’t used incorrectly or in an unexpected way?”
Human beings are often the weakest link in cybersecurity, making user identity a linchpin in safeguarding against potential breaches.
Strong identity solutions with multi-factor authentication can prevent hackers from accessing critical resources and encrypting the underlying data. This is similar to the preventive measures taken by Google products and online banking services, where users have to provide added information such as a mobile number or passcode sent to a second source to confirm the authenticity of the log-in. SingPass, an online account management system for access to Singapore Government e-services, has also implemented a two-factor authentication (commonly known as 2FA) for all users to ensure accounts remain secure.
Such multi-factor authentication can be applied to data hosted on cloud services and on-premise applications that organisations rely on, so as to limit the access attackers will have.
“We also have to look at the visibility and access into cloud platforms and other systems. An employee should not have two different methods of access; there should be only one system that can identify the user and granted access level,” asks Ramzan.
Organisations should catalogue their assets so that they can identify those that contain critical data. The impact of ransom ware incidents varies depending on the kind of asset compromised.
“Without knowledge of this information, it is difficult for security teams to determine the business impact of an incident,” he says.
Finally, backing up data is always a good idea. “While doing so may not always work because back-ups can get corrupted or may otherwise fail to be restored, this measure can prove useful to organisations.”
Threats to internet security can no longer be ignored. By identifying business objectives and investing strategically in technical infrastructure, organisations in Asia can then pursue opportunities and continuity safely in an increasingly connected business environment.
Edited by Kritika Srinivasan and Goh Wei Ting