During the ConnectGov Leader Summit held in Bhutan earlier this year, a panel of CIOs and technology partners came together to discuss pertinent issues in security as CIOs look to ride the wave of disruption in their own industries.
Businesses are being urged to share information on cyber attacks so that others can identify similar methods of digital incursions.
“Industry will collectively benefit from this exchange”, said Mr. Sean Duca of Palo Alto Networks.
“Cyber criminals are already sharing information like attack methods and vulnerabilities among themselves. They are benefitting from this exchange. So why don’t businesses do the same to fight them?” Mr. Duca continued, he was a panelist on cyber security held at the recent ConnectGov summit in Bhutan.
Chief executive officer of CyberSecurity Malaysia Dr. Amirudin bin Abdul Wahab stressed that no one can work alone in cyber security.
“You need to share information, threat intelligence, and situational awareness so that everyone gets a bigger picture of what’s happening. Then you can start protecting yourself,” said Dr. Amirudin who was also on the cyber security panel.
Other panelists were Mr. Kunal Sehgal, head of Information Security for Schroders, Asia Pacific; Mr Murari Kalyanaramani, head of information security at a global bank; Mr Leonard Kleinman, RSA’s chief cyber security advisor Asia-Pacific and Japan; and Ms Cynthia Lee, regional director, Asean for CyberArk and Mr Derek Gooh, chief information security officer of Singapore’s Ministry of National Development. The panel was moderated by Dr. Madan Oberoi, director for cyber innovation and outreach, Interpol Global Complex for Innovation, which is headquartered in Singapore. The topic of discussion was Re-thinking Cyber Security.
Security – Fighting the Invisible Beast.
According to Juniper research, the rapid digitisation of consumers’ lives and enterprise records will increase the cost of data breaches to US$2.1 trillion globally by 2019, up by almost four times the estimated cost of breaches in 2015.
“What cyber criminals are looking to steal are personal details of consumers.”, said Mr. Sehgal. For example, the Dark Web offers credit card information for US$5 each while personal details are worth US$1 each.
Given this scenario, the panelists suggested different ways companies could safeguard themselves. Mr. Kalyanaramani identified broadening threat intelligence as a way to identify potential attacks.
“We need some common sense. Not everything is a technical threat. You also need a high level of situational awareness of what’s happening outside the organization that can impact your company’s information security well-being,” he suggested, and continued to encourage the group, “Work with different departments like the corporate affairs team to highlight events of interest.”
“Is there a large population of consumers complaining against the company, will it have the potential to escalate the threat level against the organisation? Are there moral issues with external that could the attention of hackers?”
“In mergers and acquisitions activities, is the organization investing in a company whose projects are objectionable to others? For example, if the company being acquired is potentially destroying the environment, then an environmental group may decide to hack you,” he said.
RSA’s Mr. Kleinman reiterated that getting visibility on potential threats allow security defenders to make informed decisions on protection. “Another factor organisations should focus on is the security hygiene factor,” said Mr. Gooh of Singapore’s Ministry of National Development. “About 70 percent of his team’s time is spent on doing boring but critical stuff like ensuring anti-virus software is up-to-date and patching of security holes in software. Time is also spent educating users not to download software and information from unauthorized sites and to ensure that the USB ports on employees’ computers are locked down”, he added. He believes that attacks are inevitable so response capability is crucial.
“When the attack happens, how do you respond to limit impact? Organisations need to conduct table-top exercises so that when attacks happen, everyone knows how to react,” he added.
“Looking forward, it is important for organisations to do something different in cyber security”, said Mr. Duca.
“In this instance, Singapore has taken a rare and unusual step to unhook 100,000 public servants from the Internet from May next year”, said Mr. Gooh. Their work computers will not be connected to the Internet but they will be given terminals to access the Internet. They can also access the Internet from their own private devices.
In an earlier TV report on Channel News Asia, Singapore Prime Minister Lee Hsien Loong had revealed that the Republic has seen very sophisticated attacks on the Government’s Internet system. The threats have become even more severe, he added. Which is why the Government is making the move after having put it off for as long as possible.
The blocking of Internet access or providing an “air gap” between government networks and the Internet is not new. Singapore Ministry of Defence implemented this process many years ago. “Companies should also identify what are their digital crown jewels”, said CyberArk’s Ms. Lee.
“Data is the new crown jewel. But companies are still protecting personal identities when there has been a shift to data which is increasingly being used by businesses for competitive advantage,” she said.
However, cyber security ultimately boils down to people who are the weakest link in the cyber security defence.
Mr. Gooh highlighted: “Governments can do what they can for the public sector. There also needs to be a cyber crime action plan to educate all citizens so that people can use the Internet safely.” “Singapore will be beefing up the scam alerts as well as strengthen the regulations. Cyber crime is transnational and it is important to ensure laws remain relevant.”
Closing the discussion, Interpol’s Dr. Oberoi singled out information sharing s as a powerful way to combat cyber crimes.
Sharing can begin with vertical industries and then spread to across all industries, he said.
“It is not the breach that companies need to know. How did the intruders invade the networks, what did they do, which servers and data centers did they attack? Such information is useful because it paints a picture of the attacker. Other companies can use this picture to identify potential culprits.”
By CIO Academy Asia
Responses