CIO Academy Asia #HASHTECH Virtual Roundtable
May 12, 2020

Given that in the “new normal” almost everyone is now working from home, there’s an accelerated adoption of remote working, mobile-access and cloud-based apps and tools. This results in large numbers of remote users accessing corporate networks, downloading and uploading data via their home-based Wi-Fi networks and routers.

That, as well as a big jump in cyberattacks, has made CIOs (Chief Information Officers), CTOs (Chief Technology Officers) and CISOs (Chief Information Security Officers) sit up and take notice.

“The cyberthreats have become amplified and all organisations have to be more vigilant now than ever before,” an Executive Director for Cybersecurity Services for a global financial institution told attendees at a virtual roundtable hosted by CIO Academy Asia (CIOAA) with support from McAfee. “Threat actors are more active during any crisis. With a major pandemic that’s impacting all countries, the risks are a clear and present danger. Phishing attacks have become rampant, as well as insider threats from laid-off or disgruntled staff.”

It’s not just cybersecurity, but physical security that also needs attention. When new staff are hired, they need to get the right resources.

“For new staff, we courier IT devices, even for our overseas locations,” said a Chief Security Officer for a large power and utilities company. “We couriered laptops and hardware tokens separately for security reasons to a large country. But the hardware tokens didn’t arrive. You can draw your own conclusions from this.”

Some organisations had to coordinate remote-working arrangements for senior staff members working from multiple overseas locations. “We’ve always had a flexi work policy even before COVID-19,” said a Chief Technology Officer from a sovereign wealth fund. “Everyone could choose to bring their own devices to work, but the VPN and RSA tokens were ours. The road warriors had no problems working remotely because they were always used to it. The rest were required to work on their iPads, which was tough as they were used to working on thick client laptops.”

Other companies are trying novel ways to keep secure.

“We’re rolling out a big cybersecurity programme and creating more awareness about cyber-hygiene across the company while implementing dedicated Cloud-security tools,” said Glen Francis, Chief Technology Officer at media giant SPH. “We’re also setting up bug bounty schemes and simulating cyberattacks with red and blue teams. There’s a surge in phishing attacks and ransomware; we need to be cautious and prepared.”

Should companies rely on the native security provided by CSPs (cloud service providers), or integrate it with the security tools they have already invested in for their on-premise and end-point solutions? “While we ride on the CSP’s security credentials, especially from well-known trusted brands such as SAP, Microsoft and other major players, we ensure that our security gaps are addressed across the tech stack,” said Mr Onn Jin Gee, Head of Infocomm & Organisation Excellence at SMRT Corp.

Daryush Ashjari, Head of Presales Engineering at McAfee Asia-Pacific, said the paradox was similar to a master mechanic developing an F1 car. “You have two options. One is you acquire the best components of the car from different vendors and put it together. However, once something doesn’t work, who do you turn to for help? The other option is to buy an F1 car off-the-shelf but add in third-party components; this is a more workable option.”

How should companies deal with the surge in online apps and traffic? “There are a number of un-managed devices running on unsupervised home networks that present a huge risk to organisations,” Mr Ashjari said. “What happens when a staff member takes a lunch break and his kid clicks on a phishing email on his open laptop?”

Mr Ashjari suggested companies consider the following:

  • Take a holistic view of security, both for in-premise and cloud-based apps. This is tough because the various components (end-point devices, network gateways, cloud apps) don’t talk to each other natively. They need a layer – or a broker – to manage the connection seamlessly.
  • In relation to the transition to the cloud and cybersecurity needs, organisations must consider a platform approach: start with a CASB (Cloud Access Security Broker) solution and enhance the security posture, when needed, by adopting additional components to secure the workloads in IaaS and PaaS environments.
  • Get a consolidated security dashboard so that all your apps and critical workloads can be tracked in real time on a single pane of glass. This will greatly simplify your incident response for further action.

CIOAA’s CEO, Ramakrishna, who moderated the roundtable discussion, concluded by saying, “With the sudden spike in cyber-threat activity targeting new vulnerabilities associated with remote working as a result of the COVID-19 pandemic, tech leaders not only have to meet the immediate needs of a large proportion of their employees working from home, but to rethink and re-orchestrate existing security processes and policies to secure Cloud-based workloads at scale.”

The Southeast Asia Technology Trends & Priorities for 2020 Report, published by CIO Academy Asia in collaboration with the Lee Kuan Yew Centre for Innovative Cities at SUTD, is now available for download.
