Brought to you by Singapore Exhibition Services
Never since the screening of War Games, the 1980s movie in which a teenage hacker almost accidentally set off a global thermonuclear war, has cyber security captured the attention of the public like it has today.
Though far less drastic than a nuclear apocalypse, the damage that is done today by cyber criminals can be a lot more real and personal.
From stealing credit card details to locking out an entire hospital from its systems until it paid up, hackers have caused extensive damage to corporations and users in the recent years. They have the potential to do much more.
As more information is collected, stored and analysed with the Internet of Things in the coming years, the worry is that there aren’t enough safeguards to protect this data from being stolen.
Companies that traditionally don’t invest heavily in IT infrastructure now find themselves having to shore up defences in an “arms race” with cyber criminals to keep them out. This is a tough fight for even experienced IT departments, never mind companies that don’t possess one.
More worryingly, they not only lose much goodwill and trust when they lose customer data, they face penalties from regulators if they are deemed to have failed to have enough safeguards.
In April this year, Singapore’s privacy watchdog said it had fined four organisations and warned seven others for failing to protect customers’ personal data.
In particular, karaoke operator K Box was fined S$50,000 for leaking the name, contact number and residential address of 317,000 customers in September 2014. Its database was accessed by an unauthorised user because of lax security measures, the Personal Data Protection Commission found.
The karaoke operator’s IT vendor, Finantech Holding, was also fined S$10,000 for not updating the systems to have the latest and most secure software to safeguard against attacks. The administrator password, it was found, was “admin”.
The onus is thus on businesses big and small to invest in cyber security to beef up their defences against the latest attacks that they could face online. As more information passes through their systems, this is one area that is not up for debate.
What’s less clear for many companies is how to go about it. Small and medium businesses often still view cyber security as an expensive, sophisticated undertaking for much larger companies. However, any company could be the target of a cyber attack, whether this is to steal information or cause havoc with critical infrastructure.
“Organisations are talking about cyber security more, which is a good thing, but the lack of trained personnel and the proper tools for incident response, is hampering their effectiveness,” said Ronald Lee, senior regional director for Savvius.
According to a study the cyber security firm sponsored recently, 80 per cent of organisations that receive 500 or more severe or critical alerts per day currently investigate less than one per cent of those alerts.
This is due mostly to a lack of trained manpower and adequate tools to help automate incident response, according to the study. It also found that 68 per cent of organisations suffer from staffing issues that impact their security teams.
In other words, all the data collected each day isn’t analysed, said Lee. It is impossible for organisations to hire enough people to use that stored data to create relevant context for security threats, he added.
One way is to outsource cyber security to the best experts in the field. A number of vendors now offer this as part of a full set of IT services that they provide to companies.
Such vendors usually have a round-the-clock security operations centre (SOC) that monitor real-time threats around the world and have increased readiness to deal with threats that break out. They also have better visibility by monitoring the state of the Internet or online chatter to sense an imminent attack.
Ultimately, though, it is hard to thwart an attack today, because of the many vulnerabilities to software and systems that are not yet discovered or which may be kept in secret by some cyber criminals as a future exploit to gain access.
One path suggested by consultancy firm Accenture is to have security by design. In other words, security is not an add-on or auxiliary part of a business, but a core part of how things are done in an organisation.
This means security is central to all business processes. Some may require more stringent clearance while others less, but each has to be aligned to the sensitivity of the data accessed. Each process will have to be part of a larger effort to protect the organisation from online attacks.
Whether this is having two-factor authentication to get into a system or simply having more alert and aware staff when it comes to cyber threats like phishing e-mails, the key is to stay one step ahead of potential threats.
A cyber security transformation, however, is not the end of the story. Beefing up one’s defences after a strategic review is great, but the endeavour extends beyond one-off efforts.
The threats are ever-changing so the vigilance has to be constant. As any company that has faced a cyber threat before will attest, things are definitely not business as usual.
For a start, organisations have to be able to visualise where their digital assets are and map out how to protect the data they hold. Failing to do so could well jeopardise their entire business altogether.
“Burying our heads in the sand and hoping for a world without security breaches is a terribly naïve and risky approach to enterprise security,” said Lee.
However, with the proper tools and an automatic workflow in place to intelligently store and investigate alerts and “suspicious” network packets, enterprises can be more prepared to take on and resolve an attack, he added.
Find out about the latest in cyber security and more at this year’s Enterprise IT show from May 31 to June 3 at Marina Bay Sands in Singapore.