Cybercrime: The importance of being alert

The recently published Safe Cities Index 2015 by The Economist magazine placed Singapore as the second-safest major city in the world, after Tokyo. The index does not measure simply crime, but also a wide-ranging set of factors, including digital security.

This provides some level of assurance for doing business in our highly networked city-state, which in 2013 faced an unprecedented threat where both the Government and businesses were targets of cyberattacks and data breaches.

The Government responded quickly to protect its digital assets and contain the attacks. The new Cyber Security Agency, to be set up on April 1 to provide dedicated and centralised oversight of national cybersecurity functions, is certainly a significant development in the right direction.

But the reality is that cyberattacks are here to stay, given the various forms of financial and sociopolitical motivations. Public- and private-sector organisations alike need to do a better job of anticipating attacks, as it is no longer possible to prevent all cyberbreaches.

However, it is unfortunate that over the past decade, many organisations have taken a very reactive stance towards cybersecurity. As a result, there has been a widening chasm between what organisations are doing versus what they should be doing.

While cyberattackers have become more sophisticated, the security management capabilities of organisations have not kept up. The increasingly wide adoption of technologies such as mobility, cloud computing and social media is further compounding the challenge.

In situations where technologies and processes have been put in place, there is at times a lack of consideration of how security should be managed.

BRIDGING THE CYBERGAP

The challenges of managing cybersecurity are common worldwide, showed EY’s 2014 Global Information Security survey, which polled 1,825 organisations in 60 countries. The survey found that most organisations (67 per cent) are facing rising threats in their information security risk environment, but over a third (37 per cent) have no real-time insight on cyberrisks necessary to combat these threats.

Companies globally are also found lacking the agility, budget and skills to mitigate known vulnerabilities and successfully address cybersecurity. For instance, 43 per cent polled said their organisation’s total information security budget will not change despite recognising the riskier environment.

The survey also revealed that careless or unaware employees are seen as the No 1 vulnerability that companies face. Beyond internal threats, organisations also need to think more broadly about their business ecosystems and how relationships with third parties and vendors can affect their security posture.

It is time that organisations re-evaluate their security strategies. In today’s landscape, preventive techniques is only part of the solution. With increasing sophistication of adversaries and pace of innovation in cybertactics, online attacks are more likely to succeed than not.

To that end, prevention, while remaining highly important, will be one of the toughest challenges. This also means that increased vigilance and effectiveness in detecting and responding to security breaches are critical.

It is important to consider shifting some of the investments into building a more holistic cyberthreat management framework that comprises a balanced portfolio of threat intelligence, monitoring and detection of low-threshold persistent threats, proactive vulnerability identification, as well as remediation and incident response plans.

This allows the organisation to ensure that a minimum security baseline can be sustained and critical services are monitored to detect the occurrence of undesired disruptions or security breaches.

To achieve a state of cyberreadiness, an organisation must be constantly alert to new threats. Cybersecurity must be embedded in the DNA of the organisation, with its leadership addressing cyberrisks as a core business issue.

Cybersecurity cannot be the sole responsibility of the information technology department, which is primarily a facilitator in providing the expertise and guidance.

Every individual team and employee must recognise that they can be a prime target for adversaries that seek to find a path of lesser resistance into the organisation.

On the other hand, organisations also need to have a comprehensive yet targeted awareness of the wider threat landscape and how it relates to the organisation, and invest in cyberthreat intelligence. At the same time, when resources are finite, there should be a common understanding of the organisation’s “crown jewels”, and how the protection of these most important assets can be prioritised.

In terms of incident response, capabilities should be regularly tested to ensure that these are truly agile and effective.

Another element that is of growing importance is learning and evolving the cybersecurity strategy. Using cybersecurity forensics, organisations can closely study data from incidents and attacks, maintain and explore new collaborative relationships and refresh their strategy regularly.

Getting ahead of cybercrime is all about knowing what is happening, how it is happening, identifying who is the threat, and determining if and when an attack can happen to you. It is about intelligence gathering, and then having the analytical ability to use that intelligence to make critical and strategic business decisions.

Only when organisations are confident of the above can they shed the victim mindset of operating in a perpetual state of anxiety. The days of impenetrable cyberfortresses are long gone.

ABOUT THE AUTHOR:

Gerry Chng is advisory partner and ASEAN leader for information security at EY in Singapore. The views reflected in this article are his own.