Security is Job No.1
Understanding the threat landscape
The cyberthreat is growing, and even the biggest names aren’t immune. Last year, Cathay Pacific admitted that data from more than nine million passengers was compromised.
The hack damaged customer confidence at a challenging time as the carrier was under pressure from Middle East, mainland China and budget airlines. It also rattled investors, with the stock price plunging to its lowest level since 2009. Although the share price did bounce back, the aftershocks have continued to reverberate, with calls from politicians and privacy advocates to make the reporting of such data breaches mandatory.
The private sector isn’t the only target. Hackers increasingly see compromising government systems as potentially profitable.
Hong Kong Department of Health also fell victim to a cyberattack last year, when three computers were hit by ransomware, which locked staff out of files and demanded payment to decrypt the information. Fortunately for the department, the systems didn’t contain any confidential personal information, and no data was leaked.
Interestingly, the attack came just days after SingHealth, Singapore’s largest group of healthcare institutions, suffered its biggest ever data breach. The strike, which the authorities described as “deliberate, targeted and well-planned,” netted the health records of 1.5 million patients, including the country’s prime minister.
These incidents all have one thing in common – they caused embarrassment and clean-up costs that could have been mitigated. Had security been addressed when the systems were designed, implemented and maintained, the damage could have been reduced.
“Banks and big businesses with experienced security teams are well aware of the risks. However, the majority of Hong Kong’s SMB community, typically with IT teams numbering five people or fewer, don’t comprehend how dangerous the threat landscape has become,” said Ray Tsang, Senior Business Development Manager, JOS.
Best-of-breed is no longer enough
The traditional approach of deploying multiple best-of-breed security products to protect different layers across the entire IT infrastructure is no longer enough to protect enterprises.
The world needs fewer security products and more holistic, built-in security. This is particularly true as new digital businesses operate across multiple channels and are exposed to more unknown cyberthreats.
“To make innovation real and secure, a cybersecurity strategy must be built-in across the entire IT landscape – from the application and infrastructure to data security architecture and user security awareness,” said Tsang.
Enterprises are increasingly taking a holistic approach to security by engaging managed security service (MSS) providers, which bring threat intelligence, incident response and forensic experts to better detect, prevent and respond to attacks.
Spending on these services is also growing fast. According to MarketsandMarkets, the global MSS market was just over US$24 billion in 2018 and is expected to almost double to US$47 billion in five years, by 2023. The growth is driven by a combination of stricter regulation and the increasing incidence of cyberattacks.
Forrester’s report, Security Budgets 2019: The Year Of Services Arrives, also indicated that spending on security services has overtaken spending on security products. The report suggested security services have become important at every level of security budget, not just among companies with the largest budgets.
Enterprises with a midrange security budget, i.e. 11%-20% of the IT budget spent on information security, were the biggest spenders on security services.
“Given that respondents in these organisations were the most likely to report multiple breaches, they appear to see services as a way to improve their security posture and respond to ongoing threats,” stated the report.
Even if there is no attack, a lack of robust built-in security and consistent security measures can still be extremely damaging.
“The company could be blameless. But, if customers think their information has been leaked, the organisation may have to conduct an expensive investigation to prove its bona fides. All of which takes time, costs money, and might never win back lost customer trust. It’s much better to build security into applications from the start,” he explained.
Comprehensive app security
At each phase of the web application development lifecycle – from initiation to development, implementation and pre-launch, and patching – there are different security considerations and risk assessment measures.
Even after the application is built, it should be scanned for vulnerabilities before launch. Tsang recommends a round of penetration testing to make sure the completed application really is secure.
Building a secure application is one thing, but keeping it secure is another. That calls for risk assessments before every change, modification, or upgrade. There are scanning tools and solutions to identify vulnerabilities and test applications as frequently as needed.
Of course, not all security threats are digital. A system may be ultra-secure from a cyber perspective, but unprotected from physical intrusion. For example, if sensitive information that users print out is not kept under lock and key or disposed of properly, that information could still be compromised.
“These things are often easy to miss. An experienced consultant can be a valuable addition, helping it to keep on top of everything,” said Tsang.
Holistic security strategy
Application security is just the beginning. It is also important to take a broad and holistic perspective across the entire organisation when considering making innovation real and secure.
One way to start building that holistic view is by adopting industry best practices, such as Gartner’s five-level Malware Protection Maturity Level.
- Level 1: Ad hoc—Undefined security measures with inconsistent use of technology. It lacks centrally enforced network and endpoint control.
- Level 2: Basic—Reactive to attack with basic secure email and web gateway. Disconnected process for managing antivirus, email security and URL filtering.
- Level 3: Managed—Up-to-date architecture diagrams and rigorous process description for malware detection and protection. Standardised endpoint protection platform.
- Level 4: Controlled—Use of threat intelligence to support predictable malware protection with continuous testing and update. Fully operational 24/7 security monitoring to tackle targeted attacks.
- Level 5: Avoiding—Enable moving target defense using advanced detection and threat hunting, with security awareness embedded in all user workflows.
“Enterprises face different levels of threat. The level of protection needed should match with the threat level that the organisation faces,” said Tsang. “Banks or gaming companies are huge targets, which calls for high standards of control under Gartner’s level 5. Firms that are less attractive targets can afford lower levels of protection.”
Most companies in Asia – including 90% of SMBs – are currently on Gartner Level 2, which may be too low. Tsang said the ideal compromise is Level 3.5, which merges Gartner’s Level 3 and Level 4.
“Most companies don’t have the IT budgets to support extensive security infrastructures. Following a proven blueprint, like the Gartner model, can help guide their decision-making and ensure an appropriate defensive posture,” he said.
One reason security is such a thorny issue for innovation is that it cuts across different system maturity levels—from legacy systems to the latest digital apps—and different layers within an organisation—from the infrastructure and application layer to business processes and user behaviour.
However, making innovation real and secure is not impossible. Tsang advises companies to follow three steps.
- Identify the company’s critical assets
- Review the cyber threat scenarios
- Follow best practices to define security control
Another important step is to find the right expert partners to help along the way.
“Whether technology is considered an everyday tool, or critical to the business’ innovation and competitive edge, security can’t be an amateur or part-time pursuit, because today security really is Job No. 1,” said Tsang.
How do you feel about applying Gartner’s Malware Protection Maturity Level in your organisation?
How do you feel about adopting managed security service in 2019?