Cybersecurity issues discussed at MIA Conference 2017
During the MIA International Accountants Conference 2017, cybersecurity experts took to the stage in a panel discussion to talk about how cyberthreats and cyber risks are evolving exponentially now that technology and digitalisation have become so pervasive.
KPMG’s Cybersecurity Lead in ASEAN, Dani Michaux, shared how cybercrime has become an organised and very sophisticated business; it accounted for up to USD450 billion in losses last year.
“You can order (cyberattacks) as a service, and all it takes is USD100 to bring down a company,” she said.
Firmus CEO and founder, Alan See, observed that the motivations behind cyber attacks have definitely evolved, and that there is a whole underground economy of cybercriminals who are all too well aware that the weakest link in any attack is the end user.
For example, ransomware attacks target end users via social engineering and/or phishing emails. All it takes is for someone to click a phishing link, and it is believed that most of the reported ransomware incidents in Malaysia are caused by an end user’s lack of judgement.
So it isn’t only that hackers are getting more sophisticated, with more advanced tools and resources at their disposal; users are also not keeping up with how to use technologies properly or protect themselves sufficiently.
Do we keep throwing money at the problem?
When Media Prima’s Chief Transformation Officer, Alain Boey, put this question to his panellists, Michaux drew attention to the fact that banks employ physical security to protect the cash, yet there are no equivalent security systems in place when it comes to cybersecurity and cyber risk.
“Because there is the hope that someone down over in IT, would fix it,” she observed.
So, besides cybersecurity needing to be a business and boardroom issue, the business and management also have to decide and agree upon what it is that they want to protect.
See also observed that during audits, it was discovered that some security policies are over ten years old. “These definitely need to keep up with the times, and be updated.”
There is also a view that there should be investment in training for users to practise good cybersecurity hygiene steps such as limiting the use of USB drives, limiting the use of social media, regular data backups, and patching.
With so many horror stories going around about how end users are using technologies in the workplace (e.g. creating a backup folder for the PC and keeping it on the same PC), Boey posed the theoretical question: might it be cheaper to implement Pavlovian techniques on users’ computers instead of expensive cybersecurity solutions?
For example, a very loud buzzing alert goes off when an employee saves a very sensitive company document to a thumb drive or emails it out.
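The “buzzer” Boey describes is, in practice, a simple data-loss-prevention rule: classify the document, then alert when a sensitive one is copied to removable media or emailed outside the organisation. The following is an added illustration written for this article, not code from the panel or from KPMG, Firmus or Media Prima; the document labels, internal domain, content markers and events are all constructed, and the rule applies to untagged files as well as tagged ones by falling back to a content check.

```python
"""
Hypothetical end-user 'buzzer' rule: alert when a sensitive document is saved
to removable media or emailed to an address outside the organisation.
All labels, markers, domains and events below are constructed for this example.
"""
from dataclasses import dataclass
import re

# Constructed classification labels assigned to documents by file name.
LABELS = {
    "board-pack-2017.pdf": "restricted",
    "payroll-june.xlsx": "confidential",
    "canteen-menu.docx": "public",
}

# Constructed content markers used to classify a document that carries no label.
CONTENT_MARKERS = [
    (re.compile(r"\bCONFIDENTIAL\b"), "confidential"),
    (re.compile(r"\b\d{6}-\d{2}-\d{4}\b"), "confidential"),  # NRIC-like identifier
]

INTERNAL_DOMAINS = {"example.com"}          # constructed: the organisation's own mail domain
SENSITIVE = {"confidential", "restricted"}  # labels that trigger the buzzer


@dataclass
class Event:
    user: str
    action: str            # "save" or "email"
    document: str
    content: str = ""      # document text, used only when no label exists
    destination: str = ""  # drive type for a save, recipient address for an email


def classify(document, content):
    """Return the document's label, inferring one from content if it is untagged."""
    label = LABELS.get(document)
    if label:
        return label
    for pattern, implied in CONTENT_MARKERS:
        if pattern.search(content):
            return implied
    return "unclassified"


def leaves_organisation(event):
    """True when the action moves the document outside the organisation's control."""
    if event.action == "save":
        return event.destination == "removable"
    if event.action == "email":
        domain = event.destination.rsplit("@", 1)[-1].lower()
        return domain not in INTERNAL_DOMAINS
    return False


def evaluate(events):
    """Run the buzzer rule over a list of events and return the alert lines."""
    alerts = []
    for ev in events:
        label = classify(ev.document, ev.content)
        if label in SENSITIVE and leaves_organisation(ev):
            alerts.append(f"BUZZ: {ev.user} {ev.action} {ev.document} ({label}) -> {ev.destination}")
    return alerts


# Constructed sample events: three of the six should trigger the buzzer.
SAMPLE_EVENTS = [
    Event("aisha", "save", "board-pack-2017.pdf", destination="removable"),
    Event("aisha", "save", "board-pack-2017.pdf", destination="local"),
    Event("ben", "email", "payroll-june.xlsx", destination="accounts@example.com"),
    Event("ben", "email", "payroll-june.xlsx", destination="ben.home@mail.example.net"),
    Event("chin", "email", "canteen-menu.docx", destination="vendor@example.org"),
    Event("dev", "save", "notes.txt", content="CONFIDENTIAL: merger terms", destination="removable"),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Run as a script it prints one line per triggered event. Notice that the same document saved to the local disk, or emailed to an internal address, is left alone: the rule keys on where the data goes, which is the decision the panel wanted users to feel immediately.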
Talking the business language
The gap between business and IT has been oft talked about.
With cybersecurity still being the domain of the IT department in most organisations, it becomes a challenge not only to secure budget for cybersecurity, but also to articulate the risks that come from bringing digital technologies into the organisation.
Traditional risk management units are unable to grasp, much less explain, these risks, and See shared that when it comes time to justify cybersecurity spending, it is extremely hard to quantify the return on investment (ROI).
He said, “There has to be a paradigm shift that cybersecurity spend, becomes part of the business cost.”
Michaux also gave her two cents, “As cybersecurity professionals, we should be the bridge to management, to help them make intelligent decisions, with sufficient information about what their exposures are.”
The question also came up of how secure the cloud can be.
Michaux raised the pertinent point that an organisation should focus on their core business, and it is “far better to have a cloud provider take care of security for you.
“Cloud providers have potentially better skillsets to do so, because they do it for more customers, whereas you as an organisation, may just be going on your journey, and you don’t want to worry about it.”
That said, she also cautioned, “Please make sure you read your contract very carefully. There is a glaring lack of good contract managers and legal teams who understand the cyber risks and cyber security.”
See also advised, “Make sure you subscribe to cybersecurity services on the cloud. It will be additional billable items, but policies for applications and data are different from one organisation to another, so you will need more than the standard cloud protection.”
Ransomware is inevitable, so hope for honourable thieves?
Boey also asked, “Do we pay the ransom to decrypt our ransomed data?”
If the losses exceed the cost of the ransom, then the organisation probably should. It also depends on how critical the data is to the business, and what the potential losses are without it.
But there is also the danger of the extortionists not honouring their word and not handing over the decryption key.
The issue of personal data protection also came into the discussion.
Michaux opined that companies that process personal data have a responsibility to citizens to keep their data safe and private.
With the amount of digitalisation that we have gone through and are about to undergo, Michaux felt that ecosystems have to be created to look into protecting citizens’ personally identifiable information (PII).
See also said that PDPA enforcement is not strict. “The situation is not improving, it is getting more serious. Companies that have been breached are not penalised enough, and it is causing the current situation!”