The C-level cybersecurity roundtable organised by CSA together with IBM and CyberSecurity Malaysia last week, attended by Malaysian business decision makers and IT leaders, was a definite success. After the opening remarks and presentations from each of the invited speakers, the panel discussion followed, hosted by Andrew Martin, AOPG Group Publisher.
The panellists consisted of Mohamed Anwer Bin Mohamed Yusoff, CyberSecurity Malaysia’s Head of CyberSecurity Industry Engagement & Collaboration, Vincent Liu, Regional Sales Director, Nozomi Networks, and Evan Loh, Business Director, LifeTech Net.
The main point of discussion for the day was the balance between the technical and people-related threats. To kick off the one-hour session, Andrew Martin highlighted the fact that oftentimes, people are identified as the weakest link in cybersecurity.
Nevertheless, he added that certain agencies, such as the British National Cyber Security Centre, have been trying to move away from the idea of humans as the weakest link in the chain and instead focus on “fixing the underlying problems such as ageing IT equipment”.
He then opened up the question to the panel as well as the dignified guests in attendance. “Is it a people issue – are people your biggest concern – or is it actually things like legacy IT infrastructure?”
Anwer from CyberSecurity Malaysia opined that although people now depend more and more on technology, the human element will always be there whether we like it or not. In fact, he stated that a vast majority of cybersecurity issues come down to the human factor and therefore, it is something that needs to be addressed. He reiterated a few points he touched on while giving his opening remarks: that there’s no silver bullet to solving the cybersecurity conundrum, and that what it takes is a holistic approach which involves people, process and technology.
In terms of technology, Vincent from Nozomi Networks said that things have now improved to the point where companies like IBM can offer solutions that can monitor systems and give much deeper insights than ever through predictive analysis. For example, when there are anomalies in the way that IT/OT systems or even ICS behave, the solutions can determine whether the changes could be attributed to system degradation, signs of imminent failure or if the systems are being attacked.
That is one way of removing (or at least lessening) the human element, especially as systems become more complex and the risk of cyber attacks continues to escalate. “Relying on technology, such as AI or machine learning, is vital to understanding the business itself. When you’re looking at prediction, it’s not just about maintaining uptime. It’s also about instant return on investment.”
The third member of the panel, Evan from LifeTech Net, agreed that implementing advanced technologies such as AI as part of operations is beneficial, but “at the end of the day, we still need to come back and focus on the people. We need to go at it from the top down, building that culture of cybersecurity,” he said.
He cited examples of successful business email compromise (BEC) attacks that are designed to target specific individuals within an organisation, especially those in senior positions. To counter such threats, LifeTech Net is working with C-level executives within companies to help them build up their processes and frameworks so that they can gain a better understanding of cybersecurity and how it affects their business.
“Cybersecurity can be disruptive, so they need to know how they can take that into their overall business framework so that it becomes part of their overall business structure,” he explained. From there, the greater emphasis on cybersecurity on top-level management will trickle down to other employees within the organisation to become part of its corporate culture.
Making the Right Cybersecurity Investments
To get a sense of what Malaysian companies are faced with, Andrew then asked attendees of the roundtable event to name their single biggest cybersecurity concern, and the answers consisted of the usual suspects – threats we very often cover in our own pages here at CSA. Charles Nathan, Head of IT at Cenviro Sdn Bhd, named spam emails as his biggest concern; Aggie Lee, Group CEO of AQM Concept, mentioned securing customer data. For Mazrul Mansor, Head of IT at Tradewinds Travel Services, it is the dangers of fraudulent and malicious emails, while for R Jayachandran Pillai, Head of IT, MMC Gamuda KVMRT, it is the prevalence of malware and ransomware.
Although many organisations are investing a lot of money to mitigate cyber risks, Anwer believes that it’s important for them to evaluate the return on their security investments. He suggests that organisations should definitely include these discussions at the board level, for example by reporting certain security-related KPIs, such as the number and severity of security incidents, during board meetings.
He surmised that, as is already happening in a lot of countries, it’s just a matter of time before those at the top level will be held responsible for cybersecurity breaches that involve Malaysian businesses. As of now, that has yet to happen despite some very high-profile cases reported in recent years. “These are issues that we have brought up with the current government. There must be proactive measures to prevent cyber breaches,” he said.
As such, CyberSecurity Malaysia is trying to move the conversation forward from just focusing on cybersecurity to a more all-encompassing one on digital security. “We need to look at a much larger scope. We need to look at digital security as well as more inclusive policy, instead of talking just about CNII (Critical National Information Infrastructure) or the telcos, banking and financial sectors.”
Azril Rahim, IT Senior Manager, Cyber Threat Intelligence for Tenaga Nasional Berhad, posed a question to the panel about the type of strategy and investment that Malaysian organisations should make in the face of such a varied and volatile cyber threat landscape, as well as whether companies should start looking more into data-driven and analytical cybersecurity approaches.
Vincent Liu shared that in his experience, what’s certain is that “if they [the cyber threat actors] want to get into your system, they can get into your system”. Therefore, it isn’t viable for companies to overspend on trying to mitigate every single threat out there. The focus area for every security operations centre is unique, so he suggests that each organisation do their own threat modelling to determine the biggest risks to their systems.
“That would help them form a baseline of where they want to spend their efforts,” he said, adding that the biggest problem with a lot of today’s approaches to security is that they are designed like an egg – hard on the outside and soft on the inside. “Once they get in, it’s easy for them to traverse and move around and escalate privileges.”
His advice is that companies need to know where their most important digital assets, or “crown jewels” are, and allocate more resources into protecting those areas that will be most impacted should a cyber breach occur. “Breaches will happen,” he said, adding that what’s critical is having the right crisis management to respond quickly and effectively.
Instilling a Cybersecurity Culture
Attendees Albert Tan, Head of IT for Themed Attractions & Resorts Sdn Bhd, and Sina Manavi, CIMB’s Senior Manager, asked what the most effective and innovative ways would be to educate users (especially ones that are not tech-savvy) to build awareness of cybersecurity, as well as how to gauge the effectiveness of such user training methods.
While awareness programs are essential, Evan mentioned that classroom training can be boring and, added to the fact that they’re conducted few and far between, forgettable. To develop a better understanding, Evan suggested that companies should try doing simulation attacks to get users to experience what real attacks may entail. Consistency is key and the end goal should be to emphasise and develop a strong cybersecurity culture.
Agreeing with the panellists, Serene Lee, General Manager, Cloud, IBM Malaysia, shared her view that IBM itself has over 300k employees worldwide and not all of them are technical employees. “What we do is we give constant reminders, security training certifications that employees must undergo regardless of their job scope, yearly or bi-annually. Our IT departments also do a lot of internal tests on randomly selected users and we teach users to identify and classify our confidential information to keep them secure. We deal with security very, very seriously,” she explained.
To wrap up the session, Andrew summarised that when it comes to cybersecurity, it often boils down to protecting an organisation’s most valuable asset, which is data. He concurred with Serene’s comments, adding that one of the fundamental issues that companies still have is not a technology issue, but “making users aware of which data is more valuable than others.”
He also reiterated Vincent’s point, saying that crisis management is also critical because the stats show that most companies have not thought through what their crisis management plans are. Having a crisis management and cyber resilience plan helps them be much more prepared to know exactly what they need to do when things do go wrong.
Last but not least, Andrew said that security is no longer an IT issue. “You need buy-in from every part of the organisation. IT can do some of the defences, but you need executive-level buy-in, you need HR buy-in for training, and you need the top people to understand the level of risk. Cybersecurity is a total, organisation-wide issue.”