CSA’s own coverage has seen us publish a number of studies, reports and expert opinions that highlight how widespread, dangerous and persistent the cyber threat problem has become. Technologies are developed and deployed; processes are improved upon to counter this new reality. At the same time, it is the “people” aspect that’s often seen as the weakest link that’s letting organisations down in the fight to keep their valuable data safe.
On the ground, are the real issues faced by organisations actually related to people, or technology? What are the cybersecurity issues that keep Malaysian business owners and execs awake at night? To find out, CSA organised an exclusive roundtable and luncheon event attended by those responsible for making the tough decisions - the senior and C-level executives.
A distinguished panel consisting of experts from CyberSecurity Malaysia, IBM, Nozomi Networks and LifeTech Net was also on hand to share their experiences, advice and best practices on mitigating the cybersecurity dilemma in this digital economy.
Andrew Martin, AOPG Group Publisher, kick-started the event with a welcome address and, to set the scene, gave an overview of some of the largest data breaches the world has seen in recent times. These ranged from global brands such as British Airways and T-Mobile, which have suffered cyber attacks that compromised hundreds of thousands to millions of customer records, to more obscure companies (from this region’s perspective anyway) such as Timehop (21 million records compromised), Chegg (40 million), Careem (14 million) and Aadhaar (1.1 billion!).
The key takeaway here is that in this digitally driven era, it is not only the large enterprises that store and process large amounts of data. Big data is now also as valuable and accessible to SMEs and at times, whole organisations are built on nothing but data. This, said Andrew, has meant that the landscape for bad actors to act upon has also grown tremendously over the years.
Although technology is continually advancing, with new and (hopefully) improved security capabilities, it is often the old/legacy technologies still present in many organisations that are targeted and become the source of breaches. To make things worse, in many of the reported cases, the gestation period, the time before a breach is actually discovered, has been in the range of months and, in the case of the Marriott Starwood data breach, a few years.
There’s No Silver Bullet to Cybersecurity
CyberSecurity Malaysia’s Head of CyberSecurity Industry Engagement & Collaboration, Mohamed Anwer Bin Mohamed Yusoff, echoed Andrew’s sentiment by saying that cybersecurity is an issue that is becoming ever more complicated. But not only that, it is a crisis that needs to be urgently resolved.
He mentioned that a major contributing factor to the problem is how valuable data has become, with personal information being sold for profit on the dark web. As a body that monitors the country’s digital security, Anwer shared that CyberSecurity Malaysia receives between 800 and 1,000 cybersecurity incident reports each month, with the majority being fraud and harassment cases.
Unfortunately, in Anwer’s view, senior management in many Malaysian organisations are not taking the issue of cybersecurity seriously. “This is an ongoing problem and we are going to have a lot of new issues in the wake of the Fourth Industrial Revolution.” He added that there is also no silver bullet or one-shot solution to completely eliminate the risk of cyber threats.
In particular, he singled out known threats, threats that are unknown or undiscovered, and threats that are enemy-related, or created by adversaries, as three things that organisations must be able to address in today’s digital climate.
Therefore, it’s vital for Malaysian organisations to ask themselves a number of key questions, such as, “Do you have an information security policy in place? How do you address BYOD? How do you address data leakage? Do you do data classification? Do you do identity/access management?”, among others.
On their side, the Malaysian government has been stepping up efforts to boost the nation’s security posture, especially with the establishment of the National Cyber Security Agency (NACSA). Anwer ended his part of the presentation by giving the assurance that CyberSecurity Malaysia is always prepared to offer assistance to any Malaysian companies that need their services or guidance.
As the Focus Shifts from IT to OT, Are Organisations Prepared?
Vincent Liu, Regional Sales Director, Nozomi Networks, then offered a different yet compelling perspective when he elaborated on another form of threat that’s often overlooked in the headlines – attacks on critical infrastructure and mission-critical systems. He explained that it’s not uncommon for organisations to be lulled into a false sense of security because their mission-critical environments are often run completely disconnected from the internet or the outside world.
But incidents in the past have shown that those who wish to breach or disrupt a system can and will find a way in, often through legacy or “outdated” technologies. He listed the following industrial security incidents in recent history, along with the methods by which the “disconnected” critical systems were breached:
· Stuxnet attack on Iran’s nuclear plant (2010) – via USB device
· New York Dam infiltration by Iranian hackers (2013) – wireless modem
· Spies target water treatment control systems (2014) – compromising vendors
· Malware takes down Ukrainian power grid (2015) – ransomware and physical response DDoS
· Global aluminium manufacturer shut down (2018) – ransomware
He also emphasised one particular incident involving the hacking of the Sayano-Shushenskaya hydroelectric dam’s SCADA system in Russia in 2009, which caused a major explosion, killed 75 people and caused an environmental catastrophe.
The point Vincent wanted to make was that while the impact of cyber attacks on IT is often monetary, when it comes to mission-critical environments and operational technology (OT), the effects are far worse. For example, in the case of the Russian dam, he said not only did it take more than $3 billion for them to make repairs and recover, lives were also lost in the aftermath and people who depended on the dam for water and irrigation were seriously affected as well.
Vincent mentioned that the adoption of new technology and automation would undoubtedly provide enhanced performance, cost reduction, scalability and flexibility, but this IT/OT convergence will also create new security challenges. Nevertheless, he stressed that the benefits of new technologies far exceed the risk from security and “we just have to manage the risk correctly via the right tools and processes.”
Based on his observations in the region, we have yet to see a major attack on critical infrastructure (although there were attempts to that effect), but there have been “many attacks on manufacturing that have shut down [operations].”
What makes these attacks dangerous is that they are not purely carried out for monetary advantages. Some attacks are carried out for the purpose of gaining political mileage, causing harm and affecting safety. “And these attacks are now changing. Before, it was on oil and gas. Now, they’re spread across different verticals, spread among different geographies. So very little of us are safe from attacks that can actually harm the population in our country,” he said.
Over the past decade or so, it is true that organisations have spent a lot of effort and budget on improving cybersecurity for IT. However, Vincent concluded that the next phase will be about looking at how to protect critical infrastructure and mission-critical systems.