Cybersecurityasean.com teamed up with IBM and CyberSecurity Malaysia to run an exciting event that coupled the idea of profiling the psychology of cybercriminals with how companies prioritise and manage data privacy. The subjects gelled well, and the blend of expert presenters and engaged attendees led to an event where experience and knowledge were shared to everyone’s benefit.
Andrew Martin, Group Publisher at Asia Online Publishing Group, kicked off proceedings with an introduction that explored two areas. He explained that cybersecurity teams in countries around the world are starting to look seriously at the role industrial psychology can play in their total cybersecurity posture and contended that Malaysia is behind the curve in this respect. Andrew then went on to present high-level details from psychologically led research that showed how psychological emotions are the stimulus behind many forms of a cyber-attack. As an example, if you have ever received a phishing email “apparently” from a friend abroad in need of emergency finance, the cybercriminal is playing on your natural desire to “help a friend in need’.
After Andrew’s introduction, we were treated to a great presentation by CyberSecurity Malaysia’s Fathi Kamil. Before his time with CyberSecurity Malaysia, Fathi spent nearly 10 years as a penetration tester, and more recently was a member of CyberSecurity Malaysia’s winning team at the ASEAN capture the flag competition in Australia. This experience qualified Fathi to comment on “thinking like a hacker”.
Fathi described his work in MyCERT and how the team is available to help any company that suffers a cyber-attack. He also shared statistics of the most common attacks Malaysian businesses have reported this year.
In terms of the capture the flag competition, it was interesting to note that their closest competitor (Singapore) diagnosed the issues, but Fathi’s team were able to do it quicker. This confirms that having the experience to work quickly and accurately under pressure during a breach is critical as the speed of resolution is everything.
Following Fathi, IBM’s Glen McFarlane (Threat Management Segment Leader) went into more detail about solutions. He gave an overview of how IBM Guardium can be used to manage the policies that keep your company secure. The subheading of Glen’s talk was “more rules, less tools” which was very salient to the theme of the day. Whilst having the right technology and products is without question a necessity, Glen explained how the fundamental core of defense needs to be the strategy, rules, working practices, data classification and priority that the security team defines. Once this is watertight, the tools can be implemented to manage, enforce and monitor the strategy.
The final speaker of the day was IBM’s Sunil Prabhakaran (Data Privacy & GDPR Lead ASEAN). Sunil has built his career around the area of data privacy. His knowledge on global data privacy legislation is deep, and he helps companies understand their legal obligations across geographical boundaries. Sunil’s presentation piqued the attendees’ interest and it turned from presentation to impromptu Q&A as people picked his brain about specifics of frameworks like PDPA.
One of the interesting points that came from Sunil’s presentation came back to the idea of “psychology” in keeping our data safe and private. The issue that bubbled to the surface was whether individuals in Malaysian companies take the whole concept of data privacy seriously enough. The consensus in the room was that there is much more to do in this respect.
The final session was an open Q&A moderated by Andrew Martin. In addition to the speakers, the panel was joined by Azril Rahim from TNB (APAC's Cybersecurity Threat Intelligence & Threat Hunting Expert for IT and OT) and Bernard Chen (Managing Director at TechLab Security & GeoXspot). The questions the panel fielded were varied and insightful. There was a consensus that moving to cloud meant that responsibilities lie on both the customers and cloud providers. And as security challenges grow over time, companies should be prepared to strategically allocate specific percentages of their annual revenue to cybersecurity.
These were questions that encouraged debate but didn’t receive conclusive answers and could perhaps be great subjects for us to explore in our next event!