When it comes to a cyber-attack, it is no longer a question of if your company will be hacked but when. Companies from 2 to 10,000 will get hacked. There’s no question.
If you think that’s bad news, then consider this: in Asia Pacific, enterprises were expected to spend US $230 billion in 2014 to deal with cyber breaches, and it wasn’t enough. Organized crime accounted for US $138 billion in enterprise losses in the region, according to an IDC/NUS study.
Sixty percent of security breaches are due to compromised credentials. The threat won’t lessen as time goes on—cybercrime is profitable. In fact, it’s now more profitable than the illicit drug trade—and it’s a powerful magnet, attracting unscrupulous individuals, organized crime rings and even nation states interested in doing “bad” for profit.
With the advent of the third platform—mobile, social, big data, and cloud—the surface of attack for cyber criminals is just getting larger. Security measures of yesterday are struggling to cope with the speed of mobile adoption and how devices are now interconnected. Meanwhile, hackers are already onto the next stage of the game: it’s a game of cat and mouse, and we, unfortunately, are the mice.
Governments are also getting in the game, with a number of countries in Asia ramping up measures to counter cybersecurity threats. For example, in Singapore the Infocomm Development Authority of Singapore (IDA) introduced the Singapore National Cybersecurity Master Plan 2018 to provide the strategic directions to guide Singapore’s national efforts in enhancing cyber security for public, private and people sectors.
Singapore is by no means the only nation worried about cybersecurity: Japan, Indonesia and other countries in the region have also put forward initiatives to bolster efforts to address the clear threat cybersecurity poses.
This is the current threat landscape. It’s scary, but by no means is it impossible to address. In fact, Asia Pacific is leading the world in digital security, according to PwC.
Companies in the region are more likely to have an IT security strategy that is aligned to the needs of the business and to have a senior executive who communicates the importance of security.
The Asia Pacific region remains a leader in implementing strategic processes and safeguards for information security, setting the pace in numerous practices. As with any potential threat, being prepared to deal with attacks is just as important, if not more so, than preventing attacks in the first place.
Let’s put it this way: if a company with firewalls, anti-spam and antivirus all in place is a castle, it is well prepared for the attacks a castle would naturally expect: armies with arrows, a catapult, hordes that can be repelled by ensuring they do not enter the castle.
What happens when the enemy evolves? In order for the company to keep its castle safe, it needs to change its mindset and understand that it is no longer dealing with the same enemy as before.
Changing Mindsets on Cybersecurity to Match the Evolving Threat Landscape
Today, the focus is on preventive technology. In the castle analogy, this would be the equivalent of the strong walls, narrow windows and a moat—anything in place to ensure that intruders can’t get in.
While it’s absolutely necessary to make sure you have adequate defenses on the outside, none of these preventative measures are able to do anything about aggressors that have already gotten into the castle.
The mean time to detect a threat and the mean time to respond are currently measured in months—hundreds of days—by which point the damage has already taken place and is too large or severe to salvage.
Once the detection and response times are closer together—in the weeks, days, or even hours, ideally—companies can meet the challenge of seeing their environments in real time and knowing when there is an intruder.
How can this be done? By not holding compliance up as a shield. 2014 was a year of major breaches—and many of the major breaches that took place last year happened at companies that considered themselves compliant with security standards.
Being compliant with regulation is not the same thing as being protected. Enterprises can no longer be satisfied with a “check the box” mentality. Regulation is a good start, but by no means does it comprehensively cover a company’s security measures.
Once companies change the “check the box” mentality towards cybersecurity, they realize that the threats their businesses are facing aren’t necessarily ones that fit into a checklist or a framework. That’s why preventative measures are not enough.
Let’s go back to the castle analogy: you have a well-fortified castle but you’re not dealing with an enemy that’s knocking on your gate anymore. You’re looking at enemies that are wearing your uniforms, or drones that are attacking from above – a more sophisticated intruder that you can’t prevent from getting in. What can you do? You need to identify them, and respond to them in a timely manner, before they can deal your castle significant damage.
The Way Forward: Early Detection and Response
Organizations need to baseline their environment and determine who has access to which areas and what information. Can you see your environment? Are you aware of where your servers are and what’s on your servers? Where is your sensitive information? Who is allowed to access what information?
We help organizations create that baseline so they can see, with the help of analytics, if something is going wrong in real time. For example, if an employee’s credentials are compromised, any new activity from that account is and should be a red flag.
Today, organizations need to invest in security intelligence and have a set of security analytical tools. As services become more interconnected and as more data is generated, there is an increasing need to shift to a combination of machine and user analytics. Let the machines analyze the thousands or millions of logs generated and have them identify the unusual occurrences.
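The baseline-and-flag approach described above, as an added example that is not part of the original article: it learns, per account, which source hosts, resources and hours of day are normal, then reports any later event that falls outside that set. The log format, host names and accounts are constructed for illustration, and exact-match sets stand in for whatever model a real analytics tool would use.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (format assumed): "<ISO time> <user> <source host> <resource>"
BASELINE_LOG = """\
2015-03-02T09:01:10 alice ws-114 fileshare/finance
2015-03-02T09:14:52 alice ws-114 mail
2015-03-02T10:20:41 bob ws-207 mail
"""
LIVE_LOG = """\
2015-03-09T09:03:44 alice ws-114 mail
2015-03-09T02:17:30 alice vpn-ext-9 fileshare/hr
2015-03-09T10:40:15 carol ws-301 mail
malformed line
"""

def parse(log):
    """Yield (time, user, source, resource); skip lines that do not parse."""
    for line in log.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0]) if len(parts) == 4 else None
        except ValueError:
            ts = None
        if ts:
            yield (ts, *parts[1:])

def build_baseline(log):
    """Per user: sources, resources and hours of day seen in the learning window."""
    base = defaultdict(lambda: {"source": set(), "resource": set(), "hour": set()})
    for ts, user, src, res in parse(log):
        base[user]["source"].add(src)
        base[user]["resource"].add(res)
        base[user]["hour"].add(ts.hour)
    return base

def detect(baseline, log):
    """Return (time, user, reasons) for every event that falls outside the baseline."""
    alerts = []
    for ts, user, src, res in parse(log):
        if user not in baseline:  # account never seen while learning
            alerts.append((ts, user, ["unknown account"]))
            continue
        seen = {"source": src, "resource": res, "hour": ts.hour}
        reasons = [f"new {k}: {v}" for k, v in seen.items() if v not in baseline[user][k]]
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts

ALERTS = detect(build_baseline(BASELINE_LOG), LIVE_LOG)
```

Alice's 09:03 login from her usual workstation passes silently, while the 02:17 session from an unfamiliar host to a share she has never touched is reported with all three reasons attached.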
This way, we can reduce the time to detect and the time to respond. These are the critical factors when it comes to cyber security: When you realize that they are going to get in, then you need to kick them out before they can do any real damage.