Singtel Cyber Security Forum 2018

The expertise of cybercriminals has increased dramatically in recent times, with many of them bypassing traditional methods of attack, says Teddy Ko, Country Director, Hong Kong, Singtel. Coupled with the acceleration of digitalisation and mobility, businesses are facing greater risks than ever before.

Speaking at the opening of the Cyber Security Forum 2018, Ko cited reports by Gartner on the conservative growth in cybersecurity and highlighted an impending danger: “If you look at [the] continuous and unstoppable acceleration in [cyberthreats] and data breaches in the past few years and project it ahead, the growth rate of security spending may not be sufficient to avoid cyberattacks.”

“Ensuring the meeting of security requirements to protect your enterprise assets is an ongoing exercise – beyond resources, you need a comprehensive strategy that encompasses talent, technologies and processes. And this needs to be [constantly] fine-tuned, and with regularity. Vigilance and staying up-to-date is key,” he said.

“A lot of breaches are happening today, and in an increasing fashion. Unfortunately, the reality of cybercrime is that the criminals go where the opportunities are,” observed Miro Pihkanen, Partner, Cyber Risk Services, Risk Advisory, Deloitte China, as he cast the spotlight on the state of cybersecurity today.

The good news about this pressure is how it has forced a change in the cybersecurity arena over the last decade, Pihkanen noted, giving the example of organisations that used to measure their security maturity by calculating the ratio of firewalls to employees. “Those days are truly gone – it is no longer a matter of having firewalls or point technology solutions; the whole hard outside and software inside approach is truly gone – it doesn’t work anymore,” he said.

Of course, a new slew of technologies has emerged on the back of digital transformation, creating disruption not just in existing business processes and business models, but also in terms of cybersecurity considerations. The result is a far larger attack surface that attackers can exploit.

Pointing to the machine-to-machine (M2M) appliances that are typically used in the utility and energy sectors, Pihkanen noted that the traditional assumption that M2M networks are completely isolated is no longer true. “With IoT (Internet of Things), everything is becoming connected. With Wi-Fi hotspots, wireless access points, everything is interconnected. Even at home, your vacuum cleaner is connected to the internet,” he said.

“This gives cybercriminals a lot of avenues and devices [to exploit]. They are very entrepreneurial and know what to exploit and profit from,” he explained. And the repercussions are much greater too. Giving an example of how a modern office complex can be disrupted, he said, “[The hackers can] come, breach the system, lock the doors and disable all access passes.”

The IoT is a big catalyst and driver of digital transformation, asserted Dr Ong Chen Hui, Director, Operations Technology Security, Singtel.

She pointed to how IoT appliances are powering the deployment of smart metering and empowering the smart grid in the utilities and energy sector. Elsewhere, she noted that IoT is also enabling just-in-time (JIT) manufacturing, JIT logistics, and playing a part to track the distribution and consumption of goods and services.

“29% of organisations globally currently already adopt IoT in their business. More than half of those adopters say that IoT is increasing revenue or opening up new revenue streams for their business. 57% of all companies think that IoT will only increase in importance for their business,” said Dr Ong.

One trend is the convergence of IT networks and operational technology (OT) networks, she noted. The latter are systems that sense and control the physical world, such as running production lines in manufacturing environments or controlling urban railways. Together with the proliferation of IoT devices, this does create security considerations that may be overlooked by some, she noted.

“In the past, we have always assumed that these networks are separated by what is known as the air gap. Due to the need for business efficiency, however, IT and OT networks have increasingly started to converge. IoT will only drive that convergence,” said Dr Ong.

With 50 billion devices projected to be in use by 2020, this can only result in a bigger attack surface. It has not helped that the IoT ecosystem is extremely fragmented, and new innovations are needed. “We need to think of designing for safety and security together. They need to coexist.”

Speaking on the topic of detecting insider threats, Ralph Pisani, Executive Vice President, Field Operations, Exabeam suggested that security information and event management (SIEM) systems are ideally positioned for practical detection of this type of threats.

“As an industry we tend to focus on the attacks, were my people phished, was there malware involved, how can I stop phishing, how can I stop malware… It’s vital for all of you to start thinking about what data you are going to collect to be able to see the full scope of the attack,” said Pisani, who said the key lies with the credentials.

“At the heart of what made hackers successful is that they own the credentials of a legitimate person inside the organisation. The password is the holy grail for the attacker,” he said, noting that advanced persistent threats (APTs) are really about gaining credentials. “That persistence [in an APT attack] is usually because they look like an insider, and they own credentials of somebody inside.”

Attackers never stop with a single set of credentials but will want to escalate privileges, notes Pisani. “These attackers will move laterally, and they will go through systems, and inevitably, they will touch things that the owners of those credentials don’t touch.”

Organisations have the advantage in that attackers have no idea about the normal job responsibilities of the employees whose credentials they have stolen. “You have to start to look at the kill chain, you have to start looking at more than just single anomalies and start piecing together the movement of attackers.”

The Singtel Cyber Security Forum 2018 also saw a panel of experts share insights on the various pitfalls in cybersecurity.

“A lot of times, we just buy security for the sake of it. We don’t really know what we are trying to protect at the end of the day. To help your organisation understand what you need to spend your money on, you must first perform a proper risk approach,” said David Mclinton, Head, Asia Pacific Operations, Cyber Security, Singtel.

He called on businesses to focus on outcomes: “If you’ve only got $50,000, what should you spend on? Some companies spend on the easiest things to implement, or the latest and greatest technology, which is probably not the right approach. We see many companies buying technology they probably don’t really need to refresh. [However] they should be focused on the outcome; it could be [preventing] data leakage, incident response, training, or any of those things.”

“The first question I have is the training of cybersecurity professionals. Right now, we are in the world where attacks are so diversified. Just using standard tools is not adequate. We need more of these people; my main concern is in the human resource aspect of cybersecurity,” said Dr Lucas Hui, Senior Director, Security and Data Sciences, Hong Kong Applied Science and Technology Research Institute (ASTRI).

Patrick Liu, Head, Information Security Risk Management, DBS Bank (Hong Kong) thinks that organisations should start with the fundamentals: “You need to define the use case and understand the [underlying] business risks. Go deeper and identify the real assets that you are trying to protect and ask yourself: What are the key steps you can take to make hackers stop the hacking?”

“Moreover, how do you effectively use the various security solutions together? Each security product may give you [solution to] a certain [pain point]. When you deploy different solutions, you may lose sight of the big picture without proper integration,” he said.

Anna Gamvros, Partner & Co-Head, Technology & Innovation, Asia, Norton Rose Fulbright, observed that far too many of her clients only come to her in the midst of a crisis. She called for enterprises to prepare ahead for potential security breaches by putting together a holistic incident response plan to manage both legal and reputation risks.

“Quite often we find that part of this preparation process is not only in the training, but also in making sure that the IT and security teams are focused on who they need to reach out to beyond the technical side in an incident. Who [do they contact for] legal, management, and public relations in the midst of a crisis?” asked Gamvros.

“A lot of companies and firms are turning to digital transformation and the cloud for greater business agility. The concern in cybersecurity is how fast we can respond. If companies are moving towards the cloud, then security must be embedded into it. How fast can we embed it or how fast can we adapt to support our business needs?” asked Maurice Mo, Senior Director, Regional IT Security, Prudential Corporation Asia.

If there is one takeaway from the forum, it would be the fact that enterprises cannot sit back and rely solely on static cybersecurity tools to protect them. To stay ahead of the deluge of threats against a changing cyber landscape, organisations must roll up their sleeves to strengthen their fundamentals, perform a proper risk approach, plan for the worst, and invest in cybersecurity professionals – or work with partners with relevant skillsets.