By Majella Gomes
Cyber risks are a growing threat to business, and organisations must keep themselves abreast of the risks and regulations in their respective industries, said session moderator Jason Lim, Vice-President, Cyber Security, Wiki Labs, at the recent MIA Risk Management Conference 2018. Organisations should practise security on the assumption that they have already been breached. In addition, organisations should stop striving for perfect protection and instead implement controls that help them detect and respond to malicious activity before it causes greater damage and disruption to the business. “Building the wall high enough is just not good enough. Organisations could have spent lots of money building a good security perimeter preventing external attacks, but what about the insiders who are already in your network and accessing your crown jewels every day? They don’t even need to hack your system,” stressed Jason Lim.
How scary is the threat? MyCERT Head Megat Muazzam Abdul Mutalib said that statistics show more than 8,000 incidents pertaining to data security breaches were reported in 2017. The numbers are alarming enough, but they may be only the tip of the iceberg, as many Malaysian companies prefer not to report breaches. Their reasons for keeping quiet vary; admitting a breach may have an adverse effect on share prices and shake investors’ confidence, but staying stoic and tight-lipped in the face of cyber attacks may not be the best course of action. “Reporting is important so that the impact (of such incidences) can be mitigated,” stressed Megat Muazzam, adding that Malaysia has also seen a rise in incidents of crypto-jacking, the unauthorised use of computers to mine cryptocurrency.
When hacking first started, breaches were usually caused by “hacktivists” driven by a political or social rights agenda, or by “script kiddies” who hacked for little more than bragging rights, but this has changed. Today’s attacks are targeted, swift and brutal. Businesses can find themselves locked out of their own systems; entire organisations have been known to grind to a standstill. “We need to be educated about the types of risk because cyber crime is widespread,” cautioned Anthony Tai Yu Kun, Risk Advisory Partner, Deloitte Malaysia. Although Malaysia has laws that deal specifically with cybersecurity, and Bank Negara has guidelines on e-banking, e-insurance and e-commerce, companies must determine what works best for them, starting with an internal framework.
Four Elements for Cybersecurity
Four elements are key to an internal cybersecurity framework: governance, vigilance, security and resilience. Megat Muazzam said firms should “start small” and develop internal capacity using their own resources and testing processes first, while raising staff awareness. While there are many helpful software tools on the market, internal effort is what creates a viable framework to support the four elements. Awareness is paramount; hence educating all staff, not just those in the IT department, is necessary. “Even the best-protected systems can be breached in the most basic way,” cautioned Tai.
One bright spot is that Boards today are more aware of possible breaches, and are generally supportive of efforts to mitigate them. This is evident in the incorporation of cybersecurity measures and the embedding of cyber risk in corporate strategy and operations. While larger corporations may cope well, smaller enterprises may struggle to put a specific cybersecurity agenda in place, so a more proactive stance on the issue will be necessary. One strategy is for the firm’s Chief Information Security Officer (CISO) to have direct access to the Board, so that members can be acquainted with the main issues.
In the final analysis, how well an organisation manages its cybersecurity risks depends on the organisation’s own capabilities, although third parties may provide supporting services. Firms need to put in place frameworks that can counter cyber attacks, and ensure that these frameworks comply with existing guidelines. Staff training is imperative, as most scams have been found to be carried out by those with knowledge of internal processes. Above all, understand your firm’s individual risks, identify what mitigating measures can be put in place, and be prepared. Cybersecurity is everyone’s responsibility.