The OpenGov Breakfast Dialogue on ‘Winning the war against surging perils – Cybersecurity in the public sector’ saw representatives from a range of government, education and healthcare organisations have an open discussion on their preparedness for dealing with cyber threats.
Mohit Sagar, editor-in-chief of OpenGov, started the conversation by talking about the many different types of risk, emanating from insider threats, ransomware, web and email, and the shift to the cloud. He highlighted the currently dismal dwell time (the time from infection to remediation) of over 200 days for cyber threats in organisations.
Alvin Rodrigues, Chief Security Strategist (APAC), Fortinet, spoke about the importance of real-time monitoring for establishing a baseline and detecting anomalies in the network, and how few organisations have it. Vulnerabilities can be found and exploited in the areas of people, processes and technology. Cyber security and physical security work hand-in-hand. Credentials can be used to infiltrate a network environment. Even lower-level credentials can be used by attackers as a stepping stone for gaining entry into the system and breaking into higher-level networks.
Mr. Rodrigues further talked about the rapidly transforming environment resulting in a borderless world for technology and, along with it, cybersecurity. Today’s standard approaches, such as those focusing on compliance and point solutions, need to evolve. The need of the hour is seamless integration and critical, actionable intelligence.
Guest speaker from Singapore, Dr. John Kan, Chief Information Officer (CIO), Information Technology Shared Services at A*STAR, shared his agency’s security-in-depth framework, encompassing governance, policy, compliance, process and technology, for dealing with a wide range of cyber attacks, from Distributed Denial of Service attempts to brute-force attacks on user authentication and spyware. Dr. Kan also spoke about implementing a BYOD policy with robust cybersecurity measures.
Before starting the polling, Mr. Sagar highlighted the fallacy of thinking that ‘we are not going to be attacked’. It is a result of the normalcy bias, which causes people to underestimate the possibility of a disaster and its possible ramifications.
Dialogue questions and discussion
Around 42% of organisations present stated that cybersecurity is handled in-house at their agency or organisation, while for 47% it was a mix of in-house and outsourced teams and resources. Here, outsourcing included other government agencies and not just commercial vendors.
Marsineh Binti Jarmin, Head of Cluster for Technological Innovation Cluster Management (i-IMATEC), National Institute of Public Administration (INTAN) stated that their decision to rely on a mix was driven by costs, internal capabilities and nature of activities.
Around 16% of delegates responded that they felt their current cybersecurity setup was sufficient to protect against cyber-attacks. Delegates who said ‘Yes’ explained that they had implemented whatever systems they could and that they needed to have trust in them. They would continue to test the systems to check their resilience. However, 42% of respondents picked ‘maybe’, because of the uncertainty caused by rapidly transforming technology and unpredictable user behaviour. The same unpredictability and the role played by chance, for instance through accidents or natural disasters, also earned a vote for the outlier option of ‘hope for the best’.
Syed Norris Hikmi Bin Syed Abdullah, Deputy Director of Infrastructure and Operations (CICT), Universiti Teknologi Malaysia, highlighted the importance of culture. From culture the talk veered to problems with implementing BYOD security measures. Giving up control over your device so that your organisation’s IT team can scan it, and possibly look at browsing history and private information, could be a privacy concern for some employees. Employees might also get frustrated with things like keying in long, complicated passwords or changing passwords frequently, seeing these as an unnecessary inconvenience. The challenges are even more severe for non-IT staff.
When asked if cybersecurity was a concern at their ministerial or board room level, an overwhelming 75% replied positively. The consequences of this were visible in the answers to the next question, on whether delegates’ agencies have internal cyber security awareness programs. Over 70% responded that they had awareness programs in place. A similar percentage said that they have an incident reporting and management program.
This question sparked off a fascinating discussion on achieving balance between having strong security measures and maintaining productivity, user-friendliness and costs. The importance of educating employees, imprinting the importance of security in their minds through persistent efforts was highlighted.
There could be two different approaches to modifying user behaviour. One is a more indirect, gentler approach where staff are exposed to information repeatedly through awareness campaigns and notified when they make an error. The alternative would be a carrot-and-stick path of penalties and incentives. The pros and cons of both approaches were debated vigorously.
An interesting example came up of how the absence of resources required for productivity might lead to security issues. For instance, if the organisation does not have a secure file-sharing system, employees might use personal drives, exponentially increasing the risk of exposure to malware. Here the objective is to improve productivity, but it ends up undermining security.
Regarding training, it was mentioned that, at times, cybersecurity training for entry-level officials might be weak. Such holes would need to be plugged because security is only as strong as the weakest link in the chain or the fabric.
Rabiah Bte Ahmad, Deputy Director, Centre of Research Innovation and Management, Professor at IT Faculty, Universiti Teknikal Malaysia Melaka, brought up the difficulties in categorizing and classifying information and data and in putting in place authentication protocols for access to and dissemination of information.
Executives expressed concerns over budgetary constraints. However, it also appeared that sincere and structured attempts were being made to do the best with available resources.
A set of questions regarding the ability to detect a threat, respond to it and recover subsequently presented a picture of vigilant government agencies in Malaysia. More than 80% of delegates replied that they had confidence in their capacity to detect a cyber threat, could respond within 12 hours after detection and recover within 7 days of an attack. Several agencies have set up 24/7 operation centres for dealing with cyber attacks.
There was a consensus that attacks are unavoidable in the present-day environment. In the event of a cyberattack, it is essential to have identified in advance the core assets and functions you need to protect to ensure that your business is not run into the ground. The key learning was to have people, processes and technology in place to protect the ‘crown jewels’ and, in the event of an attack, to have the ability to respond and recover afterwards.