On the morning of November 4th, OpenGov Asia and its partner Raytheon|Websense held an informative breakfast dialogue in Jakarta. The topic discussed was the growing threat landscape in Indonesia and what agencies are doing to actively combat these threats. More than forty-one delegates from twenty-three Indonesian public sector agencies were represented in this dialogue. Each delegate shared insights from their own experiences with cyber security and how they are forming their own security strategies. The speakers included: Mr. Mohit Sagar, Managing Director and Editor in Chief of OpenGov Asia; Mr. Anurag Madan, Head of IT Digital Services at Ministry of Social Development, New Zealand; Mr. Setiaji, Head of Technical Implementation Unit for Jakarta Smart City; Mr. Mohd Zabri Adil, Senior Specialist / Head of Digital Forensics Department of CyberSecurity Malaysia; and Mr. David Barton, Chief Information Officer for Raytheon|Websense.
The breakfast dialogue began with Mr. Mohit Sagar, Managing Director and Editor in Chief of OpenGov Asia. He opened up the discussion saying, “We are talking about cyber security. With this, we need to look at 10 security challenges which encompass internal and external threats to your organisation.” Mr. David Barton, Chief Information Officer for Raytheon|Websense, spoke on how security solutions can help combat these attacks. He felt that the security community must continue to innovate due to the ever changing cyber threat landscape. This is so they can give organisations the proper tools to defend their network and defeat attackers.
Mr. Setiaji, Head of Technical Implementation Unit for Jakarta Smart City, took the floor to discuss the government’s constant battle with cyber threats and how it is affecting Jakarta’s Smart City vision.Mr. Setiaji highlighted to the delegates, the very magnitude of attacks targeted at government, “Government websites are suffering from many targeted attacks. About 8,800 attacks on government websites occurred in 2014. This accounted for 73% of the total attacks in Indonesia.” Network security, Internal Application Security, IoT security, and False Reports are the minimum requirements to secure these networks. “As we launch Smart City initiatives, we will be using a lot of the devices from the Internet of Things. 70% of the data from these connected devices is hackable,” Mr. Setiaji told the room. The power of IoT is essential to Smart City systems. Devices and applications which operate through IoT need to be secured in order to develop Jakarta as a Smart City.
Mr. Mohd Zabri Adil, Senior Specialist / Head of Digital Forensics Department of Cyber Security Malaysia, talked about the Malaysian experience and how his agency is governing cyber security management. “As a country, Malaysia is number 3 on the Global Cybersecurity Index and Cyber Wellness Profile Report. This is based on cyber security management,” says Mr. Zabri. Cyber Security Malaysia is very sure in their threat protection and they invest 20% of their IT budget towards security. This heavy investment represents their great dedication towards protecting their networks. With these investments, Cybersecurity Malaysia has run various initiatives promoting their mission. Since 2011, Cybersecurity Malaysia customized their Information Security Management System (ISMS) to fit the needs of the National Cybersecurity policy. In 2013, a National Cyber Crisis Exercise was held to simulate the typical threats that would be used by attackers. However, Mr. Zabri worries that is not enough.
Mr. Anurag Madan, Head of IT Digital Services at Ministry of Social Development, New Zealand, discussed the concept of business resilience and initial security integration, as these topics relate to what is happening in Indonesia. Mr. Madan finds that using a business resilience strategy helps agencies deal with data risks in a more holistic manner. This helps organisations respond better and look strong to the public. Mr. Madan considers security as an integral part to ICT infrastructure. “One thing I emphasise in my department, is keeping security in the center of IT design and implementation,” Mr. Madan told the room.
After the speakers finished, OpenGov turned the conversation back out to the audience. It is recognised that each organisation has different security threats they worry most about. OpenGov probed the delegates to find their pain points.When the delegates were asked: “What security threats worries you most?” 36% of delegates responded with Data and Identity Thefts, 22% responded with Advanced and Targeted Cyber Attacks, and 22% responded with Employee Negligence.These responses are more distributed compared to Singapore. When the same question was asked to our Singapore audience, 50% of delegates responded with Advanced and Targeted Cyber Attacks and 28% responded with Data and Identify Thefts.
These numbers show that Singaporean agencies are worried more about Advanced and Targeted Cyber Attacks, than their Indonesian counterparts. This can be due to many of the Indonesian delegates (61%) feeling that their greatest threats originate from within their organisations. This is shocking. Data travels a lot within a network and it can be very easy for a skilled attacker to gain access. This is why organisations must have the proper mechanisms in place to ensure their network is protected, even from internal threats and accidents. To calm these fears, each organisation must put certain standards in place and keep people educated about threats.
Knowing how your security architecture behaves and reacts to threats is crucial. When delegates were asked: “What do you think is the biggest challenge in your security architecture?” 71% of delegates responded with Lack of Data awareness and Visibility and 22% responded with Lack of Collaboration between various Security Products.It is clear that some of the delegates do not have the personal data investment for security. They are also still dealing with how to manage the data and how it behaves.
One delegate exclaimed, “We have around 1 to 2% of our IT budget allocated to security and this will never be sufficient to effectively protect our system.” Another delegate told us that their department has less than 0.2% allocated to security. With respect to his projects, Mr. Setiaji said, “Our concern is that we have all of the data integrated into Jakarta Smart City and it must be protected.”
Lack of data awareness and visibility is a concern, globally. As for Lack of Collaboration between various Security Products, there are key if components are not interacting with each other, it affects the whole system. Mrs. Sri Hartati, Head of Central Financial (Information System & Technology), Ministry of Finance stated, “I never think about the budget because there is no common practice for how much to spend on security. In our office, we have specific targets to meet when it comes to security. We put it in our key performance indicators set for the year to measure our success.” To that, Mr. Zabri suggested to her, “Now, the next stage is to do testing, making these statistics measurable. So then, management can see your performance based on KPIs and invest more in security.” This emphasises the need for organisations to start with strategising from assessing business priorities. This will help them better realise where to invest their IT security budget in.
If sensitive or classified information were to leak out due to internal or external attacks, it could devastate the organisation. Data Loss Prevention is a great asset to organisations as they often hold highly sensitive information. This is why it is all the more important to have strong security measures in place. The poll results show that when delegates were asked: “Which of the following security measures do you think is most important to you?” 59% of delegates responded with Data Protection and Data Loss Prevention (DLP) and 29% responded with Insight and Real-Time Protection against Security Threats.
When the same question was asked to our Singapore audience, 38% of delegates responded with Data Protection and Data Loss Prevention and 44% responded with Insight and Real Time Protection against Security Threats. These numbers show that the delegates of Indonesia are more concerned with Data Protection and Data Loss Prevention than the Singapore audience. From this, we can see that DLP is an area of higher value to the Indonesian audience.
To this, Mr. Sagar asked the delegates, “How do we go about changing the mindset in people who do not realise the risk of not having these security measures in place?”Mr. Iwan Djuniardi, Director Transformation Technology, Communication and Information, Directorate of General Tax / Ministry of Finance responded, “We must justify where we spend on solutions and how we advocate security. This will help us change this mindset.” Mrs. Sri Hartatisaid, “For this, we have a Ministry of Finance Security mandate for security and we have an inspector general in our ministry to make sure that employees comply with our security policies. Our policies span across the whole employee chain. There are also formal communications held on these topics.” Internally, organisations should have strict rules on how to secure the data in their network. This is to help to protect their reputation. This is why DLP security should be of utmost importance to these organisations.
When asked to rate their own protection abilities, delegates were very responsive. To this, a question was raised, “How do you rate your ability to protect IT infrastructure against security threats?” to this, 47% of delegates answered ‘Needs Improvement’, 25% answered ‘Average’, 22% answered ‘Good’, and 6% answered ‘Do Not Know’. The delegates had various reasons to explain how they ensure security to their IT infrastructure. Mr. Bisyron Wahyudi, Vice Chairman for Data Center, Application & Database Department, Indonesia Security Incident Response Team on Internet Infrastructure (Id-SIRTII) said that in his organisation, “We do an evaluation of our security to assess our greater needs. This is a full assessment which includes integration testing.” Mr. Raditio Ghifiardi, Assistant Vice President of IT Infrastructure Group, PT Bank Mandiri (Persero) TBK, said,“[My organisation] does continuous improvement. Yet, we still worry as our customers may not understand security. For this, we improve our policy and spreading of awareness.”
Cyber terrorists are always watching targets and waiting for vulnerabilities. This idea can be frightening. “Today, I could be sitting in my house or on a boat and breaking into your biggest asset. If this attack is not protected, you would be considered the criminal for not taking on DLP measures. If you are not protecting your data, you are not protecting your employees and users,” Mr. Sagar exclaimed.
Cyber-attacks are not going away anytime soon, or any day for that matter. Public Sector agencies must invest in the best solutions to protect their networks from the attacks stemming from the growing threat landscape. Also, security has to integrate within the ICT infrastructure design because it helps organisations readily embrace protection. It all starts with what has been implemented in the beginning of the process. A robust framework must be in place to initiate strong and stable security measures throughout an organisation.