What are the major cybersecurity challenges you see for the public sector?
In all businesses, a balance has to be struck between what the business needs, how much risk it can afford and the budget. The security budget globally is around 5% of IT budgets. Five percent is not a small amount. If directed properly it could be used to make the organisation reasonably secure.
A CIO in the private sector might get overly excited by the new, cool security start-up that they met last month at a convention and then spend money buying their product, without analysing if it works for them.
With governments, the problem is the opposite. They are very conservative. They want stable, reliable solutions, from big established names. That makes them buy legacy products, such as anti-virus and firewalls, which might no longer be relevant and which drain dollars from that 5% IT security budget towards ineffective, out-of-date solutions.
Governments are relatively slow in responding and embracing new technology. They are often not pro-active. If one division gets targeted by ransomware today, tomorrow all the security dollars will go towards ransomware. You can bet that tomorrow the threat won’t be ransomware. By the time you deploy sandboxing technology to protect yourself from ransomware, you have to deal with something else.
Governments need to start thinking ahead of time and focus on not just patching the problems of today, but look to where we are going and prepare for those challenges.
Where are the threats coming from?
The problems are coming from inside, not outside. Insider threats are a daunting challenge.
It is not just malicious insiders. It could be insiders who just want to do the right thing for the company.
Say a nurse needs to have the patient data on-hand as she goes for rounds with the doctors. She just puts the data on an unsecured USB drive. You ban USB drives, she creates a Google Drive account. She is putting patient data at risk.
You need to have a technology that allows this lady to do business but also protects the company and the end-users, ensuring that the data stays safe.
Do you think most nations are considering the risks associated with IoT, when developing their Smart Nation plans?
During the Singapore International Cyber Week, the Prime Minister did not say Smart Nation. He said Secure Smart Nation.
That’s the problem with most other countries. Most countries end up saying something along the lines of, “We are going to embrace Smart Nation. Can you give me some boxes to make it secure?” That is not how it works.
The Singapore approach is a good one. In Singapore, new projects are going to be built with security in mind, which is fantastic.
These days everyone is talking about security-by-design. But what do you do about the systems and the infrastructure you already have in place?
Last month, we released a report on ‘Abandonware’. It is a term commonly used to refer to legacy game software that has been abandoned by the author but is still widely loved and used by the user community.
We have become accustomed to and rely upon various web-connected devices, available whenever and wherever we need them in our personal and professional lives. We expect them to receive the benefits of automatic patching and updating of software, as is done by Apple, Adobe, Microsoft and Google. We have become so used to it that this leads to a sense of complacency and we don't bother to check for vulnerabilities while using "end-of-life'd" software, for which no product support is available.
Here we are using it to refer to the use of software that has come to its end-of-life but, for a variety of reasons, is still in use. We had a case study where around 75,000 users in the IT security field continued to use an abandoned and somewhat obscure plug-in for an abandoned software package, thereby unknowingly and unnecessarily putting themselves at risk.
In your view, what kind of approach should be taken by governments for defending their organisations against cyber-threats?
You might have a hundred pieces of security software, but still not be secure because you do not have access to the big picture. Instead you have thousands of logs. A disjointed view can hinder the ability to detect and defeat advanced security attacks.
We invested to connect the dots and produce a risk-incident scoring system. It will help in prioritising. It will tell you that these are the incidents you need to deal with first.
Having a security process, however robust it might be, cannot make anyone fully secure. We need to figure out what is the most important thing to protect. It is not the devices.
Protecting all devices in any organisation might be a lost battle. What I need to protect is the data. That’s where I should be investing 95% of my IT security budget.
We have to protect data contextually. Suppose you have a legitimate reason to access customer data on a regular basis. But if the security system detects that all the customer details are being sent out in a batch, that should be a red flag. Either you are doing something wrong, maliciously or otherwise, and you need to be stopped, or it is someone pretending to be you.
So, contextual, behavioural analysis is essential, around data, not around people and devices. In the past we protected laptops. Protecting the data is of paramount importance in today’s environment.
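As an added illustration of the contextual, data-centric check the interviewee describes (the "regular access is fine, a batch export of everything is a red flag" case), the following Python sketch is editorial example code, not code from the interview or from any product mentioned in it. It learns a per-user baseline from historical access events (how many customer records a user normally touches per access, and during which hours) and then scores new events against it. The event format, the user names and every log entry are constructed for the example; the thresholds (three standard deviations, a 50-record floor) are assumptions a real deployment would tune.

```python
"""Contextual anomaly scoring around data access (added example, constructed data).

An AccessEvent records one access to customer data. A Baseline summarises how a
given user normally behaves. score_event() returns the reasons an event looks
suspicious, so the same person who legitimately reads a handful of records every
day is flagged when the whole customer table leaves in one batch.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    user: str
    hour: int          # hour of day (0-23) when the access happened
    records: int       # number of customer records read in this access
    destination: str   # "app" = viewed in the application, "export" = written to a file/email


@dataclass(frozen=True)
class Baseline:
    mean_records: float
    stdev_records: float
    active_hours: frozenset


def build_baselines(history):
    """Learn one Baseline per user from historical (assumed benign) events."""
    per_user = defaultdict(list)
    for ev in history:
        per_user[ev.user].append(ev)
    baselines = {}
    for user, evs in per_user.items():
        counts = [ev.records for ev in evs]
        baselines[user] = Baseline(
            mean_records=mean(counts),
            stdev_records=pstdev(counts),            # population stdev; 0.0 for a single event
            active_hours=frozenset(ev.hour for ev in evs),
        )
    return baselines


def score_event(event, baselines, sigma=3.0, min_volume=50):
    """Return a list of reasons the event is suspicious; an empty list means it fits the baseline."""
    reasons = []
    base = baselines.get(event.user)
    if base is None:
        # An identity with no history cannot be judged in context; surface it rather than guess.
        reasons.append("no baseline for user")
        return reasons
    # Volume threshold: mean + sigma*stdev, but never below min_volume so that a
    # low-volume user is not flagged for reading one extra record.
    threshold = max(min_volume, base.mean_records + sigma * base.stdev_records)
    if event.records > threshold:
        reasons.append(f"volume {event.records} exceeds user threshold {threshold:.0f}")
    # Context: the same data leaving the system in bulk is the batch-export red flag.
    if event.destination == "export" and event.records > min_volume:
        reasons.append("bulk export of customer data")
    # Context: activity outside the hours this user has ever worked.
    if event.hour not in base.active_hours:
        reasons.append(f"access at unusual hour {event.hour:02d}:00")
    return reasons


def detect(events, baselines):
    """Return [(event, reasons)] for every event that raised at least one reason."""
    flagged = []
    for ev in events:
        reasons = score_event(ev, baselines)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed history: a support agent ("alice") who reads a few records at a time
# during office hours. This is illustrative data, not a real log.
HISTORY = [
    AccessEvent("alice", 9, 4, "app"),
    AccessEvent("alice", 11, 6, "app"),
    AccessEvent("alice", 14, 5, "app"),
    AccessEvent("alice", 16, 8, "app"),
    AccessEvent("alice", 10, 3, "app"),
]

# Constructed new events: routine use, a batch export, a 3 a.m. access, and an unknown user.
NEW_EVENTS = [
    AccessEvent("alice", 10, 6, "app"),
    AccessEvent("alice", 10, 5000, "export"),
    AccessEvent("alice", 3, 4, "app"),
    AccessEvent("mallory", 10, 2, "app"),
]

if __name__ == "__main__":
    for ev, reasons in detect(NEW_EVENTS, build_baselines(HISTORY)):
        print(ev, "->", "; ".join(reasons))
```

The point of the design is that the decision is attached to the data and its context (how much, where it is going, when) rather than to the device or to a static allow/deny on the person: the routine read by "alice" passes, the identical identity exporting 5,000 records does not, and an identity with no history is surfaced instead of being silently scored as normal.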