Photo - More than 200 invited IT delegates prepare for the 9th Computerworld Malaysia Security Summit.
The ever-changing nature of cyber threats and its effect on businesses were pressing topics at the 2015 Computerworld Malaysia Security Summit held at the InterContinental Kuala Lumpur on 12 March 2015. More than 200 information technology (IT) professionals were kept abreast in an interactive new format which included live polling, of the evolving risks, measures and technology being used in the battle against cyber criminals who were intent on gaining access to organisations' information.
"Technology is a double-edged weapon," stated keynote speaker CyberSecurity Malaysia chief executive officer Dr. Amirudin Abdul Wahab. "While moving forward with trends such as mobility, cloud, big data and bring-your-own-device [BYOD], we also have to be wary of its impact on security."
Cyber threats are targeted at several levels. At the strategic level are acts of aggression and hostile actions taken by the state, organisations and state-sponsored actors, whilst attacks at the operational level are targeted at groups and individuals. Individuals are also being unknowingly exploited to target corporations.
"Evolving cyber threats include cyber crimes in the underground economy which is increasingly financially significant, cyber attacks on critical services and cyber terrorism," said Amirudin. "To stay ahead of cyber threats, entities have to adopt innovative, aggressive and proactive approaches."
"Cyber security is not a technical issue but a business issue. It is an investment, not a cost," continued Amirudin. "Security is an issue that has to be taken seriously at the board level."
"Collaboration is needed to counter cyber threats. "No entity can work alone. It is critical for the private and public sectors to pull together and work as partners to strengthen the ecosystem against such challenges," concluded Amirudin.
Outside the fence
Identifying the weaknesses and strengthening an organisation's ecosystem was vital, noted keynote speaker Ernst & Young partner, Advisory Services, Jason Yuen. "In the battle against cyber crime, most companies spend the majority of their time and resources building a fence around their internal organisation including their data, systems and personnel. This is a starting point, but the perimeter is no longer stable, and a fence no longer possible," he said.
"We live and operate in an ecosystem of digitally connected entities, people and data. Most of today's business is done outside the defensive fence with a broader network which includes clients, customers, business partners, suppliers and vendors," continued Yuen. "Your security strategy has to consider the impact of such inter-connectivity which opens up a whole new playing field of vulnerabilities."
"Even if you have not experienced an attack yet, you should assume that your organisation will be targeted, or that your security has already been breached," warned Yuen. "You just may not be aware of it yet."
Cyber crimes not only hit large organisations but also small businesses, using it to access other parties in its ecosystem. It is not easy to get ahead of cyber crime as there is a disconnection in how security is handled and how attackers look at organisations. "Organisations are traditionally focused on endpoints, network and infrastructure," he said. "However, today's threats look at the underlying data and information. It is not focused on the technology. Attackers exploit vulnerabilities be it through infrastructure, people or processes."
Cyber threat intelligence is a key component to any cyber security blueprint. "It is not enough to just know there are threats. The organisation needs to understand the nature of those threats, how and where these might manifest themselves, and assess what the impact would be," said Yuen. "Incorporating a cyber threat intelligence capability which provides early warning and detection of breaches can help get the organisation ahead of cyber crime."
Cyber crime is big business today with attackers more sophisticated, better organised, well-funded and patient enough to wait for the right moment to pounce. "Organisations have to understand that cyber security is a business issue, not an IT problem. It has to be tied to business decisions as there will be security implications. Security needs to be part of the evaluation of new business ventures and products. It has to be part of the risk assessment process from the start, be it for a product launch, the opening of new offices or expansion into new countries," said Yuen. "Businesses have to be prepared for attacks, and prepared to respond to attacks. Anticipating cyber attacks is the only way to be ahead of cyber criminals."
The evolving blueprint
Sign up for CIO Asia eNewsletters.