Also, for a long time the concept of defence in depth has been championed. That's okay, but often organisations are only thinking about external threats. We've seen lots of research that says the bad guys are already on your network and some of them are your employees, so if you're only looking outside, you're not seeing the whole problem.
Lastly, in your internal systems you have different types of data that have different levels of value to your company and externally, and which need protecting in different manners. Some attacks will get through regardless of how much training you give your end users, so you need to prioritise what you protect.
Richard Pain: Do you see any examples of best practice elsewhere around the world that could help change this situation in Asia?
Simon Piff: I think the Australian Government has improved cybersecurity for companies very well. As part of their personal privacy regulations, the company director is personally liable for the privacy of the information their company stores. If there is a breach and it's proven that there was negligence, the individual is potentially going to face prison time and a personal fine, so this absolutely makes it a business concern. Also, the upcoming Singapore Cybersecurity Bill is a great starting point, although it would be better if it looked beyond cyber warfare to include cyber crime too.
Richard Pain: What about the upcoming General Data Protection Regulation (GDPR) in Europe?
Simon Piff: I see it as the gold standard for personal data privacy and something that should be considered in some markets in Asia where there are either no existing data privacy regulations, or no laws around cybersecurity incident disclosure.
All governments should create some kind of disclosure law. Here in Singapore, cybersecurity incidents may or may not be shared with the public, and in the case of critical infrastructure that makes sense. However, if you are a publicly traded company, it should be shared, and if your stock price gets hit because you have failed to apply the right measures for security, that means you are not investing in the right place and your profits are a lie in the first place.