Challenges smaller businesses are facing while going digital, and the cybersecurity implications when it comes to protecting their customers’ data.

The push for digitalization has been accelerated by COVID-19, and localized businesses such as wet markets and SMEs have been feeling the heat to pivot their businesses online.

As they cope with the impact of the pandemic and prioritize taking their business digital to ready themselves for the new reality, cybersecurity concerns have often been low on their list of priorities.

Establishing an online presence and building digital transaction and digital payment capabilities are important first steps, but cybersecurity as an afterthought can be hazardous for both businesses and customers.

CybersecAsia discussed the issues and implications with Siddharth Deshpande, Director, Security Strategy, Akamai Technologies:


With the rise of the digital economy, from self-employed individuals to SMEs to MNCs, what can businesses do to stay secure online?

Siddharth: Organizations of all sizes need to think about digital security along two main dimensions: securing their internet-facing applications/infrastructure and securing their employee/partner-facing applications/infrastructure.

With digital business models becoming a dominant source of revenue for most organizations, the security and privacy of their critical assets is as important as delivering a great user/customer experience. Any security architectural model chosen, therefore, cannot compromise on performance.

Zero Trust is a framework that companies can employ in their security infrastructure to replace a traditional perimeter-based security infrastructure. It is built around the idea that there is no longer an internal network where anyone or anything can be trusted.

Zero Trust operates on the assumption that every attempt to access information or applications could potentially be a security threat, until proven otherwise with proper authentication and authorization at an application level.

By way of analogy – it is like going from assuming that a key to the front door indicates that anything in the house is fine for you to look at, to locking all individual doors and handing out keys only to people who need them and are authorized to use them, or providing visitors elevator access to only specific floors of a building they are authorized to instead of giving them access to the entire building.

This changes the whole security paradigm because it fundamentally limits the potential upside for an intruder, reduces the enterprise risk surface by design, and makes it easier for the security team to manage remote working scenarios. Deploying these capabilities through a cloud-based, edge-delivered architecture ensures that security posture and user experience can be improved simultaneously.

The core components of Zero Trust frameworks include: secure access of all resources (regardless of location or hosting model), enforcing a strategy of strict access control based on least privilege, and inspecting and logging all traffic for suspicious activity.

What are some key challenges that come with hosting a business online?

Online business implies that critical revenue generating functions are exposed to customers through the public internet. This also means that attackers have more of an opportunity than before to discover and play around with the target environment before launching attacks. Staying ahead of ever-changing attacker behavior is tough enough, but defenders also need to ensure their security protections do not get in the way of revenue generation/customer engagement.

In an era where hundreds of online brands are competing with each other for customers’ screen time, anything that slows down or impedes the customer journey is unacceptable to the business. Therefore, security controls need to be deployed in a way that is as transparent to the user as is possible, while still defending against threats.

Effectively, this means that a regular consumer should not have to interact with a security control unless absolutely necessary and if there is high risk associated with a transaction. Now, this may be different in certain verticals like banking where customers feel reassured by more visible security controls, but for most retail and online commerce activities – transparent security controls are the way to go.

Akamai has been helping online businesses with these challenges for several years through our Intelligent Edge-based security architecture, which helps organizations improve performance and security of their online business simultaneously. This involves integrating key web security controls like web application firewalls (WAF), API security, bot management, DDoS protection, and script protection into the same edge delivery platform that improves performance.

Concerning budgets, what kind or size of cybersecurity investment should a business be making? Is there some formula or calculable consideration a business could use?

It would be unfair to put a specific number on how much an organization should spend on cybersecurity, because they all differ so much in their security maturity and business context.

An organization may spend anywhere from 10% to 40% of their IT budget on security in any given year (or even more), depending on the prevailing internal situation and external threat landscape. In today’s times, we find that organizations are focusing their cybersecurity investments on areas that directly impact business viability and performance.

In 2020, Akamai is seeing cybersecurity investments prioritized in areas that facilitate remote working as well as enable a secure transition from physical to primarily digital business models.

With businesses having to go digital to survive and to thrive, what are some tips and considerations you can share with SMEs to protect their digital business?

Businesses need to focus on what their design principle is for their security architecture. Once that is identified, people, process and technology considerations will follow. Industry frameworks such as Gartner’s Secure Access Service Edge (SASE) framework, or NIST’s Zero Trust Architecture model offer some pointers for security leaders.

For example, one of the design principles articulated by Gartner is that security controls need to be delivered closer to the user, rather than closer to the enterprise datacenter. This also means that security controls are delivered closer to attackers, thereby significantly reducing enterprises’ risk exposure. From a technology standpoint, this means the security architecture should be delivered on a distributed edge network that can scale based on business requirements.

Organizations should also invest in managed security services for their critical security operations. After all, attackers’ methods are not static and keep changing – this requires security teams to supplement their in-house capabilities with specialized 24/7 managed SOC services from their security vendors.

This can help organizations mitigate attacks much more efficiently than doing it all themselves. For example, Akamai’s Managed DDoS protection services recently helped a customer successfully block a massive and abnormally intense DDoS attack and keep their business up and running as per normal.