Enterprises are strengthening their cybersecurity efforts in reaction to recent cyberthreats, but should we be thinking out of the box?

On 8 May 2019, hackers broke into the Singapore Red Cross’s network and stole the personal data of over 4,200 people, including their names and contact details. On 21 March 2019, the login details of about 50,000 government email addresses were found in illegal databanks. These included email credentials belonging to the Education and Health ministries, and the Singapore Police Force.

Also in March this year, information including names and NRIC numbers of 800,000 blood donors was left exposed on the Internet for a period of nine weeks after the data was mishandled by a vendor of the Health Sciences Authority (HSA).

The list goes on. Today, no organization is immune to cyber-attacks and data breaches. Needless to say, organizations are strengthening their cybersecurity efforts. They are finding ways to prevent attacks and avoid data leaks – putting up firewalls, installing and updating security software, or tightening controlled access to computers, data and networks.

However, in an environment where cyberattacks and data breaches seem inevitable, are these organizations – especially those deemed Critical Information Infrastructure (CIIs) – doing enough by focusing on prevention? Will organizations be prepared to respond quickly, recover and maintain their operations, should they encounter a cybersecurity incident?

Time to tweak the security approach

At a time when cyberattacks and data breaches are not a matter of ‘if’ but ‘when’, how well are organizations – especially in Asia Pacific – prepared to respond quickly, recover and maintain their operations, should they encounter a cybersecurity incident?

According to a spokesman of DXC Technology Asia, part of the Enterprise Services business of Hewlett Packard Enterprise, cybercrime tools are becoming more sophisticated, and enterprises are hard pressed to reduce the increasing gap between their security posture and the widening threat landscape.

Said Abdallah Zabian, General Manager of Security and Analytics Services: “Cybersecurity today can no longer be treated in isolation from the rest of the business; it must be approached with a strategic view. If organizations want to survive and thrive in the digital world, new security architectures must be accompanied by new security technologies and partnerships.”

Cybersecurity is no longer just about responding; it is now also about the speed and ability to remediate. Zabian asserts: “With today’s evolving technology and cybersecurity landscape, the responsibility for improving security starts and finishes in the boardroom. Active defense allows the cybersecurity team to focus on managing cyber risk in accordance with the business’s goals and risk appetite. So, rather than continue in a passive stance, organizations must adopt an ‘active defense’ model: they should assume that they have been breached and start from there.”

Active defense requires organizations to anticipate attacks before they happen, detect alarms to contain attacks, and adopt a tiered approach to protecting critical assets. Engaging and deflecting attackers in real time, by combining threat intelligence and analytics resources within the IT function, is also important. “AI can help governments and enterprises monitor and identify possible threats quicker than humans would on their own. By using AI and analytics, organizations can start looking at correlations that could have been missed, helping them improve their ability to detect unknown threats.”

Protection, detection and response are key

Since active defense is about balancing detection and protection initiatives to avoid the challenges that arise once a cyberthreat response becomes necessary, enterprises need to focus on protection, detection and response.

According to Zabian, an enterprise cyber resilience strategy includes three main components:

  • Adapt existing business and IT systems to next-generation threats
  • Update the cybersecurity governance strategy
  • Create a resilience-conscious culture

In Singapore, nationwide efforts like Singapore’s Cybersecurity Act, which centralize defenses under a common denominator and provide vulnerability remediation, are a nod in the right direction. “Start with the assumption that a cyber incident can and will occur at any point and that enterprises need to be ready to deal with it.”

Training is also key – organizations and governments need to embark on an active campaign to educate employees and citizens to become more cyber aware. “For enterprises to become truly cyber resilient, they must be prepared for the worst to happen – it is no longer about whether a hack will occur, but rather what the likely consequences of a breach might be when it occurs. Protection is important, but organizations must also develop strategies to ensure durable networks and take advantage of the opportunities that digitalization can bring.”

Making the IT landscape cyber resilient requires investments in areas such as infrastructure, design and development of systems, applications and networks. At the same time, organizations must create and foster a resilience-conscious culture, of which security is an essential part. In a more detailed exploration of cyber resilience, Zabian draws a roadmap and shows the finer points of establishing a holistic cybersecurity stance that benefits CIIs and other enterprises alike.