Security in the enterprise, a human or tech problem?

Cybersecurity is a leading priority for CIOs in Singapore, as businesses grapple with protecting the enterprise while innovating at speed.

But where should security priorities lie? In educating the workforce to reduce risk or bolstering defences with the latest technologies?

Toward pervasive and continuous security

Purushothama Shenoy (Puru), CTO of IBM Singapore, believes the greatest security challenges affecting enterprise businesses include the ability to optimise on intelligence, speed and accuracy in relation to prevention, detection and response. This is in part because increasing compliance mandates make cybersecurity even more complex. But also because good security talent is scarce.

He advises C-level executives to establish “pervasive and continuous security” procedures, alongside leveraging artificial intelligence to improve detection and response capabilities and simplifying user experience to enhance security controls.

“Security leaders must consider cognitive technologies to augment the skills and resource availability issues,” said Puru. “Now is the time to move towards frictionless and password-less authentication technologies to simplify user experience, as well as managing data and encryption consistently through hybrid cloud transformation.”

Weak spots

In assessing the security posture of an enterprise organisation, Chin Kiat Chim (CK), global CISO of Dyson, notes that traditionally, the focus of network security has been on prevention, through the deployment of firewalls and anti-virus software, for example.

“The process was similar to setting up a frontier with the aim of stopping bad guys outside of the perimeter infiltrating the internal network and stealing the crown jewels,” says CK, who joined Dyson in July 2019. “Most of these technologies are designed to prevent cyber threats based on known patterns and signatures.”

However, unlike most physical targets, which are stationary, digital targets are “wily and dynamic,” CK says. They stealthily take advantage of poor cyber hygiene and human errors to infiltrate a whole network, infect computers and even steal confidential data.

As malware becomes more sophisticated and distributed across the world, traditional security approaches deployed by enterprise organisations are becoming less effective, CK says.

Matthias Yeo, president of ISC2 Singapore Chapter, argues that employee negligence is not always the factor that leads to weak spots in enterprise security.

“Many sophisticated attacks do not necessary link to a human mistake, such as phishing,” he cautioned. “The main weak spot in my opinion is the ability to understand what has gone wrong, or what is needed to be fixed. That means visibility into an enterprise network.”

“Technology should not fail in this day and age. While we talk a lot about business continuity plans that focus on fall backs in case of a technology fail, it should remain as a last resort.”

Evolving cyber threats

Evan Dumas, regional director of Southeast Asia at Check Point Software, thinks that today the market is experiencing a “fifth generation” of cyber attacks — attacks that are proving more “evasive, targeted and dangerous” for Singaporean organisations.

“Security deployed by businesses is at a very concerning inflection point because most infrastructures are only at the second or third generation of security,” he says. “Simply put, business security is lagging behind and ill-equipped to protect against the level of attacks being launched today. This is an alarming problem that must first be recognised and then resolved.”

These attacks are multi-dimensional, multi-vector and polymorphic and Dumas says that IT operations today require an innovative and holistic approach to assessing and designing their security toward an integrated and unified security infrastructure that prevents attacks in real-time.

This approach renders irrelevant the traditional check box method of building a security infrastructure, where a specific security technology is deployed to defend against a specific type of attack or to protect a specific type of application.

Multi-layered approach

CK explains that enterprise security is dependent on multiple layers of defence to ensure adequate protection These layers consist of identifying, preventing, detecting, responding and recovering.

CK advises organizations to avoid spending too much money or effort on one single layer and instead to spread the focus into detection and response so that attacks can dealt with quickly and the damage can be minimized.

“It’s also important to not forget business continuity management, which is crucial in ensuring that during the worst-case situation, mission-critical business processes are still up and running even when the organisation is in the middle of cyber attack,” he says.

Echoing CK’s observations, Yeo notes that the security posture of an organisation continues to be “constantly challenged” on a daily basis, due to the emergence of new technologies and new business models.

Organizations can quickly become overwhelmed by the deployment of multiple security solutions. In order to be effective, Yeo says, security tools must align with the organisation’s behaviour and culture.

Speaking as a global security leader, CK acknowledges that the industry today is “crammed with too many security vendors and products,” with most failing to address organizations’ pain points.

“There are too many overlaps in term of solutions and features,” he says. “Buying individual products from these vendors without knowing how to integrate them effectively does not help an organisation enhance cyber defence capabilities.”

CK also warns that an increase in technology investment “does not always guarantee” increased protection. Frequently, organisations will buy individual solutions to tick the regulatory compliance box, but without a strategy to optimise their use.

“Cyber security is not just about compliance, but more importantly, the ‘defence’ capability to secure an organisation from a cyber attack. Technology investment alone is not enough, the process and people also play a key part in bolstering the overall security posture of a business.”

Easy targets

In switching the cyber conversation to users, Viktor Pozgay, former CISO of financial software company Avaloq, cautions that “it is easy to blame” humans as the weakest link or least secure aspect of an enterprise, but that’s not always the correct assumption to make.

“Leaders in charge of information security have to realise that a) humans are never going to be perfect and that people will make mistakes; and b) the human aspect is much wider than a person clicking on a malicious link,” he says.

Pozgay thinks that good leaders manage risks by achieving a balance between people, processes, technology and investments.

Specific to the human element of security, the former CISO said best practice extends to the skills required to implement and manage technology and processes as well as the culture of the organisation and its ability to “push through” objectives related to security. CISOs can have the best security strategies and plans, but those will go nowhere if they are not able to persuade stakeholders and business leaders.

Pozgay believes that security awareness and education must be “tailored, more interactive and practiced” at all levels of the company.

“You need a mix of senior leader briefings, team and context specific security awareness and practicing through interactive and realistic scenarios – from phishing to an incident response exercise,” he says. “Most importantly, security awareness requires leadership across the board — senior managers and leaders in the company need to step up and help communicate the importance of security and risk awareness.”

Culture change at the core

Despite accepting that both technology and human elements have flaws, Carolyn Chin-Parry (who was recently named Woman of the Year at the Women in IT Asia Awards)  argues that humans are more challenging to manage and control from a security perspective.

This is partly because employees have different levels of maturity when it comes to security. However, protecting the organisation shouldn’t be just the IT department’s job but a common effort from all employees. But Chin-Parry acknowledges that mindset and attitudes are “sometimes difficult to change.”

“Training programmes may increase awareness, but it needs to lead to improved behaviours and workplace practices,” she says. “Cultural change needs to occur where cyber risk is regularly considered, and employees feel ‘safe’ to check-in with IT whenever something looks potentially dangerous.”

To achieve this, Chin-Parry says that organisations need to set up processes and praise those employees who take steps to protect the business, without the fear of being chastised if it is a falsa alarm.

Steven Sim, vice president of ISACA, an international professional association focused on IT governance, says that despite arguments on both sides, the human element continues to be the least secure and controlled aspect of enterprise security.

“If we look at most of the breaches out there, they almost always begin with a phishing attack for the very reason that humans are the weakest link in the entire cyber kill chain,” he says. “The majority of cloud hosting breaches were also due to misconfigurations which could have been easily prevented if due care was exercised. Shadow IT is also a sticky problem because you cannot control what you don’t know.”

Back-door access

Attackers increasingly targeting individual users to gain access to the network. Pozgay notes that a great number of incidents start with a user visiting a malicious website or opening an infected attachment.

“What we see in terms of trends is that the sophistication and targeting of specific users is increasing – think phishing emails are more tailored to a specific person or function, more relevant to the context of the targeted user,” Pozgay says.

But Pozgay says there is “no silver bullet answer” for how much security control a business can exert without compromising user privacy.

The level of control will depend on the laws and regulations the company is operating in as well as the nature of the business – and those controls should be aimed at protecting and safeguarding the employees.

As guiding principles, he adds, controls should be commensurate to the risks or exposures that a company faces, and, in general, they should come with disclosure to employees.

Within the boundaries of employment, Sim says a company’s acceptable use policies could include having the employees’ activities monitored. Furthermore, behavioural analytics can also be used to detect anomalies without revealing sensitive private details.

Ultimately, as the threat landscape becomes more sophisticated, more emphasis will need to be put on the detection, response and recovery phases, Sim says, since it is not a matter of if an incident will occur but when.