Securing online data vital to cloud computing & Smart Nation effort (Amended)
- Thio Tse Gan, Cyber Security Leader, Deloitte South-east Asia;
- Viktor Pozgay, Chief Information Security Officer, Avaloq Sourcing Asia Pacific (Singapore) Pte Ltd;
- Lionel Tan, Partner, Technology, Media & Telecommunications, Intellectual Property, Rajah & Tann Singapore LLP; and
- Keng Seng Wei, Managing Director, Technology Services & Information Security Services, DBS
Moderator: Amit Roy Choudhury
Introduction: Huge amounts of data, generated by billions of connected devices - the Internet of Things (IoT) - coupled with cloud computing and big data analytics, are transforming the global economy. Huge amounts of data from diverse sources are being analysed in real time to provide actionable information for different users: the government, financial services, supply chain and logistics, healthcare, manufacturing, all the way to individual users who now have unprecedented information to make their lives better. This new ecosystem is also fuelling Singapore's Smart Nation ambitions. One downside that needs to be considered is that valuable and, in many cases, private data now resides in the cloud, with its attendant security risks and privacy issues. Securing this data from unauthorised access is a vital task. To understand the risks involved and the way forward, The Business Times brought together a group of industry leaders and experts for a roundtable to discuss the issue.
Excerpts from the roundtable:
Amit Roy Choudhury: Data is at the heart of Singapore's push to become a Smart Nation. Most of this data is sitting in the cloud and protecting it is of vital importance. Can you give an overview of the challenges involved?
Thio Tse Gan: The adoption of cloud computing raises challenges in the face of new, and often competing, privacy regulations across various jurisdictions, as well as evolving cyber-security threats. For example, organisations that rely on multiple cloud service providers may have little or no control over the movement of their data through different data centres around the world.
Similarly, it is not always clear whether the data custodian or the third-party service provider is accountable to protect the data, or which sets of data protection laws apply. Moreover, cloud service providers are often reluctant to fully disclose the security measures they use to protect information or how they process the data, which is problematic in light of the proliferation and magnitude of recent privacy breaches, resulting in privacy class action lawsuits and reputational damage for cloud system users.
As a result, it is not surprising that organisations moving to the next generation of outsourced cloud services are concerned about privacy and data protection in the cloud.
Viktor Pozgay: Singapore has made progress in establishing the Smart Nation platform acting as a backbone infrastructure for a hyper-connected environment. This kind of environment, with tens of thousands of sensors, systems and devices creating, transmitting, processing and consuming data, brings unique challenges with it.
The potential attack surface is very large and complex; a compromised sensor or device could lead to infrastructure disruptions or data leakage. Hardware and software components in the environment need to be properly secured and tested, which by itself is a significant challenge. Sensitive data needs to be identified, and data storage, flows and stakeholders' access to data assessed and secured. Data security should be managed from the initial creation through multiple layers of data collection, transfer, storage, aggregation and analysis to the point where it is consumed.
Keng Seng Wei: MAS (Monetary Authority of Singapore) has recently released the revised "guidelines on outsourcing", detailing the main risks of cloud-based services. This is one form of outsourcing that requires strong due diligence and governance. We believe that not all cloud services providers are the same. Some have stronger controls than others. As the data physically resides elsewhere and may not be managed directly, the data's multi-tenancy, co-mingling and sovereignty challenges, as well as the corresponding controls in terms of well-trained people, robust processes and technology controls remain of utmost importance. Organisations that place data in the cloud will need to ensure that their ability to secure the cloud infrastructure is commensurate with the service models offered by the cloud service providers. For example, the cloud service provider may only be responsible for securing the physical and virtualisation security controls. Thus, the organisation will need to be aware of and manage the application, access and data security controls. An organisation's failure to do so will make its data an easy target.
Despite these risks, cloud services can grant enormous opportunities and competitive advantages to organisations. Cloud services can provide agility and elasticity to enable some organisations to flex their computing resources with a utility-based model, for example running the compute nodes in AWS (Amazon Web Services). For other organisations, the cloud may provide more secure, reliable and resilient services than those available in-house. DBS believes that the cloud is a game changer and we are embracing it. We adopted a risk-based approach that leverages AWS cloud services for non-sensitive grid computation of treasury and market financial instruments that require extensive computing power. AWS gives DBS the flexibility to rapidly scale the capacity of our computing grid up or down without having to make provisions for permanent capacity. This has resulted in dramatic cost savings, improved resilience and agility without data confidentiality concerns.
Lionel Tan: The use of cloud computing and storage of data on the cloud is set to increase as it offers the ability to leverage off such technology to enable constant access to the data and processing power, with a reduction in costs. However, with such systems, the risks of data breaches and data theft also increase. While the very established cloud service providers have invested heavily in security infrastructure to reassure their customers that their data will remain secure, the many instances of security breaches show that this continues to be a challenge. Some difficulties in securing the data on the cloud arise from the way the cloud storage is structured, in that the data may not lie in just one jurisdiction or location but may be distributed. This raises the difficulty of providing adequate security systems over various jurisdictions and locations.
Amit: In a digital-information-driven world, cyber-security management is not just the headache of the IT department; it's a board-level issue. Do you think company boards in Singapore are prepared to deal with this issue? What are the things that these boards need to look out for?
Seng Wei: Company boards in Singapore are increasingly aware of and taking active roles in cyber-security issues. Certain industries such as the financial and telecommunication sectors are probably ahead of other industries, which haven't been made sufficiently aware of the need for cyber-security. Unfortunately, sometimes cyber-security issues only capture our attention when real incidents materialise. This is made worse by the increasing rapidity and severity of attacks due to advancements in technology.
To quote Sun Tzu, "If you know the enemy and know yourself, you need not fear the result of a hundred battles". A few simple steps are a good starting point for boards which are just beginning to look at cyber-security:
- Know the critical assets of the organisation and the impact of any attack on them.
- Be aware of the threats targeting these assets.
- Implement adequate controls to protect them.
- Ensure that there is a plan to deal with the worst case scenario.
Financial regulators are placing increasing emphasis on the importance of board members being aware of cyber-security. We believe that this trend will not be limited to the finance industry but will extend to other industries.
Tse Gan: In recent years, we have seen a sharp rise in board-level attention to cyber-security, given the number of organisations that have been badly shaken by cyber-security breaches, and their boards are being held accountable. Boards are now devoting increased attention and resources to responding to cyber-security issues. The board of directors plays a fundamental role in understanding the enterprise-wide risk management issue, including cyber-security risk, and thus plays a pivotal role in confirming that preventative and detective controls are in place.
Overseeing a successful cyber-security programme requires frequent and proactive engagement from the board of directors and audit committee. The audit committee, in its capacity of overseeing risk management activities and monitoring management's policies and procedures, plays a significant strategic role in coordinating cyber risk initiatives and policies and confirming their efficacy. These responsibilities include setting expectations and accountability for management, as well as assessing the adequacy of resources, funding and focus for cyber-security activities. The audit committee chair can be a particularly effective liaison with other groups in enforcing and communicating expectations regarding security and risk mitigation.
Viktor: Organisations nowadays are highly dependent on cyber infrastructure and IT to allow them to do business, increase productivity, speed and flexibility. In my view, company boards in Singapore are becoming increasingly aware of cyber-security and treating it as a risk management issue, especially in regulated industries like financial services, where Avaloq is operating as well. That being said, many company boards still have a long way to go and need to step up their role in managing cyber-security risk.
Boards need to accept responsibility for cyber-security and treat it as an enterprise risk issue. They need to understand and have visibility of the key cyber-security risks that their organisations are facing, as well as the company's preparedness to deal with these risks. The boards need to validate the organisation's cyber-security strategy and set expectations for management regarding cyber-security.
Lionel: It is crucial for the board of directors of any company incorporated in Singapore to be aware of the importance of ensuring that there is comprehensive cyber-security management in place. What used to be merely thought of as something which the IT department would take care of is now a responsibility which the board must undertake. At the moment, I am of the view that most company boards in Singapore have not deemed cyber-security a high priority. Most companies are not adequately prepared to deal with the situation should a significant cyber breach occur, which may result in a loss of confidential information, personal data or even financial amounts. They may not be adequately prepared to deal with the significant damage to the company's reputation, the regulatory investigations that may arise and the legal liabilities to which they may be exposed.
Companies should be alive to evolving threats, such as ransomware and increasingly sophisticated phishing attacks. The boards of companies should empower those responsible within the company to set an adequate budget in order to invest fully in a cyber-security management system that would reflect the size of the company, the type of data they may possess and the risks that they may face from cyber attacks.
Amit: How can a cyber-security strategy be crafted which is not just reactive (that is, reacting to control the damage after the attack occurs) but one that's more proactive in its approach? What is the best method of risk mitigation? While all companies are vulnerable, which are the industry verticals most affected by cyber threats?
Tse Gan: At Deloitte, we observe that most businesses are not doing enough in the battle against cyber crime with many missing critical security protections.
First, do a risk assessment. Understand the threat matrix; identify who the potential perpetrators are and their motivation for targeting your assets based on the specific business risks. Pay attention to security controls, preventive measures and compliance initiatives on high-risk assets. Every organisation is a target, not just those that are perceived to hold valuable corporate intellectual property or customer information, or those with high visibility. You need to have full, real-time awareness of events affecting your IT ecosystems. Maintain a high level of situational awareness about the types of incidents that are occurring and threat trends across geographic and industry sectors.
Lionel: While it is important to have a cyber-security strategy to deal with the aftermath of a cyber attack, it is equally important to adopt a proactive approach to seek to minimise the possibility of a cyber breach. Prevention is better than cure; hence, it behoves companies to invest time and effort to adopt proactive measures to ring-fence their IT systems. There should be a concerted effort to develop and continually refine policies and guidelines to encourage cyber awareness. Sensitive data should also be properly accounted for and separated, to lessen the risk of loss. Most importantly, it is necessary to invest in continuous cyber awareness training for employees.
The industry verticals most affected by cyber threats are those that may be perceived as having vast amounts of data that may be highly useful to criminal organisations while at the same time not seen to be taking cyber threats as a top priority. While the financial institutions are always on the front line of cyber attacks, they have largely invested significantly in systems to prevent such attacks. Hence, the shift to perceived "softer" targets is likely to increase. Such "softer" targets would include the healthcare industry, insurance providers and retail merchants.
Seng Wei: Ironically, the most proactive cyber-security strategy is one that assumes the organisation is actively targeted and may already have been compromised. It is critical to keep abreast of upcoming trends and threats to anticipate the next possible attack and how to respond to it. There is no single "silver bullet" or best risk mitigation method for cyber-security. Some key risk mitigation methods that DBS has found useful are:
- Visibility through active monitoring to watch for anomalies in networks, systems and data access. This helps to detect any potential incidents as early as possible.
- Deep defence with multi-layered security controls. If one layer of technology is compromised, there will be other layers to mitigate the risk.
- Vigilant users are important. Most major cyber attacks start from a simple e-mail containing an attachment or Internet link in a user's mailbox. Making users aware that they should not click on every e-mail attachment and link is crucial.
The industry verticals that are the most commonly targeted, probably because they can generate a huge amount of publicity, cause major disruptions or provide financial gains are: critical infrastructure services (power/energy/water/telecommunications), government, financial services and health care.
Viktor: Approaching cyber-security as a business issue and a business enabler is the foundation for crafting a proactive strategy. Security strategy should be aligned to the overall business strategy; services and solutions should incorporate security solutions from the outset as enablers for the business to be faster, more flexible and able to grow.
Cyber threats and attacks are expanding from traditional targets in financial services, government, e-commerce and retail to industries that are more vulnerable to attacks, and present an easier target with a better return on investment for the attackers. Industries such as healthcare, energy and education are increasingly becoming targets of successful attacks. In the coming years of hyper-connectivity, we can expect a further increase in IoT-related threats and attacks as well as an increased threat to critical infrastructure.
Amit: The government has taken the lead in developing a countrywide cyber defence with the setting up of the Cyber Security Agency of Singapore (CSA). How can companies complement the efforts of the government and ensure that residents here can enjoy the benefits of a digital-information-driven world in a Smart Nation?
Viktor: The latest national cyber-security masterplan relies on a number of key enablers, such as developing human capital, increasing collaboration and industry development. To complement the government's effort, companies should look at promoting security awareness and developing a cyber-security culture in the organisation. Furthermore, the private sector should contribute to the development of security professionals and increasing the skill levels of security professionals in Singapore.
Tse Gan: This new national agency can play a transformative role in improving our nation's ability to effectively address risks and build a level of readiness within the government and marketplace. Companies can complement the government's efforts by collaborating in private-sector partnerships to research, innovate and collectively develop ideas to drive our Smart Nation initiative and also develop a multifaceted approach to cyber-security.
Following the lead of the CSA and supporting government efforts to secure the nation's security is beneficial for every stakeholder. There should also be regular dialogues between the government and private sector during their collaboration to improve and strengthen the foundations of the city's Smart Nation project through a practice of information sharing.
Lionel: The drive towards a Smart Nation is commendable, as an integrated and holistic environment where data can be transmitted, shared and utilised to increase a citizen's well-being and make day-to-day living easier is an ideal objective. However, the increased connectivity and ease of data exchanges leads to the inevitable rise of cyber criminals seeking to exploit the opportunities. Companies have to strike a balance between investing in more integrated systems that leverage off a Smart Nation objective, while at the same time investing sufficiently in measures to protect such integrated systems.
Seng Wei: Everyone needs to do their part. Organisations can help by improving their own security systems so that they do not become easy victims of cyber-security attacks. The CSA has initiatives that work with the nation's critical industries to strengthen defence controls and to share cyber threat intelligence, lessons learnt and best practices regularly. Active sharing of information on attempted attacks and incidents with the CSA will also help the authorities to identify larger patterns and provide advisories to other industries. All these will contribute to Singapore successfully becoming a trusted and secure Smart Nation.
This series is brought to you by Deloitte Singapore
Amendment note: An earlier version of this article incorrectly said that the name of Managing Director, Technology Services & Information Security Services, DBS, is Seng Wei Keng. Deloitte Singapore has since clarified that it is in fact Keng Seng Wei, and the article above has been revised to reflect this.