Getting it right in cybersecurity
As more organisations migrate their operations online, the ability to protect their data and systems has climbed to the top of their management team’s to-do list. The need for adequate protection has become even more urgent in recent years as digital attacks on corporate systems become more widespread.
The numbers are alarming. According to a recent report by cybersecurity firm SonicWall, over 10.5 billion malware attacks were blocked in 2018, the most ever recorded to date by the company. There was also a 217 per cent increase in Internet of Things (IoT) attacks last year.
Closer to home, Singapore experienced its largest data breach ever when 1.5 million patients of SingHealth’s specialist outpatient clinics had their personal information stolen in 2018. This included names, National Registration Identity Card numbers, addresses, gender and dates of birth. Meanwhile, more than 46 million mobile subscribers’ data were stolen from the Malaysian Communications and Multimedia Commission and leaked online in 2017.
According to IT networking company Cisco, such cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Common threats include ransomware, which is designed to extort money by blocking access to files or the computer system until the ransom is paid, and malware, which is a type of software designed to gain unauthorised access or to cause damage to a computer.
Cybersecurity has become such an important issue that it is taken into consideration when conducting due diligence in M&A deals today. “As part of the technology due diligence, the security posture has to be looked at when we take over a company in an M&A deal. For example, if you are going to bring a company on board and you think that their security posture is way below corporate standard, then there is quite a lot of investment that has to be put in,” says Neo Eng Hoe, Chief Technology Officer at ComfortDelGro Group.
In light of its importance, cybersecurity is no longer the sole responsibility of a company’s IT department, but must be shared across an organisation’s different functions. In particular, the finance department led by the chief financial officer (CFO) has a critical role to play in identifying and mitigating the risks from cyberattacks.
“I would say that the conversation has been taken a step higher to the whole board, the senior management, and especially the CFO as well. It is a crucial component because when CFOs look at risk, they don’t look at just financial risk anymore, they need to look at it from a more holistic view,” says Edwin Lim, Director, Cyber Professional Services at Singtel.
He adds: “Raising awareness of the need for cybersecurity is another critical issue. Awareness doesn’t stop at the end user or employee level, it has to go all the way up to the board level and senior management, especially the CFO and CEO.”
However, implementing effective cybersecurity measures has become increasingly challenging because of the proliferation of devices and the rapid advance of technology. Devices like the iPad only emerged in 2010, while average broadband speeds have increased five-fold in the last decade, making it possible for companies to conduct more of their business online. This has been facilitated by the rise of services that enable corporates to deploy business-critical applications on Cloud platforms.
While this has allowed for easy online document sharing, and email and data that’s available on any device, it has also significantly increased the number of entry points for hackers looking to gain access to a corporate system. As such, companies will need to ensure that their digital shields are up-to-date as the technological landscape continues to shift.
“We have controls put in place to close off risks, just like how we would close the windows of a house to protect us from the elements. However, today, we need to assess whether these windows remain closed off to evolving cyber threats. This is because many of those controls were put in place years ago and may not have been well-maintained,” explains David Ng, Head, Group Technology Information Security Office at OCBC.
“There are also newer features of these controls that we may not have turned on. This may inadvertently create opportunities for hackers to leverage and put your company at risk.”
Not helping matters is the fact that hackers and the software they use are getting increasingly innovative, making it harder for cybersecurity professionals to keep up.
“What worries me is the technology used to hack is very advanced, and it is improving by the day. I can bet you right now this time, there is a conference going on somewhere that is a hacker symposium. Five guys sitting there, sharing with the folks about how they cracked British Airways, what tool kit they used to crack Sony and where to download the tool kit,” says Lee Kok Keong, Chief Technical Officer, ASEAN, Cisco.
British Airways revealed that the personal and financial information of 380,000 of their passengers had been hacked in 2018, while Sony Pictures had a large number of confidential documents stolen and posted online in 2014.
The weakest link
While having the right technology and processes in place is key to tackling cyber threats, it is often an organisation’s people who cause breaches. To prevent breaches, experts urge employees to comply with basic data security principles like choosing strong passwords or being wary of attachments in email. (See sidebar)
“The weakest link in cybersecurity is not the technology, but people, because it is a psychological game. Hackers are making use of your curiosity and carelessness,” said Mr Lee.
“We tend to think that the hacks are very sophisticated. In reality, one of the most useful hacks is actually a thumb drive. They just need to leave a thumb drive in the meeting room or at the reception. There is going to be a chance that somebody is going to pick it up and say ‘What is this? Maybe I can make use of this’ and stick it in their laptop. That is all it takes.”
TEN CYBER SECURITY TIPS
- Realise that you are an attractive target to hackers. Don’t ever say “It won’t happen to me.”
- Practice good password management. Use a strong mix of characters, and don’t use the same password for multiple sites. Don’t share your password with others, and don’t write it down.
- Never leave your devices unattended. If you need to leave your computer, phone, or tablet for any length of time, lock it up so no one can use it while you’re gone.
- Always be careful when clicking on attachments or links in email. If it’s unexpected or suspicious for any reason, don’t click on it. Double check the URL of the website the link takes you to.
- Sensitive browsing, such as banking or shopping, should only be done on a device that belongs to you, on a network that you trust.
- Back up your data regularly, and make sure your anti-virus software is always up to date.
- Be conscientious about what you plug into your computer. Malware can be spread through infected flash drives, external hard drives, and even smartphones.
- Watch what you’re sharing on social networks. Criminals can befriend you and easily gain access to information that could help them gain access to more valuable data.
- Offline, be wary of social engineering, where someone attempts to gain information from you through manipulation. If someone calls or emails you asking for sensitive information, it’s okay to say no.
- Be sure to monitor your accounts for any suspicious activity. If you see something unfamiliar, it could be a sign that you’ve been compromised.
This article is part of a series in collaboration with CPA Australia to share knowledge on accounting, business and finance issues.