Enterprise-wide cyber agility for the digital age
Organisations have been strengthening their cyber defences for more than two decades. In spite of their efforts, Gerry Chng, EY Asean Cybersecurity Leader, observes that large organisations are still suffering significant financial and data loss due to attacks on their corporate systems. In fact, the frequency and scale of attacks are increasing. Cyber criminals have been able to prosper because the digital landscape has shifted, explains Mr Chng.
He notes the recent exponential explosion of data, which presents more avenues of attack to hackers since data is accessible by a broader ecosystem of consumers and partners on a multitude of diverse platforms. Cyber criminals are also becoming increasingly sophisticated and are leveraging digital innovations to mount their attacks. Cyber security is not new, but the landscape and the cyber enemy have changed completely.
New vulnerabilities
Many organisations struggle to detect and assess "data loss". In a data breach, the data is not physically missing. Rather, the confidentiality of the data is compromised and part or all of the "lost" data may have been copied.
This makes it hard to ascertain the extent of a breach unless there is complete visibility of all transactions relating to that data. This is even harder in cases where the data is shared with other business partners or customers in the normal course of operations.
Not only is it hard to define "what" could be lost, it is impossible to anticipate all possible attack vectors that an attacker may use. Given the speed at which new technologies and platforms are being invented, new cyber security flaws are constantly emerging, rendering the security systems that are meant to protect data quickly ineffective against the "unknown unknowns".
Perhaps the greatest risk is for organisations to use a cyber security strategy from the past to deal with the cyber risks of the present.
Mr Chng highlights that one of the first steps to beefing up cyber security involves a mindset shift. He says: "One of the key risks organisations face is assuming that cyber security risks are the sole responsibility and ownership of the chief information security officer. This mindset is often seen in established organisations where the IT function may have begun merely as a back-end support service."
He warns against cyber defence initiatives taken in silos based on implementing point products or solutions. He says: "The fight against cyber threats should be an enterprise-wide effort, meaning everyone - including those doing front-end business operations - has a role to play."
New enterprise-wide cyber agility
To this end, companies need to identify risks, assign responsibilities across the company, and implement a clear reporting structure that delivers the right information to the right decision makers. In such a structure, the dedicated cyber security professional plays more of an advisory and supporting role.
As a result, employees will clearly understand their roles and responsibilities within the organisation - a good first step that will instil a "holistic risk culture" in a business.
However, the lack of qualified cyber security talent is real. This is where organisations need a balance of both technology and people in cyber warfare. Mr Chng shares: "Emerging technologies can help organisations augment their resources and security capabilities to better deal with increasingly sophisticated cyber attacks."
Robotic process automation (RPA) is one particular technology that can help by streamlining repetitive and predictable tasks. For example, clients of EY have leveraged RPA technologies to automate the entire user account onboarding process. This frees up valuable manpower, particularly since there is a shortage of cyber security talent in the market.
Artificial intelligence, machine learning, and cyber analytics algorithms can help perform preliminary cyber security triage, such as helping the analyst spot abnormalities in transactions for subsequent investigation and collating related data points for drill-down investigations.
As these new technologies require substantial financial investments, organisations can beef up their capabilities by leveraging Cybersecurity-as-a-Service. These are platform-centric, end-to-end, outcome-based cyber security services that are provided by a professional services organisation like EY. More importantly, companies can work with their advisers to build a strong, holistic risk-aware culture, combined with the right mix of talents and technologies to protect, monitor, and respond to cyber security threats, to confidently grow in today's digital economy.