2017 should be an opportunity for organisations to instigate a regular program of security risk assessments to stay ahead in cybersecurity. New technologies and ever-increasing levels of connectivity are transforming businesses and unlocking business development opportunities across the region.
What are Gartner predictions for Asia-Pacific in 2017?
Industrial control systems (ICS) are an integral part of any business, especially in Asia-Pacific. These include building management systems, heating ventilation and air conditioning (HVAC), and security doors, just to name a few.
Most businesses outsource their building management requirements so they don’t necessarily know whether the third-party provider has adequate security in place. It’s not impossible for a malicious actor to execute an attack that could cause significant damage.
Things to consider:
- When you think about it, nearly all businesses could be at risk of an attack like this. Business leaders have to consider security beyond the basic steps of protection. Organisations need to gain an overarching view of their potential weak spots through third parties as well as their own network. Additionally, they need to put a plan in place that would help counter any potential attacks.
- Have you checked what non-IT equipment your business depends on and what security they have enabled? Are they connected to the internet, managed by a third party?
- When outsourcing to a third party, what level of security assurance do they have in place? Are they able to provide information to you on how they secure themselves and, ultimately, how they secure and manage your network and systems?
IOT devices will be a target for cybercrime
Market research firm Gartner predicts that the number of connected ‘things’ will rise from 6.5 billion in 2015 to almost 21 billion by 2020. Anything that you connect into your computer or network is a potential risk.
The types of devices range from CCTV cameras to tiny sensors attached to complex machinery, and they may not always be top of mind for security professionals. But if they are connected to the internet or managed by a third party, then they could put the business at risk.
Things to consider:
- It is important to understand that the IoT is not a possibility or a project of the future – it is a current reality. Make a point to ask suppliers involved in security assurance how they can assure the security of the devices they provide. As we have seen many times, there may be no security, or the devices could be using some default username or password. These should be changed from the moment they are on your network.
- Any devices using factory settings for security are simply asking to be compromised. IT managers must change those standard administrator passwords to avoid being targeted.
- These devices should also be regularly checked to see if they adhere to the company’s security policy.
We may see a ransomware vortex with a nasty surprise
Ransomware involves attackers locking up a business’s data and demanding a ransom for its release. If you thought 2016 was bad for ransomware – where attackers access data and ransom it back to the victim – then 2017 will be worse. We can expect to see a higher attack volume, using more sophisticated technologies.
If the discovery of Locky ransomware was anything to go by, financial malware will continue on an upward trajectory in 2017.
Things to consider:
- If you have fewer than 72 hours to respond, do you have a comprehensive backup strategy and response ready to counter these attacks?
- When was the last time you tested and verified the backup?
- Have you applied basic file blocking to prevent threats from entering your organisation? Certain file types can be a risk to your organisation. Ask yourself, “Should we allow all files or should we manage the risk by not allowing malicious files types that may cause an issue?”
We will have serious data trust issues
People will continue to be too trusting or fooled into thinking something is safe when it really isn’t. For example, confidential data can be exposed, or made available, that looks like it comes from an organisation, when it was actually planted by a malicious party. Either way, there’s a business reputational risk and a monetary price to pay.
For years, information security professionals have been focused on a model known as the CIA triad, which looks at Confidentiality, Integrity and Availability and is designed to guide policies for information security within an organisation.
Many organisations have long looked at confidentiality as a means to protect their data from theft or availability as a means to ensure they can access their data or systems, but how much time has been spent focusing on the integrity of the data or systems?
Imagine a data project, years in the making, where the data an organisation has been collecting and analysing is corrupted. For example, a resource company that has invested heavily in research and development is prospecting for the next drill site where they collect petabytes of data, but an attacker manipulates the information, rendering it worthless.
If the integrity of the data is manipulated, where a few bits of information are changed, the company might drill in the wrong spot, wasting time and money and potentially creating an environmental disaster. This could cause companies to make incorrect decisions with significant ramifications.
The same could be said about cases where systems have been wiped after an attack, removing all traces that it happened.
So What Can Be Done?
Firstly, any business should welcome these changes as they are a way to further digitise services and enhance our way of life. But with any move to further digitising services that we offer or are offered to us, we need to ensure that the data is protected.
Verification should be at the centre of all platforms, at every stage of development, and at the core of every provider-customer relationship. Its integrity must be protected from being modified by unauthorised parties.
Data must only be made available to authorised parties to access the information when needed.
What you need to consider:
- Businesses need to look at two key things: where their sensitive data resides and what data is critical to the business to operate. Somewhat surprisingly, many organisations struggle to answer this question. This can lead to misappropriation of resources in the form of security controls being used broadly across the entire organisation, rather than being targeted to where they’re needed most. This then results in increased cost to acquire and use security measures.
- Who amongst our employees has access to our sensitive data? Simply knowing who has access to documents or big data stores stops short of understanding to what they have access.
- A key way to reduce risk to sensitive information is to also understand how the data is protected. Is there protection in place, and does it meet the right level to mitigate risk for something that could be mission-critical to a business?