Companies in Asia are starting to ask for more advanced cyber security services such as ‘reconnaissance or early kill chain’ services, according to Adura, a specialised cyber security consultancy. Beyond meeting basic compliance requirements, companies in the region are now seeing value in threat intelligence, network A.I. behaviour, and phishing susceptibility services.
Traditional cybersecurity programs are aimed at ensuring compliance, usually through ethical hacking, cyber audits or staff awareness training. However, these rely on older frameworks which are behind the security curve. By the time a framework is approved and auditors are trained, a whole new set of cyber security challenges must be tackled. Hence, companies must approach cyber security with a long-term view beyond compliance.
For example, last year Adura’s Threat Intelligence Services identified and successfully neutralized over 750 high risk Darkweb assets exposures for its clients. These included leaked confidential files, pre-emptive cyber attack intel, VIP and corporate impersonation, harvested staff system credentials, social media exposure, email forensics and security configuration. Conventional cyber security tools and compliance measures would not be enough to capture these exposures as doing so requires skilled personnel and analytical know-how.
“The lack of a strong network of national and regional-level cyber security regulations across Asia is a major gap in the cyber security landscape here,” according to Adura’s Head of Cyber Security Services, Barnaby Grosvenor.
Responding to Networks Asia’s emailed questions, Grosvenor said that while individual countries including China, India, and Singapore have some frameworks and legislation in place, the overall regulatory landscape remains patchy. He note that this lack of a comprehensive legislation across markets, makes it difficult for companies here to identify and apply a clear, robust approach to cyber security within their organization.
“Globally, the world has been focused on the European Union’s General Data Protection Regulation (GDPR) which comes into effect on 25 May 2018. The GDPR places an onerous burden on organizations with regards to reporting on data security and is the most significant legislation in this area in recent years due to its far-reaching extra-territorial impact. As Asia slowly moves towards increasing regulation, it remains to be seen if countries in this region will take a page out of the EU’s book,” said Grosvenor.
Legacy technology a major issue
Grosvenor said that legacy technology is a major issue as the lack of product support and timely upgrades means that organizations can potentially have dozens of vulnerabilities at any given time.
“As past incidences have shown, some organizations do not even apply the security patches that are available in a timely manner. For example, our work in Asia showed that 99 percent of web servers lack at least eight critical security patches due to weak in-house cyber security processes. Organizations cannot afford to be slow in taking these basic steps as the risk of a potential breach is simply too high. Cyber criminals are becoming more sophisticated and organizations in Asia should put together a plan to their IT systems have robust and secure technologies as quickly as possible.”
Grovesnor also said that the traditional perimeter-based cyber security strategy is obsolete. “Perimeter defense focuses on technology i.e. tools and systems that detect intrusions and only allow legitimate business activity to continue within the network. However, this strategy largely ignores People and Processes, two areas that tend to be the weaker links in the security chain. The example shared earlier about security patches not being applied highlights how important it is for organizations to make sure that they have robust cyber security maintenance processes in place.”
Adura’s work with email phishing simulations for clients also shows that cyber security awareness is typically where an organization’s defenses break down, according to Grovesnor. In the phishing simulations, 20 percent of staff opened phishing emails disguised as social media invites or internal organizational messages. Despite receiving training on how to spot phishing emails, finance and HR department members, two departments that manage sensitive employee and business information, were found to be more likely to be misled by phishing emails. Continuous, effective cyber security training and education is, therefore, extremely critical.
Role of AI and machine learning
New technologies such as machine learning, deep learning and artificial intelligence will no doubt help in the fight against cyber crime, according to Grovesnor.
“These technologies can help automate a lot of the repetitive, low value-add tasks that need to be done in order to continuously detect and tackle cyber threats. However, it must be noted that these technologies are available to cyber criminals too and they can just as easily make use of them for their nefarious purposes.
“The best approach to cyber security preparedness is to go back to the three key pillars of People, Process, and Technology, identify any gaps in these areas and then work to continually reduce risk exposure and maintain it at as low a level as possible.”
Simplifying Cyber Security Management
Major incidents over the past year have shown how cyber attackers are getting more sophisticated. Adura helps businesses put structure into their cyber security management approach through its proprietary Cyber Essentials Framework covering the three key pillars needed for effective cyber security management - people, process and technology.
Trends such as bring-your-own-device coupled with highly variable employee awareness of cyber security best practices and shadow IT can open the door for cyber criminals. It is vital to educate employees about cyber threats, lowering their susceptibility to social engineering attacks and email phishing. In phishing simulations run by Adura across its clients, 20 percent of staff opened phishing emails disguised as social media invites or internal organisational messages. Despite receiving training on how to spot phishing emails, finance and HR department members, two departments that manage sensitive employee information, were found to be more likely to be misled by phishing emails. This highlights the importance of continuous and effective employee training on cyber security issues.
Managing cyber security risk requires a well-rounded approach, and Adura works with companies to put in place the right processes and plans depending on customers’ size, industry and business goals. In Adura’s experience, 99 percent of web servers lack at least eight critical security patches because of weaknesses in in-house cyber security processes, leaving businesses exposed to cyber threats. Adura helps customers reduce their risk exposure by identifying vulnerabilities, and prioritizing security updates.
As the technology landscape and cyber security best practices continue to evolve, companies need skilled cyber security personnel on hand at all times to help them assess and manage their risk profile. Adura has found that 20 percent of companies in the region do not have a Chief Information Security Officer (CISO) or sufficient specialist staff. To help ensure companies always have access to the best talent at hand, Adura offers a Virtual Chief Information Security Officer (vCISO) service, that provides the senior-level counsel and insight of a traditional CISO, without the customer needing to hire additional personnel in their IT team.