Cyber-security is not just an IT problem, it’s a business problem
By Chong Jinn Xiung July 17, 2018
- Scary figures show mounting cyber-attacks as industries become more digitised
- Adoption of AI required to fill the gap of cyber-security professionals
AS MALAYSIA’S economy gears up to go high tech so too has the rise in cyber-crimes. This, however, is a big concern for Malaysian companies going digital as 62% said they fear cyber-attacks and this has hindered digital transformation projects.
“Technology is developing so fast and the democratisation of technology in the form of the Internet has allowed for the rapid rise of digital companies. But the underlying way of doing business has not changed,” said Microsoft Malaysia’s national technology officer Dr Dzahar Mansor during the launch of a study Microsoft did in collaboration with Frost and Sullivan.
Worryingly, CyberSecurity Malaysia found that 80% of Small Medium Enterprises (SME) have not invested in cyber-security due to cost while others are not aware that they need to.
Its chief executive officer Dr Amirudin Abdul Wahab warned that cyber-threats can target any industry. The bigger the organisation, the more likely they are to be attacked as they make for compelling targets.
He found that it was all too common that top executives view cyber-security as an IT problem that needs to be addressed by the IT department. The reality is that these incidents affect the organisations as a whole resulting in economic loss.
CyberSecurity Malaysia found that there were more than 20,000 cyber-security incidents recorded from Jan 2016 to May 2018.
But at the same time, SMEs are not excluded as they make up for this in terms of volume and are typically not well protected.
Microsoft’s Security Intelligence Report backs this observation as it found that hackers tend to target easy marks, i.e. those that are unprotected first, so it is imperative that companies invest in good security to deter them.
As many industries, from smart cities, autonomous vehicles and energy, grow more connected they will be exposed to these threats warned Dzahar.
“The average number of days a cyber-criminal remains undetected in a corporate network is 99 days and that figure is double in Asia,” he noted.
This has a profound impact on businesses as a recent study led by Microsoft and Frost & Sullivan revealed that cyber-security incidents can cost organisations up to US$12.2 billion in losses which is more than 4% of Malaysia’s total Gross Domestic Product of US$296 billion.
Shockingly, more than 53% of organisations in Malaysia have experienced a security breach but only 47% have the mechanisms to conduct a forensic investigation or data breach assessment.
As such, organisations need to assume that they have already been hacked and prepare accordingly.
The problem is that networks are easy to penetrate into and despite setting up plenty of security measures, humans remain the weakest link.
Even if an organisation has complex security solutions in place, the number of solutions doesn’t necessarily mean they are safer. In fact, a more complex system reduces the ability to respond.
Need for security best practices
So, what can be done? Microsoft believes that cyber-security needs to be built by design and the use of AI and machine learning algorithm to help detect intruders sooner before they can do more harm.
Dzahar added that it was essential to embed cyber-security at the very beginning of software development. Before any code is written by developers, the code writers need to be trained in the security development cycle and threat modelling.
“We cannot let our guards down as we need to regularly assess the status of networks and ensure that compliance protocols are being enforced,” he said.
Cyber-security can’t be looked at from a technical standpoint any longer as it needs to be viewed from a holistic perspective that emphasises people, policy, process and technology.
Threats are getting more high tech, hence the traditional approach of erecting firewalls and applying anti-virus security measures is no longer sufficient.
Companies shouldn’t just focus on responding or being preventive but they also need to strengthen their protection and predictive capabilities.
The utilisation of artificial intelligence in cyber-security needs to be taken seriously given that cyber-security is challenging to maintain due to the limited number of talents to address this.
CyberSecurity Malaysia is attempting to address this with its target to train more than 10,000 cyber-security professionals by 2020. It currently has trained close 8,000 though they admit that even the targeted number is not enough hence it is imperative for AI to be adopted to enhance cyber-security in organisations.