IT has been more than a year since we first started to work from home. But is it safe to be working from home?
Sophos, a network security specialist company, shared its findings of the second edition of its survey report, The Future of Cybersecurity in Asia Pacific and Japan, in collaboration with Tech Research Asia (TRA).
The study reveals that despite cyberattacks increasing, cybersecurity budgets have remained stagnant and executive teams continue to underestimate the level of damage threats can do to organisations.
We talked to Sophos Malaysia country manager, Wong Joon Hoong.
Q: In the report, it says that Asia Pacific organisations are becoming more mature with cybersecurity, but we continue to be hit by a number of attacks - 56 per cent suffering from a successful attack in 2021 up from 32 per cent from 2019. Does being security matured mean one is safe from successful cyber attacks?
A: We see that cybersecurity in its current form is a known factor – meaning that the market is familiar with the emerging threats and solutions available. For the most part, while there is still some element of "playing catch up" with new threats, new tools patterns, the focus of organisations is on operational excellence through improving culture, education and the optimisation of technology.
In a time of rapid digitisation and remote work initiatives, companies need to move into a continuous improvement approach with their cybersecurity strategy to build resilience against cyberattacks.
Additionally, we find that maturity levels among organisations can be highly subjective unless properly quantified and regularly tested. This is because company self-assessment results can sometimes be influenced by a sense of complacency or over-accomplishment and our data trends to suggest the maturity reality may be a little different.
For instance, in 2019, 51 per cent of companies stated they last reviewed their strategy more than 12 months ago. With maturity capabilities increasing significantly in 2021, our expectation was that companies had moved to a more continuous improvement approach with their cybersecurity strategy. But, this was not the case. While only a small increase of 3 per cent, the 2021 data showed that 54 per cent of all companies had not updated their cybersecurity strategies in the last 12 months.
Q: We were unprepared for the security requirements driven by the sudden need for secure remote working caused by Covid-19. How can organisations manage remote working security situations?
A: Remote working uses a decentralised structure, therefore strong endpoint security is essential. Employees working from home in a less formal environment may be more inclined to let their guard down on the security front and click on links they normally wouldn't in the office. Just one wrong click from an employee may result in serious implications and losses – data, reputation, money – for the business.
Adding to this, many company-issued devices may not have been able to install or enforce software updates, which means an increase in unpatched network devices containing vulnerabilities, exposing organisations to cybersecurity threats.
On the flip side, before devices used for working at home re-enter the corporate network, organisations should implement a quarantine network to isolate these devices. The guest Wi-Fi function of the office network makes this easy to execute, while enabling productivity to continue with the added safety of being able to quickly block or disconnect insecure devices.
Many employees working remotely are using their own devices, not company-issued ones, which creates another security blackspot for companies potentially opening unprotected, or easily penetrated, doors for cyber-criminals to enter the corporate network.
As such, organisations need to strengthen their internal cybersecurity infrastructures to identify and neutralise evasive threats faster. An endpoint detection and response solution that features a Live discovery and response mechanism allows organisations to quickly respond to and resolve any potential cyber issues through one simple panel.
Q: Personal devices and IoT are common tools used to access systems remotely. How far do these devices pose as a threat in a company's general security breach?
A: Using personal devices in the workplace is also known as bring your own device (BYOD). Over the past few years, BYOD programs have increased in popularity as more organizations aim to increase employee mobility.
However, these devices do pose a risk of a company general security breach depending on the type of business the organisation is running. It could lead to data breaches, data privacy breach, malware or virus attack. Moreover, it could possibly create an unauthorised backdoor access to the organisation's network system.
As such, they have little to no protection against these kinds of threats and because they are personal devices, they cannot be monitored nor protected by the organisation.
Q: Skills shortages, cloud migrations and increased threat activities are some of the reasons behind successful security breach, what can organisations do to minimise threats even if the issues remain?
A: Based on data between 2019 and 2021, we see that companies are increasing their reliance on managed service providers this year to alleviate some of the challenges associated with skills shortages, cloud migrations and increased threat activity.
However, it is still important to maintain in-house cybersecurity education and training to employees – this is actually one of the more significant challenges that businesses face.
Also, to help manage, companies should look into exploring more efficient and innovative technology solutions that incorporate automation, machine learning and artificial intelligence.
Q: Education seems to be one of the most common problems for many organisations. Other than continuous training against human errors, does having a strong password policy for employees give any difference in terms of keeping security breaches at bay?
A: Definitely, passwords are an important aspect of computer security - they are the front line of protection for employees in a very wide variety of services and systems. With a strong password, employees are securing their company's confidential data and the resources that they are authorised for.
One of our recommendations that we tell our clients is to adopt pass phrases to deter attacks. Some of the easy ways to remember passwords are not words but phrases or sentences. They can make use of a line from your favourite novel, song, or poem.
The stronger your password, the more resilient and protected your work device will be from hackers and malicious software.
In addition to strong passwords, we highly recommend the use of multi-factor authentication to increase the security, without increasing complexity.
Q: Lead up to 2021, respondents said that overall the top three security threats were Ransomware; Malware; and Phishing. But, leading up to 2023 the expected threats are: Phishing, Malware and Poorly designed/vulnerable supplier systems. As Phishing remains a threat, what are some of the things organisations/government/authority can do to help manage it?
A: The purpose of phishing is to collect sensitive information with the intention of
using it to gain access to otherwise protected data or networks. A phisher's success is contingent upon establishing trust with its victims. Hackers often research and examine the company's website and social media network, and even its employees' social media channels to learn more about their target before striking. This information will help make the phishing emails look more genuine or authentic to the user.
Some of the reasons that employees fall prey to phishing attacks is because of inadequate security training or a lack of security policies set by the employer.
Again, by providing regular security awareness training to employees in educating them on the tell-tale signs of phishing emails or links, a business can drastically reduce its exposure to these attacks and the subsequent risk.
Businesses can also conduct regular penetration testing. Organisations should have their internal security staff, or enlist the services of a managed security services provider, to conduct tests aimed specifically at social engineering techniques such as phishing.
Establish clear guidelines and protocols when it comes to internal processes to make sure these are not easily exploitable exposing confidential client information or financial statements.
Q: In the report it says 54 per cent of companies in Malaysia struggle to recruit people with the necessary cybersecurity skills. What can these companies do to minimise the cybersecurity risks without having to spend unnecessary chunks of their budget?
A: Despite increasing investment in cybersecurity technology, the job for IT teams across the globe isn't getting any easier.
Rather than continuing further with the same approach to cybersecurity, it's time to reconsider technology solutions out there that can help your IT team manage the load.
For example, a lot of companies use managed detection and response (MDR) services to help IT teams detect threats, but often it just notifies your team, it doesn't take action on it.
As it is difficult to find skilled cybersecurity professionals and companies have limited budgets, therefore a managed security service could close this gap.
Sophos Managed Threat Response (MRT) is our fully managed cybersecurity service – so that companies do not necessarily have to recruit, train, and retain cybersecurity talent.
This round-the-clock service can rapidly identify and neutralise sophisticated and complex cyber threats that could otherwise go undetected.
The solution focuses on threat hunting, detecting, responding to, and taking action on the hard stuff, so you don't have to waste time managing the threats yourself. Your team controls how and when potential incidents are escalated, what response actions want to take, and who should be included in communication.
Q: How often does a company/organisation need to test their cybersecurity response plan?
A: We recommend that a cybersecurity audit check and expose your system's vulnerabilities at least annually.
A cybersecurity response plan is important to have in any organisation. This needs to be regularly reviewed and updated. It is best to do this at least once per year and more frequently for larger companies. It should change to reflect current data at all times and service provider arrangements should be kept current so external professionals are available when needed.
Companies with data liability risk should consider running a test of the performance of the response plan team, top management and affected business units in various breach scenarios. This test should be run at least once per year or once every quarter.
Q: What's Sophos' stand on multi-vendors security solution?
A: First and foremost, organisations should not depend on one type of cybersecurity product category for protection – for example, it's not enough to just deploy a firewall. A multi-layered security approach that includes multiple product categories will provide the best protection.
Most organisations prefer a single vendor security solution as managing multiple vendors can get too complex, high cost and time consuming. Single vendor security solution is also reliable and ensures operations run smoothly as it streamlines your processes with a complete solution on a single platform. For example Sophos Synchronized Security is our cybersecurity system providing endpoint, network, mobile, Wi-Fi, email, and encryption products, all sharing information in real time and responding automatically to incidents and everything controlled through the Sophos Central cloud-based security platform.
Multi-vendor security solutions on the other hand require a large IT staff to manage each vendor or product, which is a drag on resources and increases the cost.
Q: Does having multi-vendors help?
A: As every organisation is different, it completely depends on the organisation and its security requirements. In many cases, a single vendor can provide what they need while going with a multi-vendor approach means the organisation can pick niche products.
However, it is important to choose security vendors strategically to ensure their products play well together and that they all integrate with the overall IT infrastructure.
Q: What are the risks associated with vendors and third parties?
A: Supply chain compromise is an issue for all organisations, large and small. We're all targets in someone's supply chain.
Supply chain security is one of the most difficult areas of security to assess.
Many organisations ignore it either because they didn't know where to start or they believed they weren't important enough to be targeted through the compromise of a trusted partner.
There are two primary methods of addressing these concerns. One is to attempt to assess the security of your suppliers and business partners; the other is to identify high risk interactions and implement compensating controls.
Q: Every industry has its own sets of risks and many threats are tailored to specific industries. Does Sophos have any data which industry landscape cyber criminals 'like'?
A: Our annual report, The State of Ransomware 2021 is a survey report aimed to deliver fresh new insights into the experiences of mid-sized organisations from a wide range of sectors across the globe. It explores the prevalence of ransomware attacks, as well as the impact of those attacks on victims, including year-on-year trends. It surveyed 5,400 IT decision makers across 30 countries including Malaysia.
It was found that 37 per cent of respondents' organisations were hit by ransomware last year. Although this is a significant drop from last year when 51 per cent said they'd been hit, we can see ransomware remains a major threat and attack levels vary across the globe. 54 per cent that were hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data in their most significant attack.
India topped the list with 68 per cent of respondents reporting that they were hit by ransomware last year. While the ransomware actors that make the headlines are often out of Chinese, North Korea, Russia, and other former Eastern Bloc countries, SophosLabs sees high levels of domestic ransomware in India, i.e. Indian adversaries attacking Indian companies.
The US is a very popular target with cybercriminals due to the perceived potential to demand high ransom payments and just over half – 51 per cent – of US respondents report being hit last year.
Poland, Colombia, Nigeria, South Africa, and Mexico report some of the lowest levels of attack, which is likely a result of lower GDP and therefore lower ransom potential for the attackers.
Japan stands out as a developed economy with very low levels of ransomware – just 15 per cent of respondents reported being hit by ransomware last year. Japan traditionally reports very low ransomware levels in our annual surveys. It may be that Japanese organisations have invested heavily in anti-ransomware defenses, or that the unique nature of the Japanese language makes it a more challenging target for adversaries.