In the new world of millions of connected devices, security is moving to the top of the agenda for many businesses. By Nareerat Wiriyapong in San Diego
Asia Pacific is making great strides in digital transformation. High-speed communication and connected devices have opened up new horizons for businesses, while also allowing many employees to work remotely with flexibility and, in most cases, higher efficiency.
While that has opened up greater avenues for growth and development, it also provides more opportunities for threats to affect businesses and individuals. As well, attackers are getting increasingly sophisticated and are employing cutting-edge techniques to breach organisations.
As the Internet of Things (IoT) era takes hold, cyberattacks are taking place on an unprecedented scale, yet cybersecurity measures are still often reactive responses instead of cornerstones of a sound digital infrastructure. To put this into perspective, in Asia Pacific, the average company receives six threats every minute but only half of those alerts get investigated.
"Security is an ongoing concern, with 20 billion security threats daily, which breaks down to one every 39 seconds," said Chuck Robbins, CEO of Cisco Systems Inc, the US-based technology conglomerate.
"Privacy, which we believe is a basic human right, is another topic that people care about," he said at Cisco Live San Diego 2019.
"We want to be number one in [dealing with] every single major threat factor that our customers face," says John Maynard, vice-president of global security sales at Cisco Supplied/Cisco
Cyberattacks are having far-reaching ramifications that include financial and reputation losses to companies. According to Cisco's 2018 Asia Pacific Security Capabilities Benchmark Study, 51% of all cyberattacks in Southeast Asia resulted in a loss of more than US$1 million. Nearly 10% of respondents said cyberattacks cost them more than $1 million with 33% indicating that security breaches can cost them anywhere between $1 million and $5 million.
Conducted by an independent third party, the study was based on responses from over 2,000 respondents in 11 countries: China, Korea, Japan in North Asia; the Southeast Asian nations of Singapore, Thailand, Malaysia, Indonesia, Vietnam and the Philippines, as well as Australia and India.
"The form of cyberattacks is also changing," it said. "Attackers are now not just targeting IT infrastructure, but are now also targeting operational technologies (OT) that impact the day-to-day functioning and running of a business."
In addition to financial losses, cybersecurity incidents are also undermining organisations' ability to win the confidence of consumers and other stakeholders, with 72% saying greater privacy concerns from their customers are adding more time to the sales cycle, added the report.
"When we talk about IoT, security is top of mind for our customers," said Vikas Butaney, vice-president of IoT product management at Cisco Systems.
In the current industrial environment where robots on factory floors are commonplace, companies have to step up measures to ensure that their networks are protected.
"If there is one device infected with malware, your entire network will get infected," Mr Butaney told a group of Asian journalists on the sidelines of the Cisco event.
Unwanted email is a major source of annoyance for most of us. It is also the biggest source of cyber threats. According to Enterprise Strategy Group (ESG), an IT research specialist, email remains a primary source of communication and collaboration for businesses and a primary target for a security breach.
"Companies are increasing the urgency level with which they view email security. Organisatons are vulnerable, and the stakes are high," said the report.
It cited the Data Breach Investigations Report (DBIR) compiled by the US wireless carrier Verizon, which said 98% of incidents and 93% of breaches involved phishing and pretexting scams.
Steve Martino, Cisco's senior vice-president and chief information security officer, said spam accounted for 85% of all email sent last month. Citing the 2018 DBIR, he said email was the number one vector for both malware distribution (92.4%) and phishing (96%).
"When we talk about IoT, security is top of mind for our customers," says Vikas Butaney, vice-president of IoT product management at Cisco. Supplied/Cisco Systems
"Attackers know that, unfortunately, this channel just works," he pointed out. "Because email forces the user to stop and at least scan every message they receive, it presents the perfect opportunity to serve up malicious links and file attachments that people in a hurry sometimes mistakenly click on.
"Phishing and social engineering have gotten so sophisticated that it can be hard for even cyber-savvy users to discern the legitimate from the malicious.
"Our most recent CISO Benchmark Study showed that 56% of CISOs (chief information security officers) we surveyed felt that defending against the user behaviour of clicking a malicious link in an email is very or extremely challenging. This ranks higher than any other security concern surveyed -- higher than data in the public cloud, and even higher than mobile device use," added Mr Martino.
In a separate Cisco survey commissioned last year, 70% of respondents reported that protecting against email threats is becoming more difficult. Discussing the consequences of email-borne attacks, 75% of respondents said they experienced significant operational impacts, and 47% reported significant financial impacts.
"The picture is grim, and sadly, the numbers are trending up," said Mr Martino. Overall volume of spam email is currently at a 15-month high, according to Talos Intelligence data, and the number of new phishing domains showed a 64% increase from January through March 2019, indicating that attackers could be gearing up for more phishing attacks.
As has long been the case, Mr Martino said a layered approach to security is critical in defending an organisation from email-borne attacks. He recommends the following preventive steps:
Run regular phishing exercises to teach employees how to recognise even highly tailored and sophisticated phishing attempts and report them;
Use multi-factor authentication to prevent attackers from gaining access to accounts;
Keep software up to date -- email gateways, apps, operating systems, browsers, plug-ins; make time to patch;
Never wire money to a stranger. Set up strict policies that require high-ranking authorisation of wire transfers; have a designated secondary signature requirement;
Stop and think: Does the message in the email sound technically plausible? Does the pitch make sense? Are there holes in the sender's story?
Users: check the sender's email address against the message signatory. Do they match? If not, don't touch it.
"At Cisco, we practise all of them regularly as part of our foundational and extensive security efforts -- and it has paid off through significant declines in email-based compromises of our network," Mr Martino noted.
BIGGER THREATS, HIGHER INCOME
Nowadays, more and more employees are working outside of the central office -- and often outside its protection. Securing remote workers and locations requires a fundamentally different approach.
According to a recent survey of 450 cybersecurity experts by ESG, 88% of organisations have five-plus remote offices and 40% of today's workers are roaming users. The workforce has never been more distributed -- or more at risk.
Around 78% of respondents believe roaming or remote users are most vulnerable to attack while 66% have experienced a targeted attack.
"Most organisations are still using traditional methods to protect roaming and branch users, but they just can't keep up with today's needs and expectations," said the report.
"Today's users work everywhere, which means you need to protect everywhere. More and more organisations are looking for different solutions such as cloud-deployed and consolidated."
John Maynard, Cisco's vice-president of global security sales, said that in the past security was pretty much an issue for individuals but now it has become a challenge for businesses with higher complexity.
Users clicking a malicious link in an email ranks higher than any other security concern among chief information security officers (CISO), says Steve Martino, senior vice-president and CISO for Cisco Systems. Supplied/Cisco Systems
"People think of security as an enabler of the business rather than a blocker," he told Asia Focus "[But now] they are struggling with complexity, with demand in different lines of business."
The automotive industry, he said, is a good example of how IoT has evolved substantially, and that has posed a threat.
"Secured automotive and connected vehicles are on the mind of every automotive manufacturer, and when you connect vehicles to the internet, it causes security vulnerability risks," said Mr Maynard. "We work across Cisco on how we can make connected vehicles a reality in the mainstream and as part of that security by design, we think upfront security is front and centre."
Harry Kekedjian, advanced controls and digital factory manager at Ford Motor Company, said security is now a top concern in every aspect of the automotive industry.
"Whether in the collaboration space or privacy -- from a manufacturing point of view -- security of our system and our network is at the forefront of our operation," he told Asia Focus on the sidelines of the Cisco Live event.
"We are potentially under risk and we go through every assessment on how we design the network and how we protect our networks," said Mr Kekedjian. "We try to stay one step ahead of the potential attackers out there."
At Cisco, security has been a growing business with revenue surging 21% year-on-year in the first three months of 2019. Through a number of acquisitions, Cisco has become the largest enterprise private security company in the world in terms of size.
"We have been strategically building the business over a number of years, making a number of acquisitions that have been consolidated into a security business unit," said Mr Maynard.
"The business is doing very well. It has been consistent quarter on quarter. We made the decision four to five years ago to strategically build the portfolio end to end so we want to be number one in [dealing with]every single major threat factor that our customers face -- whether network, or email or cloud. We want to make sure we have the best-in-class solution for customers for those specific threat factors."
To beef up its security business, Cisco in late 2015 acquired Lancope, a privately held company headquartered in Alpharetta, Georgia. Lancope helps customers monitor, detect, analyse and respond to threats.
For example, Lancope's StealthWatch alerts customers to suspicious traffic patterns inside the network to quickly detect a wide range of attacks. This helps businesses reduce time to detection, respond to incidents faster, improve forensic investigations, and reduce risks for the company.
Lancope had been part of Cisco's security solutions for many years before they came together as one entity. The combined solutions secure customers' resources and critical assets by using their network as a sensor -- providing enhanced visibility, context and control over threats.
Cisco Umbrella, meanwhile, was rebranded from OpenDNS enterprise security products following the acquisition of San Francisco-based Open DNS, also in 2015, for $635 million. It offers cloud-delivered enterprise network security that provides a first line of defence against cybersecurity threats.
"So we built the security business organically and we built it through mergers and acquisitions," Mr Maynard said. "We have customers across all sectors. We are engaged with customers which are pretty much most of the Fortune 100. We have customers in commercial and mid-market space, in the public sector in US and outside the US, those in the service provider space, utilities and energy.
"We have a presence all around the world and America is the biggest market. We spend a lot of time in Asia. … Pretty much every country has security threats. For us, Asia Pacific is a high-growth market and while America is large, the Asia Pacific market is growing well for us."
An organisation's security budget, he said, was typically set as a percentage of the IT budget, somewhere around 8-12%.
"Somewhere around that [proportion]goes into security and it is growing, so it indicates that it has become more important. I think that's an acknowledgment that security is a broad-level issue and it is not a matter of if but a matter of when, so be prepared."