ExtraHop Deputy Chief Information Security Officer Jeff Costlow unpacks how talent shortage in tech across the Asia Pacific region impact cyber security.
By Jeff Costlow
Companies can’t defend themselves against every single thing that can go wrong, because bad actors will continue to invent new ways to get inside the network. We also know that no matter how large a budget is allocated to enhancing your cybersecurity in 2020, companies will continue to suffer from the current cybersecurity talent shortage.
According to an International Information System Security Certification Consortium (ISC2) study from 2018, the Asia-Pacific region is experiencing the greatest talent shortage at 2.14 million, which is partially attributable to its growing economies and new cybersecurity and data privacy regulations throughout the region. Sixty three percent of respondents said their organisations have a shortage of IT staff dedicated to cybersecurity, and nearly 60 percent say their companies are at moderate or extreme risk of cybersecurity attacks due to this shortage.
To reduce the risks associated with this shortage in IT talent, enterprises in the Asia Pacific region will need to rigorously consider the weakest points in their systems and build a comprehensive security programme that includes network segmentation, network visibility and multifactor authentication. Organisations will also need to assess and catalogue the data they hold and where, then decide on the controls they want to put on it. This “defence in depth” or “security in layers” approach will continue to be the best for security. Along with creating a strong security programme, we anticipate that four areas will dominate the cybersecurity agenda for enterprises in 2020.
Bad actors have breached many organisations of all sizes, exposing passwords that provide a good statistical model to facilitate further attacks on companies or individuals. This will be a big cybersecurity threat for Asia Pacific companies in 2020 seeking to protect the integrity of their data without multi-factor authentication.
Multi-factor authentication continues to be one of the most important things enterprises should pay attention to, due to compliance regulations and the additional layer of protection it provides beyond passwords. Some of the large cloud service providers are taking the protection a step further with a hardware token. This level of protection is recommended for high value accounts in your organisation.
Last year saw too many cases of enterprises that moved their data to the cloud, but failed to adopt standardised controls, which unintentionally left the gate open to malign intruders. According to a study by Cisco, many security teams in the Asia Pacific region are also unaware of the number of vendors or products that exist in their environment. The Philippines and Malaysia lead the region with the highest percentages of organisations that do not know how many products they use, while Vietnam has the highest percentage that do not know how many vendors they use.
Cloud storage providers, such as Amazon, are improving how they interact with customers – by helping them identify any weaknesses in the configuration of S3 buckets, for example. However, it is likely that failures in compliance and certifications will continue to lead to cyber breaches in 2020.
Neither moving to the cloud, nor staying away from the cloud, will necessarily help companies with their data security. In 2020, enterprises will be better off moving to the cloud in a secure and conscious fashion, making clear decisions about what data they are sending to the cloud and what they want to do with it, rather than just moving information wholesale. Companies should make very conscious decisions about what controls they will be using and what protection is offered by the upstream cloud service provider.
Third-party risk will also continue to be a potential weakness in enterprise cybersecurity practice. Businesses need to consider exactly what data they are providing and what level of control is needed to ensure the integrity of that data. For example, the employee personnel information typically shared with an HR contractor is much more sensitive than data relating to a marketing campaign. Companies must do their due diligence around this issue to ensure that the relevant data security configurations are correct and leakproof.
This year will see the continuation of the IoT trend that has been developing for the past four or five years. The problem is that these devices have become much more powerful, without getting any smarter. The first IoT devices were relatively simple, and although they did offer intruders a way into networks, the damage was limited.
More recently, however, IoT devices have become a lot more powerful. They are expected to do a great deal more, and are more deeply integrated into enterprise networks. This means that if a bad actor is able to take control of the device the havoc that can result is extensive, and security around IoT devices is not keeping pace with the advances in their power and reach.
Companies must accept that the battle to protect enterprise data is now a permanent feature of the business landscape.