What is the best way not to fall victim to a scam? To be invisible perhaps?
In speaking to Sherif El Nabawi, vice president, Engineering, Asia-Pacific and Japan with CrowdStrike, I spoke of the idea of perhaps disconnecting altogether from the Internet to minimise the potential for falling victim to the cybercriminals.
Nabawi said that while in theory disconnecting from the Internet altogether “sounds like it would limit your exposure, the reality is that we have seen many examples during the past decade of organisations that have had their entire air-gapped networks compromised. The reasons why those issues have happened could include people inserting unsecured thumb drives into air-gapped devices, etc. The point is, it is easy to say ‘let’s not connect to the internet’ but that would make it hard to do business, manage machines and update devices.”
In a PodChat for FutureCIO episode, we dive deeper into the risks and opportunities that organisations discern as they undertake their transformation to become digital-native businesses.
So yes, this is a discussion on security, and aptly so given that Covid-19 has revealed just how badly enterprises in Asia fare when it comes to security. According to CrowdStrike, the highest ransomware payments recorded to date came from Asia.
Some key points raised during the podchat with Nabawi:
What are the key findings of the Global Security Attitude Survey?
Sherif El Nabawi: The Global Security Attitude Survey has a number of very important findings for APAC specifically. With respect to ransomware, the big problem is that 31% of respondents in APAC that have been impacted by ransomware actually paid the ransom, which is a larger percentage compared to the US and EMEA. On top of that, it cost organisations in APAC an average of almost US$1.2 million, which is again higher than the average cost for the US and EMEA.
At the same time, the Survey has also highlighted that the awareness of these types of attacks has increased (i.e. the expected security risk) across the board. This then sets organisations up well to have an informed conversation about security maturity and reducing exposure.
What are the motivations for paying the ransom?
Sherif El Nabawi: In terms of the decision-making process, it depends on executives’ awareness of the cybersecurity landscape. Is it due to the low awareness level and not knowing what you should do when you are under attack?
Do you need to report this to the authorities, the requirements for which differ from country to country? What action will the authorities take – how quickly will you get any type of response from them or any type of investigation going?
Lastly, do you have time as a business to remain in this situation? If your whole business is crippled, perhaps some might think it is better to pay and move on. The more aware executives and organisations will say that they need to investigate this, involve the right technology, processes and people to mitigate such a situation, at the right time.
Is there a preference towards taking security in-house or outsourcing, as in via managed security services?
Sherif El Nabawi: In APAC specifically, the Survey respondents felt that there's a very large shortage in terms of the skills and expertise needed when it comes to security, and specifically security practitioners with an adequate level of experience. As a result of this, organisations are now more open to hearing about the value proposition when it comes to managed security service providers (MSSPs) or managed threat detection and response (MTR), to understand how these can help them until they can get the right in-house security team in place.
One example of how organisations have used these external resources was during the pandemic when everyone was rapidly sent back to work from home. Organisations lost people for various reasons and had a wider surface to protect than ever before, so they had to turn to third parties to help them monitor their security infrastructure and protect their workloads, specifically around the endpoints.
What should the CEO and the CFO ask the CIO, whenever the new IT budget requests come in at the end of the year and the CIO says that a percentage of this is going to security?
Sherif El Nabawi: If I am at the CEO or CFO level, I'll ask really specifically: “With the type of data we have, the breaches that are happening now, and the fact that we need to enable and go on this digital transformation journey, how secure is all of that right now?”
That's where the CIO or the CISO – or in some cases they are the same person – need to collaborate and work together very closely, as we’ve seen scenarios where the CIO had to embark on digital transformation overnight but the security team was not yet able to implement the right security measures, and this meant that it all became a massive gamble.
As we come to the beginning of 2021, what do you see will be important considerations for the CIO and the CISO with regard to securing the enterprise?
Sherif El Nabawi: To be honest with you, the basics are the basics and they haven't changed. I think one key factor, especially with the pandemic and what we've seen in terms of COVID-19-themed attacks, is the awareness level. The majority of attacks, as you know, start with a phishing campaign. Phishing over email is still the number one issue, so we need to make our employees very aware of these types of attacks by having internal dry runs and phishing exercises. That is definitely the first thing to focus on.
Secondly, as organisations are investing in digital transformation, which is mostly associated with the cloud, they have to look at security technologies and tools that support the cloud and are cloud-native, so there is zero reliance on having to be on-premises to provide protection when people are working from home. Organisations also need to remember that in the cloud, there are workloads and they have to protect these workloads, the same way they protect their physical devices like servers, desktops and smartphones etc.
Lastly, organisations have to think about how quickly they can respond to an attack. The Global Security Attitude Survey found that the average organisation still takes around 117 hours to detect an incident or intrusion alone, so striving to build in the people, processes, and technology for quicker levels of detection, investigation and containment is key.
Click on the podchat player and listen for details of the dialogue that includes:
- What exactly does CrowdStrike offer? There are many security companies out there and I wanted to understand what differentiates the company from the rest of the market.
- Now, if we look at the Global Security Attitude Survey report that was issued by CrowdStrike, are the findings from the report unusual? I have to admit that I've been getting a lot of reports coming toward the end of the year. They all seem similar in terms of messaging. The numbers may be slightly different, but by and large, they're all saying the same thing – we're insecure regardless of what we're doing. Maybe we shouldn’t even be connecting to the internet.
- You mentioned that there's a higher willingness to pay a higher premium when hit by ransomware attacks. If we speculate on the motivations for being more willing to pay, what would it be? Is it the lack of understanding of what we need to do to protect ourselves? Or is it just complete surrender at the other end of the spectrum?
- With regard to the Global Security Attitude Survey findings themselves, do you see a preference toward doing security in-house or outsourcing, as in via managed security services?
- We've had instances in the past where large prominent companies have taken up a managed security service and then they got breached. There's then a lot of finger-pointing between the internal teams in the organisation and the external entity – the service provider. Who owns the responsibility for securing an organisation, and to what extent should outsourced service providers be accountable for any data breach that happens? And I'm not just talking about managed security service providers, but also when cloud service providers themselves offer these platforms and say they invest a lot in security in their infrastructure, and then you get downtime through something like a denial-of-service attack that happens every now and then.
- Let's take this to a technical level a little bit. There are two schools of thought in cybersecurity – one is ‘layered security’ and the other one is ‘defence-in-depth’. For many years, I've been hearing security vendors talk about defence-in-depth as the better approach. I understand that organisations can't afford both of them. We've also invested so much money every year into security and we still get these attacks happening, so what are we doing wrong?
- What should be the question or questions that the CEO and the CFO should ask the CIO, whenever the new IT budget requests come in at the end of the year and the CIO says that a percentage of this is going to security?
- As we come to the beginning of 2021, what do you see will be important considerations for the CIO and the CISO with regard to securing the enterprise?
- If I'm the CIO and I'm not totally familiar with a lot of the latest and greatest in security, what should I be asking the security vendor that comes knocking on my door and offers me a solution at the point in time when I'm reviewing my security strategy?
- Going into 2021, what can we expect from both the threat actors, as well as the industry that’s trying to protect enterprises against threats? Are we still going to be in catch up mode?