July 18, 2017
As one attack after another has been spotlighted by media in recent months, Computerworld Malaysia has engaged in a series of 'rapidfire' cybersecurity interviews. This, with the objective of gathering together mid-year business technology insights to help enterprises focus on securing and driving their plans.
[For coverage of this year's gathering of cybersecurity professionals and leaders in Kuala Lumpur, see - Combatting cyberattacks with a strategic mindset: Computerworld Malaysia 11th Security Summit]
For this article, we turned to an industry player that prides itself on presenting an 'always-on' mantra. Danny Allan, who is vice president for Cloud & Strategy at Veeam Software (Veeam) went through some of the fears he saw facing industry and IT leaders both in Malaysia and the region generally.
Photo - Danny Allan, Vice President, Cloud & Alliance Strategy, Veeam Software
In your dealings with industry, what would you say are the major security fears?
There are two security challenges that will continue to face the IT industry: the continued rise in the complexity of IT systems, and the difficulties in educating and ensuring that people act in a secure manner.
On complexity, we continue to see the adoption of multi-cloud deployments where systems are deployed on-premises, in the public cloud, across SaaS systems or through mash-ups of APIs and integrations from a complex supply chain.
This increased complexity leads to an increased attack surface caused by both a lack of awareness of where data is located, as well as an understanding of how the systems interact with one another. Complexity is the enemy of security and business availability.
Secondly, we have witnessed repeatedly that human actions result in a degradation of both availability and security.
From the misconfiguration of public cloud systems resulting in hours of downtime to the explosive growth of ransomware through 2017, these trends serve to show that people are the weakest link.
How can we tackle the human factor?
No matter the efforts that are put into education and awareness, ensuring effective behaviours in people in both a consistent and comprehensive manner has proven a failure.
A more effective way to provide a secure and available business is to not only focus on education and awareness, but also to build protection and resilience into the underlying foundations of the IT architecture.
What do you see as the silver lining in the security challenges faced by the IT industries in the current operating environment?
One of the significant benefits of security breaches and ransomware for the security and IT industry is the focus this puts on the essential nature of the IT business.
As 2017 has been called by some the 'Year of Ransomware,' this has served to escalate awareness to the executive and board level.
It is no longer enough to depend on compliance certifications and traditional methods of protection, but there is an executive demand to provide documentation of security and availability efforts as well as attestation of the implementation.
However, this growth in awareness has also created its challenges. We are beginning to see the formalised efforts to turn malware into a business.
Ransomware-as-a-Service and similar activities continue to grow in the underground space, and corporate and nation-state espionage appears to grow in size and activity as geo-political instability and globalization progresses.
One last challenge that has aided in organised crime is the awareness and growth of digital currencies. While the extraction of money from malware and malicious cyber activities has historically been a challenge, digital currencies have enabled the collection of money without the same level of government oversight and regulation.
Lately, security adoption has been touted as a strategic business driver/enabler: What's your take on this?
Yes indeed, secure design and architecture is and will be a strategic business enabler.
As enterprises look to provide better financial returns and stronger bottom lines, the pooling of resources through cloud consumption and shared IT models will continue to influence business behaviour.
To the extent that infrastructure, software and service providers can provide attestation of secure architectures and design that builds data security and availability into their business, this will be a differentiator in their market as the adoption of these consumption models increase. This is a step forward for the industry as they look beyond security products to the inherent inclusion of security and availability as a fundamental property of IT.
What should business leaders and IT professionals have in place in these days?
Executive and IT leaders should recognise that the survival of the business is dependent on the availability of their services for their end users.
Any disruption in the service as a result of security or availability carries significant financial and business impact.
Ensuring the proper design, development and delivery of these services is essential. This not only includes aspects of people, process and technology, but a cultural change in the organisation to recognise the fundamental nature of security and availability.
Practices should include education, awareness and collaboration within their employee and partner community, automation and processes that embed consistent and comprehensive security and availability protections, and technologies that can provide this level of service availability with attestation of implementation.
What's your takeaway message?
While the focus on security and security challenges are essential, it is not sufficient.
The executive view must broaden to recognise that it is the business availability that is the essential challenge. Delivering end user services with the needed protections and without disruption should be the focus of the enterprise.
For some other recent local cybersecurity news, see:
- WannaCry attacks: Former Malaysian hacker predicted healthcare target
- Global ransomware attacks prompt national 'WannaCry' alert from CyberSecurity Malaysia
- Crash Override, Industroyer malware: CyberSecurity Malaysia calls for critical infrastructure checks
- Why Malaysia's PIKOM has not received a single WannaCry report
- Is there a kill switch for the latest - Petya, EternalBlue related - global ransomware attack?
- 'Worrying' 96% of Malaysian companies still in cybersecurity infancy stage, IDC finds