Cyber criminals have been quite busy during the pandemic, taking advantage of the massive shift to remote work. With many employees accessing sensitive company data from their homes, malicious actors have been lurking in the shadows, waiting for the most opportune time to strike. This could be a lapse in judgement, such as downloading files using an unsecured device, or falling prey to phishing scams, the latter draining the life savings of countless account holders.
Hence, business organisations are stepping up efforts to safeguard their IT infrastructure, alongside intensified customer education on avoiding data breaches. However, what exact measures can be taken to have a fighting chance of beating cyber criminals out to seek a massive payday?
To find some answers, Jicara Media gathered cybersecurity experts in a panel entitled “The Cyber Threat Landscape in the Post-Pandemic Era,” during the latest IT Security Frontiers online conference.
For Frankie Shuai, Director, Cyber and Technology Risk at UBS, the pandemic has changed the banking behaviour of their customers, and the bank must therefore adapt accordingly.
“We have seen (that) COVID has changed the way the clients think about the bank, how they’re interacting with the bank, from client onboarding, to the credit card service, from non-life financial investment to the payment transaction,” Shuai said.
“Digital first or mobile first is not the alternative anymore, but (rather) the mainstream nowadays,” he observed. “Our clients cannot travel, they cannot visit the physical branch easily, or they are prepared to do so because of hygiene concerns. This has minimised the work of face-to-face interaction and enabled digital transaction adoption.”
The challenge, Shuai said, is how to make sure that the client instruction or client files are securely transferred and stored, and how to make sure the integrity of client instruction and files are protected.
“Cybersecurity prevention and detection play a key role (there),” he added.
Aside from customers conducting their transactions online, business operations have also gone remote, at least for the initial phase of the pandemic.
For Yong Jan Nem, Head of Information Security at digital wealth management firm Stashaway, the urgent adoption of remote working arrangements meant a lot of security issues which needed to be dealt with straightaway.
“People tend to mix work and personal life together because they’re working from home. So they either access work resources from their personal devices, or they actually access personal emails from their (company) devices. So this actually increases the threat to the company as a whole,” Yong remarked.
“So far, we have adapted quite okay to the situation. We moved from a traditional VPN approach to SASE-based and zero trust. We have a cloud VPN, (and) secure web gateway, which helps us to enforce policies on the endpoint. So users cannot turn off (the) secure web gateway on the agent on the endpoint itself, which gives us the much-required visibility that we have, to know what is actually happening. And if there’s anything that is suspicious, we can actually act on (it) immediately,” he shared.
Apart from reinforcing their IT infrastructure, Yong noted the importance of empowering their staff on how they can do their part to prevent data breach.
“We do a lot of awareness sessions around our various channels, like our messaging channel, emails, your whole awareness workshop, to continuously educate people and share with them the day-to-day trends that are happening, how they should react, and so on. I think it’s a continuous journey for everyone. And we just need to continuously maintain awareness and visibility,” he added.
Lennart Lopatecki, Head of CSRM, Regional Information Security Officer – APAC for German multinational Bayer, shared Yong’s perspective on employee education to counter cyberthreats.
“If you’re still using WEP encryption, for example, on your Wi-Fi, (then) that is a problem. If you’re sharing your Wi-Fi with five (persons) around you, and they have complete transparency on your devices because you’re not using guest networks or whatnot, those are still issues that we see,” he observed.
“I think it’s very difficult sometimes to see (that) it’s a lot about user education. So awareness training and education material provided (by) Bayer to our users – so that they can check ‘Are we okay?’ – are super important,” Lopatecki said.
One step ahead
In order to further dispel cyberthreats, businesses must be well-versed with their customers, and more importantly, their assets, the panellists noted.
“KYC, in the financial industry, we call ‘know your customer,’ but here is a wider meaning, called ‘know your critical service, (or) critical product.’ It covers front to back, end-to-end identification, assessment, testing, monitoring, and incident response on your critical business process. Critical system, critical data access, critical people, critical client experience, critical third-party suppliers, et cetera. Once you know your critical service, then you could play a risk-based approach to protect them as needed,” Shuai pointed out.
“These days, cyber criminals are really creative, and they put in a lot of effort into trying to phish you, trying to trick you to do what they want you to do. Some of them are so real, that people easily fall for those phishing emails and traps. I think KYC in that aspect is very important, both from a company’s perspective, and from a customer’s perspective,” Yong added.
Meanwhile, Lopatecki discussed the usage of one-time passwords, or OTP, as a gateway to steal customer data.
“It is more important than ever to stay vigilant when you’re doing financial transactions. One very frequent type of fraud right now would be (through an) OTP. People that are saying, ‘Well, I’m sending you an OTP, now, you only have to tell it to me, so then I can continue with your request,’ whereas in reality, they already have our bank account. They’re just waiting for the OTP to really move forward,” he explained.
On a macro level, Lopatecki emphasised the importance of having established relationships with business partners, in order to minimise and/or eliminate security risks.
“When it comes to finance, we typically know our customers anyway, because it’s B2B relationships. We have our verification processes internally, and we don’t need to have that unknown person that logs onto our service. We need to find out how much trust we need to get to actually be able to work with them. That is a little bit different in our industry, where we really have a very good established relationship with purchasing units for all partners that we purchase from,” he added.
The post-pandemic landscape
With businesses forever changed by the pandemic, best practices moving forward have to be aligned with the latest technology, in order to keep up with the level of sophistication employed by cyber criminals.
One such technological component of enterprises’ digital transformation is API.
According to Shuai, a concept called open banking has captured people’s interest in the past few years.
“(No) longer only satisfied with the banking service offered by a particular bank and a particular mobile banking solution, people start to enjoy the wider ecosystem (and) revenues through the extension of the banking application service, which are provided by other partners through the API. Out of the typical banking service, we could say payment service has been the (foremost) case of API, in many countries, especially in Asia, due to the nature of payment and transaction in this area. That’s why today, we have so many options to pay and receive the fund easily and efficiently. That’s a typical use case of API,” he said.
Shuai also shared some steps to secure the use case of API:
- Maintain strong API inventory management.
- Use strong authentication.
- Remove information that is not meant to be shared.
- Do not export more data than necessary.
- Encrypt the API traffic using the latest layers for sensitive data that are passing through the API.
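The steps above, applied to a single request handler as an added example (not code from the panel or from any panellist's organisation): an inventory declares which fields each endpoint may export, a token check runs before any data is returned, plain-text transport is refused, and an allowlist filter strips everything not meant to be shared. The endpoint paths, secret, client id and record are constructed for illustration.

```python
import hashlib
import hmac

# Step 1: inventory. Each API is declared with the fields it may export;
# anything not listed is never sent, whatever the backend record holds.
# Paths and field names are constructed for this example.
API_INVENTORY = {
    "/v1/account/summary": {"fields": {"account_id", "balance", "currency"},
                            "requires_tls": True},
    "/v1/payment/status":  {"fields": {"payment_id", "status"},
                            "requires_tls": True},
}

# Step 2: strong authentication. Constructed secret; a real service would
# use a proper token service. Tokens are compared in constant time.
_API_SECRET = b"example-secret-do-not-use"


def issue_token(client_id: str) -> str:
    return hmac.new(_API_SECRET, client_id.encode(), hashlib.sha256).hexdigest()


def authenticate(client_id: str, token: str) -> bool:
    return hmac.compare_digest(issue_token(client_id), token)


# Steps 3 and 4: remove fields not meant to be shared, export no more than needed.
def minimise(record: dict, allowed: set) -> dict:
    return {k: v for k, v in record.items() if k in allowed}


def handle_request(path: str, client_id: str, token: str,
                   record: dict, over_tls: bool) -> dict:
    """Return {'status': ..., 'body': ...} for a constructed API call."""
    api = API_INVENTORY.get(path)
    if api is None:                      # not in inventory: refuse outright
        return {"status": 404, "body": {"error": "unknown API"}}
    if api["requires_tls"] and not over_tls:   # step 5: encrypted transport only
        return {"status": 403, "body": {"error": "TLS required"}}
    if not authenticate(client_id, token):
        return {"status": 401, "body": {"error": "unauthorised"}}
    return {"status": 200, "body": minimise(record, api["fields"])}


# Constructed backend record with internal fields that must never be exported.
SAMPLE_RECORD = {"account_id": "ACC-001", "balance": 1250.0, "currency": "SGD",
                 "internal_risk_score": 0.82, "internal_notes": "do not export"}
```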
For Lopatecki, there is no one-size-fits-all approach when it comes to API security.
“There are some API’s that are just having very generic data, not very critical data. You need to know what information you’re exposing. The parameter is, in the end, what you need to monitor. So an API in that sense is not changing, that it’s a machine-to-machine discussion or information exchange typically. There, you don’t have the user, such as it’s a machine that’s using the service. But after all, the same principles that you would want to see from (an) authentication perspective would still be applying,” he said.
Meanwhile, the ability to assess the level of API security at any point in time is paramount, Yong noted.
“At the end of the day, visibility and audit trail definitely has to be there, so that you know what is happening, and you have that visibility if you need to investigate. Even for API security, assessment is definitely something that needs to be done. For an end, make sure that things like penetration testing have been done, to make sure that the best practices are implemented on endpoints,” he concluded.