Many organisations have realised that traditional network defences are no longer adequate as attack surfaces grow wider by the day. In response, they have stacked security solutions one after the other.
Despite this, businesses are still at risk of being breached. What could organisations be doing wrong, and how can they rectify these errors before there is irreparable damage? More importantly, what measures can be taken to achieve security resilience?
To zero in on these pressing enterprise security concerns, several industry experts gathered for a forum titled “Rethinking Enterprise Security Resilience,” hosted by JOS, and organised by Jicara Media.
According to Kelvin Foo, Solutions Director, JOS (Singapore), the prevailing corporate mindset towards cybersecurity has not yet caught up with the sophistication of threat actors.
He observed that “most” companies are still reliant on legacy antiviruses, which identify known threats and signature-based threats immediately. Today, however, bad actors are “very smart”, said Foo, as they try to tamper with the company’s data or payload to evade the antivirus.
Not long ago, businesses were heavily investing in on-prem security because people rarely worked from home.
However, as networking technologies and company needs have evolved, many enterprises adopted a hybrid work arrangement. Thus, securing the company’s data and applications is no longer limited to the four walls of an office building.
Kelvin Foo noted that solutions are needed to protect today’s end users because their work parameters have become dynamic, as they may be working from home, at a café, or elsewhere.
Across industries, the concept of zero-trust security gained prominence, especially during the pandemic. While technically not a new principle, zero trust transformed organisations’ approach to security, from “Trust, but verify,” to “Never trust, always verify.”
How then can enterprises begin their zero-trust journey? For Juan Huat Koo, Cisco’s Cybersecurity Sales Director in ASEAN, zero trust meant layer after layer of tightened security protocols, which are used to thwart attackers looking to exploit vulnerabilities in the system.
“You have to be the right user, and use the right device. The device is particularly important; you may be the right user, but if you are using the wrong device, like a personal laptop, then that device may already be infected, and it is therefore a gateway into the network environment,” Koo said.
In addition to verifying users and devices, a zero-trust approach should also put the network and the company’s applications under the microscope, the security expert asserted.
Path to security resilience
As many security experts would point out, there is no one-size-fits-all approach for enterprise security. In the same manner, no single solution would be able to solve all of an organisation’s security issues.
Consequently, many organisations have deployed multiple security solutions, with some even having as many as 60 or 70 products installed. Aside from this being a costly undertaking, interoperability is an issue, as most of these solutions do not communicate with one another.
In many instances, this is where hackers find a way in: when organisations have so many solutions and yet do not have a clear picture of their attack surface.
According to Cisco’s Juan Huat Koo, consolidating security solutions can help organisations gain better visibility of what they are trying to protect, and what is happening to their assets in real time.
“From a Cisco perspective, we are helping organisations to consolidate security to be more effective. Let’s be honest, you can never go down to just one or two security solutions, but if you can consolidate down to 50%, that is already a very good achievement, especially if you have 50 or more products being deployed,” he said.
Indeed, visibility is one of the most important attributes an organisation must have. It is the first step of a multi-step strategy, which Koo shared, to achieve security resilience.
- The organisation must see more.
“You cannot protect what you don’t see,” he said. “Imagine putting surveillance cameras only at a building’s entrance. While you can see people come and go, you cannot see what they are doing inside, or where they are going.”
- The organisation should embrace shared intelligence.
“Security is something that’s evolved much over the past 10 years. A decade ago, many customers kept everything to themselves, even if there’s a breach. But guess what? Hackers and threat actors are sharing information. They know where to look for, and they know the vulnerabilities,” said Koo.
- Take action, prioritise what’s important, and close the gaps in the IT infrastructure. This, said Koo, includes securing vulnerabilities between data centres and public cloud.
- Organisations should optimise efficiency.
“Humans alone cannot do the job. Today, we are faced with so many vulnerabilities and applications. Use AI to help you remove some of the mundane tasks. That way, you don’t need to get a human to respond to attacks every time,” Koo suggested.
Tighter security controls
Beyond visibility and reducing network complexity, organisations can employ additional protection measures to shore up their security posture, and make it harder for malicious actors to gain access.
One particular strategy, which many may take for granted, is the use of multi-factor authentication.
“If you look at cyberattacks, more than 50% start off with loss of credentials. Depending on just usernames and passwords won’t prevent a breach. MFA is critical to protect your users and applications, and is the first step towards zero trust,” Koo remarked.
Aside from MFA, organisations can also deploy identity and access management solutions, noted JOS’s Kelvin Foo. “That way, you can have a list of what privileges the users have, or what each person is allowed to access,” he said.
Ultimately, however, technology is only as good as the people using it, said Francis Yeow, Head of Information Security and Country Information Security Officer at Parkway Hospitals Singapore Pte Ltd.
For example, during the height of the COVID-19 lockdowns, as children shifted to home-based learning, not everyone had a laptop that could be spared for online classes. As a result, there were times when employees working from home had to lend their office devices to their kids.
Yeow remarked that this practice gave hackers an opportunity to penetrate business organisations. Hence, an issue as basic as cyber hygiene must be taught to all employees.
“At the end of the day, even if you have the best security technology, you probably can’t prevent any incident if the user does not have the right understanding and knowledge of how to prevent data breaches from their end,” he said.
As the enterprise sector has entered an era of rapid digitalisation, one cannot be too careful, especially when it comes to securing data assets.
To solve the lack of visibility resulting from multiple disjointed security solutions, organisations are consolidating platforms with the help of IT-as-a-service providers. Then, heightened security measures, such as zero-trust adoption, provide better defences for the organisation, making it more difficult for threat actors to cause mayhem.
Meanwhile, information campaigns directed at internal stakeholders — as well as external partners — will prove most beneficial in the overall goal of beating cybercriminals at their own game.