Narrowing the gap between physical and digital security

Image courtesy of Philipp Katzenberger

Not long ago, physical security and digital security were two separate disciplines, each with their unique set of challenges and safety protocols. However, with the rapid adoption of technologies such as 5G, the Internet of Things, and artificial intelligence, securing a building, for example, is no longer a bridge too far from safeguarding a company’s data assets.

Because cyberthreats are also evolving alongside the development of new technology, IT experts are always advocating for enterprises to design their digital modernisation from a security standpoint. But what exactly are the steps towards a holistic view of security and IT risk management?

In a panel entitled “The Convergence of Physical and Digital Security,” organised by Jicara Media as part of the IT Security Frontiers 2022 online conference, senior IT experts discussed security challenges across verticals, as well as strategies on how to reconcile the merging of physical and digital infrastructures.

For Pang Tzer Yeu, the head of Information Security at Mediacorp, any approach to designing an organisation’s security roadmap must first and foremost be systematic.

“Identifying what is our key challenge, what key problems we’re trying to solve— I think that is a good way of starting. But the question is, beyond this, how can we make this a system? I think we need to improve the way that we do risk assessment, so that we can lay out the threat scenarios, in such a way that it starts all the way from the entry of an attack, (down) to the actions and objectives. Once you are able to lay out the attack of the threat scenarios, you should be able to lay out your defences, and it should be very clear at that point in time, where you might need more help, or more investment,” Pang said.

Challenges so far

Like the majority of companies during the last two years, fintech firm Investree also adopted a work-from-home setup, which brought along a multitude of security challenges in itself.

“We never know if one of our team members probably accessed (our data) from a free Wi-Fi. Even though we tell them to stay at home, you can never stop them from going to, let’s say, a cafe. I think securing the access to our back office system, wherever they are, that’s one of our biggest concerns,” noted Dickie Widjaja, Investree’s CIO.

Aside from this, the company also had to ensure that the security measures being implemented by their counterparts are up to par.

“We deal with a lot of financial information, and we do work with other partners, where you can’t avoid it, there will be transfers of data or information from one partner to another— either incoming to us or outgoing to other partners as well. Unfortunately, not everyone is working on the same standard. So we have to secure not only the transfer of the data, but how the data is being utilised by our partners as well,” Widjaja said.

Travel booking platform Agoda, on the other hand, has become more cautious about choosing security vendors amid the rise of cyberattacks.

“Supply chain is probably one of the biggest threats that we have these days. I’m sure a lot of us read (about) the latest supply chain attacks. We are all suddenly untrusting of any software that we are purchasing or using. So it’s becoming much more of a challenge because we’re trying to protect the perimeter in our infrastructure, but we need to start making sure that our vendors are also secure in the right way— that they’re doing some basic or advanced measurement of security, that they will not get hacked, as well,” said Yaron Slutzky, Agoda’s CISO.

Furthermore, data privacy laws across territories also pose unique sets of challenges.

“In international companies, the attack surface is much wider, and we do have local regulations and international laws that we need to comply with. So obviously, it’s become much more challenging. We need to protect all our customers around the globe, because we have different nationalities from different origins. (Hence), we have different laws and different regulations to apply and comply with,” Slutzky added.

Meanwhile, for Mediacorp, IT staffing is one of the issues they are looking into.

“We have a big challenge here in getting really good people to staff cybersecurity roles. No thanks to the (Singaporean) government, which is actually pouring in tons of money to hire people as well, pushing up the market. It’s good news for all of us who are cybersecurity practitioners, but it is really tough when you are trying to lead a team and trying to build up a team,” Pang said.

Unlocking the solutions

With the growing number of security challenges, enterprises can be overwhelmed by the question of what to prioritise. Is the physical office secure enough? Are employees working remotely protected against malicious actors? How can both be protected in the age of hybrid work?

As such, many businesses rush into decisions and jump on the first vendor promising to solve all their problems. But according to the experts, this behaviour is treading dangerous waters.

“Every vendor will say how great their solution is. And I’m seeing the increase of intensity in them believing (their pitches), which is good, and it means they believe in their solution. I think at the end of the day, you have to see what fits your environment and your budget, as well as the technical skills that your internal team has, because it has to be a joint project between the external bodies as well as the internal team,” Widjaja said.

“For us, we see that once we choose a solution, it’s not the end— it’s just a journey, it’s a starting point. There is no such thing as, once you choose a vendor, you have to stay with them forever. We see what fits our needs at the moment. And what we’ve seen is that, with every year passing, with our team increasing more skill sets and knowledge about it, we might upgrade, or we might change the solution that we use. It really depends on your needs as well,” he added.

For companies still having second thoughts on which security vendor to engage, Slutzky offered a practical solution: “If you can eventually go and find a solution that can fix, let’s say 10 issues, and not only a specific one, it will be much easier to manage, operate, and support everything together. But, and there is a but— it’s not sure that this vendor would be good in each category the same as others. It’s always a balance that we need to control.”

“One of the things that we like to do is, we like to test new tools and new solutions. It’s interesting for the security guys, of course. So we love doing it, but we need to eventually make sure that we have the right budget, the right capacity of people, or resources to actually manage it and operate it,” he added.

From an IT infrastructure standpoint, Pang said that designing for cyber resiliency, which is different from physical resiliency, is one of the measures to prevent disruption to services.

“It’s about understanding the systems and networks that you have, and what the connections and interconnections are. I think most of us do have a plan on paper, but it’s always probably wrong. Because over time, things do happen. You can actually build some capacities and resources to try some of these things out, get some guys or some team to actually test it out, if you think that that is really critical for you. As part of your annual pen (i.e. penetration) test, perhaps add one additional scenario you perform every year,” he suggested.

The role of government

Aside from practical industry tips on improving the physical and digital infrastructures of enterprises, the experts agreed that governments can do more to advance the security mindset and compliance of the entire business landscape.

“I think they (government) need to strengthen their ability to engage the various industry sectors, because the rules being set are very, very generic for everybody, but the (security) requirements (for each) are very, very different,” Pang said.

“I really hope maybe in five to ten years, we will see a more granular kind of regulation that will be specific to the industry, rather than something that applies across the board,” he added.

Meanwhile, Slutzky pushed for more government assistance in terms of complying with new data rules.

“Each country now has much better privacy protection, or regulation to make sure that the data of the customer is protected as it should. We see more and more in each country now, as in Singapore, Thailand, Vietnam— we have all these countries wishing for a new kind of GDPR regulation for the companies to apply. If the governments want us to comply with those regulations, I expect them to also help us protect this data in a manner that even if something would happen, they will be able to stop it before it’s actually getting into the companies,” he remarked.

“There has to be some kind of a minimum standard that everybody would have to meet, not just from a security point of view, but also that it’s good for business,” Widjaja said.

“You don’t want to have a data breach. It’s basically how to turn cybersecurity needs as a competitive advantage, and the government has the power to set the policy— a very minimum standard, and then we can work from there,” he concluded.