Plugging the cybersecurity expertise gap

Hong Kong operators HKT and SmarTone aim to join the already crowded managed security services market because, frankly, enterprises lack the expertise to secure their networks, and their customers are already starting to notice that.

Photo courtesy of Liam Tucker

Hong Kong operators are jumping into the managed security services (MSS) business to offer services to enterprises – and not a moment too soon, as a number of new research reports indicate that enterprise security is still terrible for the most part, and their customers are increasingly worried about that.

At the end of March, Hong Kong’s incumbent telco HKT teamed with Palo Alto Networks to launch an endpoint threat protection service for enterprises. The service leverages Palo Alto’s Traps, an endpoint detection and response (EDR) solution that detects malware, exploits and ransomware by determining techniques and behaviours before they can infect endpoints, and coordinates policy enforcement with network and cloud security. HKT – which has already been reselling Palo Alto’s solutions – is now offering 24/7 support for the solution via its local security operations center.

Earlier the same month, mobile operator SmarTone launched its own Cybersecurity Solutions service in partnership with Cybereason (which handles endpoint monitoring), ZecOps (which performs threat hunting and forensic analysis) and KnowBe4 (which provides security awareness training).

The common thread in both MSS launches is that Hong Kong enterprises face an increasingly dangerous cyberthreat landscape, and most enterprises – especially SMEs – lack the skillsets and resources to defend their networks on their own.

“Every [SME] customer has one common problem in that they run out of resources when it comes to cybersecurity,” says Wickie Fung, general manager for Hong Kong and Macau at Palo Alto Networks. “They cannot afford to have dedicated software security people or highly skilled, sophisticated people.”

That’s why it’s not enough to simply sell them technology to secure their enterprise networks, he continued. “They need partners to help them to run it and manage in a more cost effective manner, rather than hiring dedicated people to run it.”

SmarTone’s cybersecurity service takes the security expertise angle a step further, arguing that if good cybersecurity is a combination of “people, process and technology”, enterprises need to put greater emphasis on the “people” bit – and not just by having a cybersecurity-savvy CIO or a dedicated team with security skillsets, but by literally getting every employee in the company up to speed.

That’s because one of the most common attack vectors for enterprises is employees who fall for social engineering tricks or phishing emails, says Harry Poon, head of Cyber Risk & Security Practice for SmarTone Business Markets.

“You can have the best process and technology but if you don’t have the best people, everything can still fall apart,” Poon says. “There are many companies focusing too much on the technology part, or are doing the bare bones minimum to meet compliance requirements.”

Put another way, even cybersecurity-savvy CIOs should never assume that everyone knows what a phishing email looks like by now.

That’s why SmarTone roped KnowBe4 into its MSS offering – the company helps put rank-and-file employees on the cybersecurity front line by training them to recognize phishing attacks or social engineering attacks.

Poor cyber-hygiene

HKT and SmarTone are jumping into what is already an increasingly crowded managed-service segment – on the other hand, it’s also a fast-growing one. As more enterprises move to digitally transform themselves to stay competitive in an increasingly digital world, there is also growing awareness of the crucial role security plays in digital services.

In fact, IDC’s latest semi-annual security spending guide expects investment in security-related products and services in Asia-Pacific (excluding Japan) to reach $28.2 billion by 2022 (that’s over 20% CAGR from 2017). Of that, security-related services will be both the largest ($6.5 billion in 2019) and the fastest growing (23.8% CAGR) category, and of that, managed security services will be the largest segment in the services category.

Meanwhile, evidence is mounting that enterprises desperately need to outsource more security expertise – particularly in Hong Kong, where security incidents increased tenfold between 2009 and 2018 according to the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), yet a study last year from the Hong Kong Productivity Council (which oversees HKCERT) found that local companies only scored 38 out of 100 on its cybersecurity awareness index (with 40 being a passing score).

However, that’s not to pick on Hong Kong – lack of cybersecurity readiness among enterprises is a widespread problem, according to Keysight Technologies subsidiary Ixia, which released its third annual 2019 Security Report in April.

“Compromised enterprise networks from unpatched vulnerabilities and bad security hygiene continued to be fertile ground for hackers in 2018. Misconfigured security and access policies were also a major source of data breaches in 2018,” said Steve McGregory, senior director of Ixia Application and Threat Intelligence at Keysight Technologies. “Network and application complexity pose serious security threats and create new vulnerabilities every day. Hackers continue to leverage the complexity as well as existing vulnerabilities and misconfigurations to their advantage.”

The Ixia report found that software security flaws caused the majority of product vulnerabilities, but – as mentioned above – humans remain the weakest link, thanks to the continued prevalence of phishing scams and malware-infected websites.

Even worse, the report says, cyber hygiene is at an all-time low: “IT vendors created code or configurations that led to many successful security breaches in 2018, but IT operations and security personnel also shared the blame. Well-known attacks and attack vectors remained successful because security personnel did not address vulnerabilities, either due to lack of knowledge of the latest patches or challenges in deploying them in a timely manner.”

It’s only going to get worse from here. Ixia expects pretty much all kinds of attacks to increase and evolve, from abuse of low-value endpoints and brute-force attacks on public-facing systems and resources to phishing, cryptojacking, multiphase attacks that use lateral movement and internal traffic and … well, everything.

Customer confidence

If that’s not enough incentive for enterprises to beef up security (either by investing in expertise or outsourcing it to an MSSP) there’s also the fact that slipshod security not only puts enterprise assets at risk – it also hurts customer confidence in their services and their ability to protect their personal data.

A survey released by Microsoft and IDC Asia/Pacific in April found that less than one-third (31%) of consumers across 14 markets in APAC believed that their personal data would be treated in a trustworthy manner by organizations offering digital services. (Point of note: in Hong Kong, that figure is 21%.)

“Most consumers still do not perceive organizations to be trusted data stewards,” said Antony Cook, associate general counsel, corporate external and legal affairs at Microsoft Asia.

More to the point, customers won’t be forgiving of enterprises that breach that trust, whether it’s due to being hacked or business practices that compromise their privacy. According to the survey, consumers that have a “negative trust experience” would either switch to another organization (53%), reduce usage of the digital service (36%) or stop using the digital service altogether (34%).

“Trust is critical for organizations to succeed in this digital world as consumers overwhelmingly prefer to transact with organizations with a trusted digital platform,” said Simon Piff, VP of security practice at IDC Asia/Pacific. “As competition between digital services becomes more intense and global in nature, advocacy through word of mouth can be a strong differentiator for the organization and a shot in the arm for the brand.”