Cybersecurity Risk Management in the New Normal
Working from home, which has been necessary to a large extent in the past two years due to the Covid-19 pandemic, has seen businesses confronted with new challenges. Organisations have had to speed up their digitisation process, and cybersecurity is playing an increasingly critical role in ensuring business carries on with as little disruption as possible. But this has become more complicated as larger numbers of employees have been required to work from home in order to reduce the number of infections, as levels of security at home and in an office environment differ substantially.
Cybercrime is growing; total losses attributed to this in 2020 totalled RM 247 million, said speaker Lee Chin Hon, at a recent IERP Tea Talk on the topic of Cybersecurity Risk Management in the New Normal. Lee, who is Head of Data Governance and Cybersecurity with a listed corporation, covered the top five cyber threats: social engineering, malware, ransomware, data breaches and compromised passwords. Figures from MyCERT, the Malaysia Computer Emergency Response Team, indicate that between January and September 2020, 8,366 cybercrime incidents were reported; this underscores how critical it is for organisations’ systems and networks to be constantly protected.
Not only does having the right kind of cybersecurity help an organisation prevent data breaches and attacks, it also reduces the cost of damage and increases the level of customers’ confidence. Personal information, sensitive data and payment information, for instance, always need to be protected. The impact of loss caused by data breaches can be expensive; rectifying breached systems is not cheap, and there may be knock-on effects caused by the loss of data as well. A business that has good cybersecurity increases its customers’ confidence. In fact, survey results show that two out of three consumers are likely to avoid doing business with firms which have experienced cyberattacks.
Going into detailed explanations of each of the five cyber threats he had mentioned earlier, he defined social engineering as a broad range of malicious activities accomplished through human interaction. Using psychological manipulation, social engineering tricks users into making security mistakes. The five most common forms of social engineering, he said, were baiting, scareware, pretexting, phishing and spear phishing. Baiting lures users into traps that steal their information or releases malware into their systems; scareware is usually spam emails that give out bogus warnings, or makes offers for worthless or harmful services.
Phishing aims to create a sense of urgency or curiosity in the target, so that the user will respond to requests for information, and spear phishing is when the attacker customises or tailors the message according to details already obtained about the victim. Explanations were illustrated by real-life examples emphasising the danger of such threats. One such incident occurred in May 2021, when the Irish Health Service was forced to shut down its entire IT system because of a ransomware attack. The attack forced Ireland’s national health and social services provider to revert temporarily to paper-based systems, causing delays and cancellations of patient services.
In such circumstances, health was endangered, and even lives could have been lost. Explaining data breaches, Lee said anyone – individuals, enterprises or governments – could be vulnerable or at risk of this. Data breaches expose confidential, sensitive or protected information to unauthorized parties, and can happen due to weaknesses in technology or because of human behaviour; they can occur through human carelessness, lost or stolen devices or through the actions of malicious external parties such as hackers. One of the biggest incidents of this kind involved the US cable operator Comcast Corporation in 2021; 1.5 billion of its data records and other internal information were exposed.
Another incident involved Facebook, which saw the personal information – including phone numbers, full names, locations, birthdates and e-mail addresses – of 533 million users from 106 countries that the firm described as ‘scraped’ from its systems. Data breaches are also harmful as they can expose passwords, thus further compromising systems and networks. Lee pointed out that passwords are much sought after by hackers as a lot of information can be obtained from just one source. Privileged passwords are particularly valuable as they are often privileged credentials with the potential to unlock a wealth of information.
With so much at risk, what should organisations do to minimise the possibility of systems hacking, data breaches and the resulting disruption to business? Lee suggested several measures that can be applied, such as keeping software and operating systems updated; using anti-virus software and firewalls wherever possible; and using strong passwords. He also advocated not clicking on links from unknown senders, e-mails or unfamiliar websites as these are common methods used to spread malware. Users should be aware of what they click on, such as pop-up windows, social media articles or advertisements.
He also warned users not to share passwords or OTPs, adding that banks and service providers will never ask for this. PINs, CVV numbers, expiry dates of debit cards and 16-digit debit card numbers are only for personal use. Users should be careful to connect to secured public networks whenever possible, and avoid unsecured WiFi networks in public places. They should also avoid accessing their bank accounts or sensitive information over unsecured public networks. Laptops, tablets and phones should not be left unattended in public places, and shopping online using public WiFi should not be undertaken.
His presentation was peppered with a host of relevant examples that the audience could easily identify with to illustrate how quickly systems could be breached and information could be stolen – often in a matter of seconds. Because of the ease with which systems, equipment and networks can be compromised, he urged caution at all times. Concluding his talk, he recommended some measures that users can take to safeguard their systems. These measures include having strong passwords, and checking applications on devices in use for log-in records. For instance, if there is a record of logging in from another country which you have never visited, a hacker may be trying to breach the system.
Lee also urged users to ensure their data, especially critical data, was backed up. He warned about the importance of managing social media settings, as a great deal of information can be gleaned from social media accounts, by those with malicious intent. While many active social media users post or comment regularly and vigorously to increase ‘likes’ and their fan base, personal information should always be kept private to decrease the possibility of misuse or abuse in the future.