Global Cyber Security Outlook
@ the IERP® Global Conference, October 2022
This session, presented by IERP faculty member Lee Chin Hon, covered the trends likely to shape cybersecurity in the near future, what threats and opportunities will arise from emerging technologies, and how organisations can manage new models of public-private information exchange, develop talent and improve management in the process. Lee’s presentation covered a wide range of issues, spanning the state of global cybersecurity and its link to sustainability, to how to set passwords and identify possible systems breaches. From the outset, he stressed the link between sustainability and technology, pointing out that including technology was integral to the ESG agenda.
The future, he said, was not about dollars and cents anymore. Instead, it was about technology, the future currency that will drive everything forward. It was important, therefore, to identify vulnerabilities now, so that the foundations laid would be robust enough to withstand the challenges of the future. Noting that sustainability means maintaining the ability to meet current needs without compromising the ability of future generations to meet their own, he urged improvements in the application of technology in a way that could continue to provide economic growth; cybersecurity plays a critical role in this.
“Cybersecurity can preserve the benefits of digitisation,” he said. “Everything is digital today. How do we preserve the benefits of utilisation, so that we can provide equal access to economic resources?” Dependence on apps has grown exponentially in the pandemic. Food supply, especially, has come to depend highly on ICT particularly in the area of logistics. As industry rapidly digitises, spurred by the pandemic, the supply chain has become increasingly vulnerable as well. But this, together with long-term production, can be protected by cybersecurity which more robustly covers the online resources that businesses and consumers have come to depend on.
Cybersecurity needs to be applied to a plethora of platforms, including connectivity, automation, mobile payment systems, transportation, protection of systems for automated ordering, delivery and inventorying; and for confidentiality and integrity of information that supports transparency of organisational decision-making. The level of connectivity of networks and systems today is unprecedented. With the Internet of Things (IoT), for example, even everyday devices like home security systems, refrigerators and air-conditioners may be connected, enabling machines to ‘talk’ to other machines.
Because of the application and integration of AI and ‘smart’ systems, cybersecurity has become a must-have for almost everything. “A lot of data is stored online so protection is crucial,” he added. It has become even more so considering the growing use of cloud computing facilities for data storage and accessibility purposes. Here, again, uncertainty and security issues may arise because while users know who owns the cloud services, they do not know where the data actually is. Why then are people still willing to spend on cloud services? Lee said these were comparatively cheaper; even governments were beginning to use them for storage of large amounts of data.
“Cloud is big business,” he said. “But what is actually being stored is unknown.” More organisations were beginning to use cloud computing providers, indicating that it is gaining traction; the trend appears to be an increase in use for a number of functions including HR and payroll but the question is, is the cloud more secure? “There are two schools of thought about security,” he said, remarking that financial institutions, for instance, will not do cloud-based things. “The first school of thought is yes, it is secure. But this is the response of cloud service providers. This is their business, so they will promote it as such.”
The second school of thought is that it is not as secure as it should be. Lee advised, therefore, that organisations should not use cloud services before doing their own investigations regarding the suitability of these for their own operations. Companies should familiarise themselves with what is best practice, and do their own assessment; they may even want to implement technological improvement and see cloud computing as a solution. But Lee cautioned that from the cybersecurity point of view, the more points of access there were, the more opportunities there will be for cyberattacks.
There are mitigative measures; one of the most effective is setting passwords, he advised. “But you need to know how to set them for maximum effectiveness,” he said. “Don’t share passwords, for example.” Lee’s presentation also covered the way ‘bots’ work, and new ways of hacking. He singled out ransomware attacks as particularly damaging, as these can lead to denial of service (DoS) situations which can be costly. If customers are unable to access services online, the firm’s revenue will be directly affected. But how can organisations know if their systems have, in fact, been breached? Lee said the first indication was often a slowing down of the system.
Identifying an actual breach and the point at which it happens is not easy, leading many users to attribute it to “just an IT issue” when it could in fact be the first signal of a major problem. In response to a question on how to respond in cases like these, he said that it would depend on the organisation’s incident response plan, and whether there were appropriate controls in place to manage such breaches and cyberattacks. But in the current environment, these were inevitable. “No matter how good your controls, events do happen,” he said, advising that organisations should nevertheless regularly test their systems end to end.