Businesses in APAC are particularly vulnerable due to the IT talent crunch. Here are an expert’s recommendations for tightening cybersecurity.
Companies cannot defend themselves against every single thing that can go wrong, because bad actors will continue to invent new ways to get inside the network. We also know that no matter how large a budget you allocate to enhancing your organization’s cybersecurity in 2020, you will continue to suffer from the current talent shortage.
According to an International Information System Security Certification Consortium (ISC2) study from 2018, the Asia-Pacific region is experiencing the greatest talent shortage at 2.14 million, which is partially attributable to its growing economies and new cybersecurity and data privacy regulations throughout the region. Sixty three percent of respondents said their organizations had a shortage of IT staff dedicated to cybersecurity, and nearly 6% said their companies were at moderate or extreme risk of cybersecurity attacks due to this shortage.
To mitigate this shortage in IT talent, enterprises in the Asia Pacific region will need to rigorously consider the weakest points in their systems and build a comprehensive security program that includes network segmentation, network visibility and multifactor authentication. Organisations will also need to assess and catalog the data they hold and where, then decide on the controls they want to put on it. This “defense in depth” or “security in layers” approach will continue to be the best practice for security. Along with creating a strong security program, we anticipate that four areas will dominate the cybersecurity agenda for enterprises in 2020.
1. Multi-factor authentication will be key to Access Management
Bad actors have breached many organizations of all sizes, exposing passwords that provide a good statistical model to facilitate further attacks on companies or individuals. This will be a big cybersecurity threat for Asia Pacific companies in 2020 seeking to protect the integrity of their data without multi-factor authentication. The latter continues to be one of the most important things enterprises should pay attention to, due to compliance regulations and the additional layer of protection it provides beyond passwords. Some of the large cloud service providers are taking the protection a step further with hardware tokens. This level of protection is recommended for high value accounts in your organization.
2. Cloud consciousness helps protect data
2019 witnessed too many cases of enterprises that moved their data to the cloud but failed to adopt standardized controls, thus inadvertently leaving the gate open to intruders. According to a study by Cisco, many security teams in the Asia Pacific region are also unaware of the number of vendors or products that exist in their environment. The Philippines and Malaysia lead the region with the highest percentages of organisations that do not know how many products they use, while Vietnam has the highest percentage that do not know how many vendors they use.
Cloud storage providers such as Amazon are improving how they interact with customers—by helping them identify any weaknesses in the configuration of S3 buckets, for example. However, it is likely that failures in compliance and certifications will continue to lead to cyber breaches in 2020.
Neither moving to the cloud, nor staying away from the cloud, will necessarily help companies with their data security. In 2020, enterprises will be better off moving to the cloud in a secure and conscious fashion, making clear decisions about what data they are sending to the cloud and what they want to do with it, rather than just moving information wholesale. Companies should make very conscious decisions about what controls they will be using and what protection is offered by the upstream cloud service provider.
3. Tightening data access to external vendors
Third-party risk will continue to be a potential weakness in enterprise cybersecurity practice. Businesses need to consider exactly what data they are providing and what level of control is needed to ensure the integrity of that data. For example, the employee personnel information typically shared with an HR contractor is much more sensitive than data relating to a marketing campaign. Companies must perform due diligence around this issue to ensure that the relevant data security configurations are correct and leakproof.
4. IoT devices on enterprise networks create uncontrolled risk
2020 will see the continuation of the IoT trend that has been developing for the past four or five years. The problem is that these devices have become much more powerful, without getting any smarter. The first IoT devices were relatively simple, and although they did offer intruders a way into networks, the damage was limited. More recently, however, IoT devices have become a lot more powerful. They are expected to do a great deal more, and are more deeply integrated into enterprise networks. This means that if a bad actor is able to take control of the device the havoc that can result will be extensive, and security around IoT devices has not kept pace.
Companies must accept that the battle to protect enterprise data is now a permanent feature of the business landscape. Organisations have to be on constant alert to evolving threats, and the actions outlined above should form the basic building blocks of corporate data protection.