Commentary: Here's how to win the cybersecurity arms race
One advantage cybersecurity departments have over hackers is this - hackers cannot work in the open, says Red Hat's Dirk-Peter van Leeuwen.
SINGAPORE: It has been said that cybersecurity is like an arms race, with both sides constantly evolving their weapons and defences.
On one side are the keepers of data and information, and on the other are the cyber criminals who want to steal and profit from that information.
WHAT’S THE COST?
In one of the largest data heists in history, it came to light in November 2018 that the data of up to 500 million guests of the Marriott hotel group had been stolen. In 2017, cyber criminals took the records of some 145 million customers of credit-reporting agency Equifax.
In Singapore, the records of 1.5 million healthcare patients, including those of the Prime Minister, were stolen. Separately, the records of 14,200 HIV-positive people in Singapore were also leaked online.
In Bangladesh, hackers in 2016 robbed the country’s central bank of about US$100 million, with some of the money later traced to Sri Lanka and the Philippines.
These cases are not isolated. Cyber crime costs businesses close to US$600 billion per year, or 0.8 per cent of global GDP, according to a 2018 study by McAfee and the Center for Strategic and International Studies. This is up from a 2014 estimate that put global losses at about US$445 billion.
While it could be argued that cybercrime affects “only” 0.8 per cent of the world’s output, that is 0.8 per cent too many. You’d be mad to think it’s okay to hand over US$600 billion to hackers every year.
On top of the direct economic costs, businesses preyed on by cybercrime also have to deal with damage to their reputation, lost productivity, potential fines from regulators and, perhaps most crucially, the loss of their customers’ trust.
From what we have observed, our digital information can be grouped into different types. First is our identity, or our record of who we are. Second is our transaction histories, which, with artificial intelligence (AI), could predict when we will next watch a movie or buy a car. Third, and more specific to banks, are our assets – our money.
All these are now in the digital realm, which criminals are only too happy to hack.
As online transactions become more popular, we could assume that online fraud would increase as well.
This raises some questions. How can companies regain the trust of customers if their data has been stolen? Can we reverse or at least slow the growth of cybercrime?
HOW WE’RE MISTAKEN
The trouble is, there are some stubborn misconceptions about cybersecurity.
Even today, one of the most common but mistaken beliefs we hear from ordinary consumers is that “Cybersecurity is not my problem”, or “Cybersecurity is someone else’s responsibility”, passing the blame (sometimes rightly so) to banks, credit card companies, online stores, or other companies which allow online transactions.
Among corporations, I am still hearing top executives say: “Cybersecurity is handled by the IT department.”
These misconceptions are only one part of why organisations remain vulnerable to cyber breaches, but they are the biggest hurdle.
But even if consumers and corporate leaders get past that mental hurdle – what’s next? Next is having to contend with so-called legacy or ageing platforms. These are the hardware and software which host applications and services.
Upgrading these core platforms can cost money, is time-consuming, and could mean downtime of services and millions in lost revenue while systems are being upgraded. That is why you would hear groans from heads of businesses when their heads of IT departments present their upgrading plans and the costs involved.
Sadly, many companies are jolted into action only by one of two things: either a country’s regulators introduce new guidelines and requirements, or the company falls victim to a catastrophic breach and is forced into recovery mode.
It is also unsurprising that during these times of crises and breaches, some organisations or even governments resort to the knee-jerk reaction of disallowing their staff from accessing the public Internet.
WHAT TO DO?
Indeed, we should not wait for catastrophes to happen before preparing ourselves.
At the basic level, consumers, company executives, third-party providers and regulators need to agree that cybersecurity is everyone’s business. We’re all in this together.
Consumers need to keep their accounts secure by following basic rules, including creating strong, unique passwords, not giving them away, changing a password as soon as there is any sign it has been exposed (current guidance such as NIST SP 800-63B no longer recommends routine rotation on a schedule), using two-step verification, and logging out of accounts or computers not in use. That sounds easy, but worryingly, one survey has shown that 35 per cent of Americans never change their passwords at all.
Companies have far more complex duties – a combination of policies and practices. These include backing up data, setting up firewalls, securing office computers and devices, managing admin passwords, using spam filters to reduce phishing emails, educating employees, and having IT security and risk-management policies in place.
Educating staff about data security is highly important. Studies have shown that around half of data losses arise from actions by a company’s own employees.
But, even more worryingly, a Ponemon Institute study sponsored by IBM Resilient showed that 77 per cent of companies surveyed globally do not have a cybersecurity incident response plan that is applied consistently across the organisation.
DON’T LET THE BAD GUYS WIN
By any measure, we still have a lot to do and cannot let the hackers win.
To beat cyber criminals, the IT industry has been hiring so-called ethical hackers, whose job is to discover security vulnerabilities in the computer systems of companies and organisations.
Regulators also have the duty to issue directives compelling companies and organisations to protect their systems from cyberattacks, including malware such as viruses, worms and ransomware, as well as denial-of-service attacks.
Early indications show that the European Union’s General Data Protection Regulation (GDPR), sometimes called the “granddaddy” of data regulations and enforced since May 2018, has had some success in shifting power over personal data back to the consumer.
A MATTER OF TRUST
This answers our first question above. Customers would trust companies that adhere to duty of care over data, with the help of best practices in cybersecurity.
Consumers need to know clearly what information is needed from them, and how this will be used. Companies, on the other hand, would have to collect only data relevant to the business.
In case of a data breach, customers want companies to explain what happened and what they are doing to solve the issue. If a company makes a mistake, consumers want to hear an apology and see some action, or even compensation.
THE 'OPEN' APPROACH
Of course, there needs to be some financial investment in removing obsolete IT systems and replacing them with robust ones.
To any doubtful business executive, we ask this: How would you weigh that IT investment against the cost of a security breach? How does it compare with the cost to regain your reputation and the trust of your customers, who are the lifeblood of your company?
For many years, experts have also said that open-source software like Linux can be more secure than proprietary software. Why is that? It’s because the open-source community of developers, in which Red Hat is a strong contributor, can discover software vulnerabilities more quickly: the code is shared openly, so anyone can inspect it, and it is vetted more thoroughly by the community.
Vulnerabilities in proprietary software, on the other hand, are not discovered as quickly because the code is developed in-house, with fewer eyes on it and less transparency.
Based on my experience in helping customers, I have seen how the open-source way of development can also be a strategy template in solving cybersecurity problems. This involves openness and sharing between all involved.
There have been calls for companies to be more open about getting support from “white hat” or ethical hackers, and we have seen cybersecurity firms forming alliances to deter attackers. But these measures are not enough.
It is also not enough to jail cyber criminals and create software patches every time a new virus is unleashed. Perhaps it is high time to change tack, to be more proactive, and use a far more collaborative, “open” approach, where consumer groups, industry bodies, regulators, think tanks and experts come together, share views and technical knowledge, and draw up longer-term strategies to combat cybercrime.
Fostering this openness could also make us quicker to respond to crises, and could give us access to resources and talent within this unified community.
This is something which hackers do not have, for they cannot work in the open. To answer our second question above, this open approach could stem the tide of breaches in cybersecurity.
Dirk-Peter van Leeuwen is the Senior Vice-President & General Manager of Red Hat Asia Pacific.