Every one a cybersecurity defender

Information flows seamlessly via the internet in this digital age, and the vast majority of our interactions take place online.

Yet, this convenience and connectivity does not come without risks: Hackers are on the prowl, seeking out vulnerabilities in computer operating systems to steal information and wreak havoc.

However, not all hope is lost, according to cybersecurity experts at the CyberSafe CyberReady 2017 seminar and exhibition organised by the Government Technology Agency of Singapore (GovTech) at the Suntec City Convention Centre on 16 October.

By understanding how hackers think and work, organisations can put in place the necessary measures to prevent data theft, protect against malware and mount a strong defensive response in the event of a cyberattack.

“There is a very clear realisation by the Cyber Security Group [at GovTech] that cybersecurity is no longer a niche field,” said Mr Chan Cheow Hoe, GovTech’s Deputy Chief Executive and Government Chief Information Officer, in his opening address to 800 public servants from a wide swathe of government agencies.

“Every one of us must ensure that cybersecurity is part of what we do every day.”

Of wars and walls

Large-scale cyberattacks such as WannaCry and Petya have grabbed headlines in recent months, shutting down computer systems across the globe to cause rampant chaos in the virtual and real worlds alike.

As new weapons are continuously brought to bear by hackers in this invisible war, organisations need to adapt their defences to keep cyberattackers out.

Like medieval sieges, cyber defence software solutions function as ‘walls’ to protect the precious city centre — data.

“But what we’ve found is that even by building the highest walls, hackers can still climb over them,” said Mr Chan, underscoring the level of sophistication of modern day cyberattacks.

Thus, defence in depth is another important consideration, meaning that multiple barriers should be erected to impede infiltration, he added.

While walls give the impression of rigid structures, Mr Richard Koh, Chief Technology Officer at Microsoft Singapore, recommended flexibility and cooperation in laying down cyber defences.

“There’s not going to be one silver bullet to solve all cybersecurity problems. It requires us to have a discussion about the policies, processes and tools that can help combat cyber threats,” said Mr Koh during the panel discussion, which also involved Mr Daniel Teo, Director of the Smart Nation Sensor Platform Programme office at GovTech and Mr Gerry Chng, ASEAN Cybersecurity Leader and Partner, Advisory Services at EY.

(Editor: EY refers to the global firm previously known as Ernst & Young.)

The panel was moderated by Mr Ian Loe, Director, Government Cybersecurity Operations, GovTech.

Mr Daniel Teo from GovTech agreed on the need for flexibility when it comes to cybersecurity solutions.

He said that “a gradient of security solutions” should be developed, and this could be achieved by dividing cybersecurity into tiers of varying importance.

The objective, he added, would be to create a security system that is “trusted, reliable and scalable”.

Chinks in the armour

Even if an organisation deploys state-of-the-art cybersecurity defences, it will all be for naught if the individuals of the organisation do not practice good ‘hygiene’ in their online activities.

Mr Loe highlighted that within the government, a significant proportion of all security incidents were initiated by employees opening malicious email.

Humans are thus the weakest link in the cybersecurity chain.

Mr Chng echoed this sentiment. “A lot of the attackers now are reaching out to the individuals because they are the ones with limited awareness or resources to safeguard their data and information. So, if each of us can be an entry point for the bad guys, security has to be the shared responsibility of everybody,” he noted.

But how can one guard against phishing emails?

Mr Loe, the panel moderator, recommended looking out for tell-tale signs like spelling errors and urgent messages, even providing the acronym SUNDAE for easy recall.

Mr Koh of Microsoft also suggested the use of an intelligence security graph to monitor logins and emails, so that suspicious online activities can be detected — and safely contained.

This point was raised earlier by Mr Chan in his keynote, stating that such data goes a long way towards identifying behaviours that could be a point of compromise.

“We need to move away from being reactive to being proactive [in our approach to cybersecurity],” he said.

Beyond the breach

Falling prey to a cyberattack is not a question of if, but when.

In the same way our bodies mount an immune response to infectious microbes, organisations must be prepared to deal with a successful breach of cyber defences.

Walking the audience through a simulation of a cyberattack was Professor Marco Gercke, Director of the Cybercrime Research Institute in Cologne, Germany.

By asking delegates to place themselves in the position of the cybersecurity department of a fictional country called ‘Atlantis’, Professor Gercke demonstrated how confusion can arise during a cyberattack.

The key lesson at the end of the exercise was the need for emergency procedures to be established so that key decisions can be made even in the absence of complete information.

Organisations must also plan for varying levels of attack because hackers often conduct simultaneous and opportunistic raids that exploit panic and uncertainty.

“You know your systems and structures best,” said Prof Gercke.

“So, prepare for those attacks and exercise under realistic circumstances.”