Danial Norjidi
BEFORE preparing a strategy to deal with cyber threats, it is crucial for organisations to first identify the risks posed to them.
This was one of the points put forward during the afternoon session of Royal Brunei Technical Services’ Cyber Security Forum at the Rizqun International Hotel yesterday, in which a panel of speakers discussed how risks associated with cyber threats are now a board-level concern.
The scene was first set by Steve Ledzian, the Technical Director (Asia) of cybersecurity company FireEye, who gave a presentation on the topic of “Cyber Risks and the Board Room & Core Demonstration”.
He then joined an open discussion with two other panellists, one of whom was BAG Networks’ Technical Consultant & Project Manager, Peter Byford, who said, “Before you can come up with your strategies on how you can approach security, you need to identify the risks. What are the risks to your business? Once you have identified those risks, you should be able to prioritise them. Once you’ve done that, then you can put your strategies in place on how you’re going to deal with cybersecurity.
“There are a number of methods you can use. A lot of what we’ve talked about in this forum is related to risk mitigation and putting firewalls in place. However, there are other strategies you can use for cybersecurity.”
One such method is risk transference. As an example, he said, “When you move your data to the cloud, you are not handing over your security responsibilities. You still need to control who has access to your data, even when it is in the cloud. It doesn’t matter where you put your data; you’re still responsible for who can access it.
“Next is risk avoidance. If you don’t need to save confidential information such as financials on your servers, then don’t. That way, if you are breached, that information is not in the system. The last strategy is risk acceptance, which is probably one of the hardest to do. I’m talking about the board accepting they’ve already been breached. As Steve mentioned, 96 per cent of companies have experienced a security breach.
“People think differently about this, maybe that their company is small, or their company is too strong, but the reality is that breaches happen. For this strategy, the aim is to contain the breaches. Keep track of which risks are affecting your business, remove any unnecessary risks, and if you identify new risks add them to the risk register, but this is something that needs to be reviewed on a regular basis.”
Session moderator George Platsis, the Chief Administrative Officer at SRI Professionals, recounted a quote from the Director of the US Federal Bureau of Investigation, who said during an interview on American TV show ‘60 Minutes’ that “there are two types of companies in the world: ones that have been hacked, and ones that don’t know that they’ve been hacked yet”.
Associate Professor Dr Suresh Sangkaranayan, ITB’s Programme Leader of Computer Networks, was another of the panellists, and he spoke on the opportunity that exists to bring research and industry together in the field of cybersecurity and on how innovative research could become commercialised.
Speaking on the importance of prevention, Steve Ledzian said, “A breach is inevitable. Prevention is important, but we also need to address the problem of what happens when prevention fails.”
Associate Professor Dr Suresh highlighted that when someone builds a house, they need to keep it secure, and the same thing applies to leading organisations and preparing for cyber threats.
“When you are running an organisation, you need to make sure it is secure,” he said, highlighting that we live in a digital world, and organisations need to make sure that they are secure enough to exist in it.
BAG’s Peter Byford responded by reiterating the need to have a regularly updated risk register in place. “Once you’ve identified the key risks that will affect your business objectives then you will know what to allocate your budget towards.”
Associate Professor Dr Suresh highlighted the need for more research to be done to come up with ideas that will meet the cybersecurity needs of the industry, while Steve Ledzian reaffirmed that FireEye has “the best experts in the world combined with the best technology in the world” to deal with cyber threats.
At the end of the forum, George Platsis said, “We hope this turns into something that you can bring up more often and that it can become a regional event.
“One common theme through everything that we talked about is that we still really don’t know what’s going on,” he said. “This is not only for the very advanced countries like the US, China and Russia, but also smaller countries. If there’s one word that can encompass everything that has happened today, it’s ‘awareness’,” he concluded.