By Anil Bhasin
Cybersecurity has been elevated from a mere operational consideration to become an issue of international concern and cooperation. This year at the World Economic Forum, we even saw global business and political leaders at the highest levels make clear public commitments to greater openness, transparency and collaboration in the fight against cybercrime.
In the race to keep up with ever-evolving strains and attack modes, the onus of keeping our digital infrastructure secure can no longer lie solely with the IT team or the upper echelons of management, but is now the responsibility of everyone in a company with access to a computer or smart device.
This reality has been made even more apparent by the impact of COVID-19, which has catalysed a dramatic pivot towards telecommuting on a global scale. For the first time ever, millions of employees across industries are logging on remotely to access company servers via their home Wi-Fi networks, pushing each nation’s digital infrastructure to the very limit – and inadvertently opening a multitude of new attack vectors for threat actors. Just a few months into the new decade, we’ve already seen the rise of sophisticated attacks that exploit COVID-19 panic and social engineering, along with successful attacks on critical healthcare infrastructure and official communication channels.
In these challenging times, a new perspective is the need of the hour. Many companies in the past decade sought to bolster their cybersecurity posture through diversification in a bid to plug as many holes as possible. This meant investing in multiple best-of-breed point solutions, creating a broad and disparate ecosystem of defensive systems. This way of approaching cybersecurity led to a chicken-and-egg-like challenge, where more security professionals were needed to support larger teams, which were then difficult to staff as a result of the all-too-familiar skills shortage.
But was this all necessary? Our own research conducted in recent years revealed that more organisations in APAC are realising that tools and money don’t solve cybersecurity issues. With playing catch-up to attackers fast becoming the new norm, it has become abundantly clear that a reactive approach to cybersecurity will no longer be sufficient to protect businesses moving into 2020 and beyond. Here are four developments that will define how organisations prepare as we navigate the 2020s:
- The mistakes of 4G may carry over to 5G
The Telecom Regulatory Authority of India (TRAI) is gearing up to open the 5G spectrum in 2020. Countries like Australia, Malaysia, Singapore, Thailand and Vietnam are all announcing plans to unveil networks in the year ahead. With telecommuting looking increasingly likely to become the new normal for many industries after the virus storm has been weathered, the promised lightning speed, increased reliability and low latency of 5G will be welcomed by enterprises and employees alike.
However, while this provides glimpses into the potential of 5G, we are not quite there yet. 5G is built on the foundation of 4G, meaning that the same security threats that were present in the 4G network will likely be magnified further on 5G networks – now moving at an ever-growing pace and connected to even more devices. If existing security risks are not dealt with now and roll over into the 5G era, mobile internet service providers could be the first point of failure during a cyberattack, grinding critical services from healthcare to banking to a halt.
- The Internet of Things will become a minefield
The Internet of Things (IoT) will result in billions of connected devices proliferating throughout networks across the world. In Thailand, the adoption of Agri-IoT solutions is seen as a key driver of the country’s Thailand 4.0 vision, while smart city projects in Malaysia and Singapore are aimed at empowering millions of citizens through innovation and disruption.
However, if left unsecured, these connected devices provide multiple entry points to corporate networks. Furthermore, the 2020s are likely to involve even greater use of sophisticated deepfake technology, which enables attackers to mimic biological identifiers, rendering multifactor authentication and biometric identification significantly less effective.
In many organisations, unsecured IoT devices are already in place, creating a potential minefield of security ‘explosions’ that could go off at any time – particularly in healthcare IT environments where cyber hygiene, software patches and updates may be taking a backseat at the moment.
In the next decade, organisations will need to continuously retrofit and update IoT devices to remain secure, eventually adopting a “secure by design” approach with security built in from the start – measures for which are beginning to be taken. As India moves towards a new reality due to the COVID-19 crisis, digital vulnerabilities have also increased. In an attempt to provide a safer digital world, Karnataka’s Centre of Excellence in Cyber Security (CySecK) has flagged off an accelerator programme, HACK, for cybersecurity start-ups. According to the Karnataka government’s official statement, the accelerator programme has over 21 start-ups on board across three cohorts: the 10x cohort, the 0-1 cohort and the virtual cohort. The applications for the programme were evaluated by an independent panel, which had representation from the government, academia, industry practitioners and the investor community. The key objectives of the Centre of Excellence are to promote a cyber-safe and conducive environment for industry collaboration, address the skills gap, build awareness and foster innovation in the emerging technology field of cybersecurity.
- Embracing AI to get ahead
The skills shortage feels real to many organisations – especially in India. Despite a steady increase in demand, India continues to witness a huge shortfall of skilled cybersecurity professionals. A lack of skilled professionals continues to haunt the country, which needs about 1 million cybersecurity professionals, according to an estimate by the Data Security Council of India. The reality is that there is a mismatch between expectations and the actual needs of cybersecurity roles.
The industry could potentially train millions of cybersecurity professionals in the next decade and still not be able to solve the cybersecurity challenge, unless it fundamentally changes its understanding of what a cybersecurity professional actually is. With attackers embracing automation and artificial intelligence (AI) to launch attacks, cybersecurity professionals also need to stay a step ahead by leveraging AI. AI-driven solutions will be able to detect and remediate anomalies in network behaviour at phenomenal speeds, well before any human cybersecurity expert could react. As the use of the technology becomes more commonplace over the next few years, the role of the cybersecurity expert will experience a fundamental shift in skills. This does not necessarily change the need for cybersecurity professionals, nor the number of open positions, but it does mean that the human factor will be a completely different element in cybersecurity design.
With many businesses currently in ‘survival mode’ and coronavirus-themed attacks being one of the largest security threats they will face, organisations that aren’t already exploring AI-driven cybersecurity may find themselves at a disadvantage. Putting the right AI solutions in place can help mitigate the skills shortage and let smart, innovative, talented people focus their skills where they can have maximum impact.
- Security will influence the next generation of tech products
A DevSecOps approach is one that integrates security processes and tools into the development lifecycle of new products. Baking security into products from the beginning is the only way forward given the uber-connectedness expected for networks in the 2020s, especially so with Asia’s soaring appetite for digital financial services and e-commerce. The DevSecOps approach makes everyone responsible for security instead of assuming new apps and devices will be secured by the user once in their hands. Security will need to become the constant thread running through all phases of development.
It’s important to note that a 100 percent secure network is not practically achievable even in the next decade. Due to any number of factors, there are always likely to be gaps in an organisation’s security posture. This could be because resources are limited, or because vulnerabilities exist in connected partner networks, or simply because cybercriminals find yet another new way to sneak past current defences. The most important thing for security professionals to remember is that security must be based around priorities, so it’s essential to understand what the organisation’s crown jewels are and protect those effectively.
In this brave new world of cybersecurity, can the enterprise remain one step ahead of cybercriminals? Beyond these steps, the threat landscape will continue to evolve and have profound impacts on the way we design our security infrastructure. Just as we’re all making concerted efforts to step up our personal hygiene practices and terms such as “social distancing” and “self-quarantine” have entered our daily vocabulary, so too must we maintain the same level of vigilance when it comes to our digital security moving forward.
(The author is regional vice president, India & SAARC, Palo Alto Networks and the views expressed in this article are his own)