It was recently revealed that the personal data of 20 million South Koreans (40% of the country’s population) was stolen by a contract worker at the Korea Credit Bureau, toppling consumer trust in Korean credit card companies. The theft was carried out by an insider over a period of time and raises the question: How could such an incident go unnoticed? We have found that breaches such as this are usually due to:
Poor system controls for privileged users. Privileged users often have more access than they really need to do their job. By definition, these users need broad access rights, but “broad” shouldn’t imply “unlimited.”
Indian firms have become cognizant of the fact that they have entered the age of the customer — an era in which they must systematically understand and serve increasingly powerful customers. These firms are leveraging mobility to empower their employees to win, serve, and retain customers. For example, the Tab Banking initiative by ICICI Bank uses tablets to enable sales representatives to visit customers to give them the convenience of opening bank accounts without leaving their home or office. However, since consumer mobile technologies have entered the enterprise, the management of mobile device platforms has become more complex; enterprises have started realizing that security controls should be around the apps and the data and not the device. In India, mobile application management (MAM) has leapfrogged other strategic telecom and mobility priorities in 2014 (see the figure).
The importance of supporting a workforce that wants (and has come to expect) to work anywhere, anytime, and on any device has necessitated a paradigm shift in security and risk (S&R) mitigation approaches and techniques. S&R professionals must therefore implement a security program that centers on mobile applications. This is because:
Digitally empowered customers are disrupting every industry; the age of the customer brings with it some inherent risks that will push organizations to increase spending on security software. In Asia Pacific, security software has leapfrogged other software categories and leads the region in terms of expected software spending growth in 2014 (see figure below).
We believe that the high growth in security software spending in Asia Pacific is primarily due to the following risks related to the age of the customer:
Migration to public cloud services. In a recent survey, 41% of Asia Pacific firms identified public cloud and other as-a-service offerings as a high or critical priority for 2014. Increased adoption of public cloud-based services like storage and disaster recovery is stretching the attack surface, exposing enterprises to a variety of security issues related to confidentiality, integrity, availability, and accountability. In response, firms must strengthen their security infrastructure.
Increased mobility. Nearly 45% of the Asian organizations in our survey identified mobility as a high or critical priority for 2014. As enterprises introduce mobility into their environment and add devices to support the initiative, the footprint of their infrastructure increases. The new access points attached to the network create opportunities for attackers to break into the infrastructure directly or via mobile application portals that provide gateways to protected, sensitive data.
Needless to say, Indian service providers pioneered and developed the outsourced software development space; currently, they generate a combined $3.2 billion of revenue annually. Although Indian software service providers claim high standards, it is apparent that there are still weaknesses in their delivery. I just published a report that highlights the main culprits for this: a lack of executive commitment, poor application coding, and the industrialization of software development:
Poor application coding persists despite lessons learned. The security vulnerabilities are hardly obscure: More than two-thirds of applications have cross-site scripting vulnerabilities, nearly half fail to validate input strings thoroughly, and nearly one-third can fall foul of SQL injection. Security professionals and software engineers have known about these types of flaws for years, but they continue to show up repeatedly in new software code.
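The three flaw classes named above (input validation, SQL injection, cross-site scripting) each have a well-known hardened form. The following is an added example, not code from the report or from any Indian service provider: a constructed in-memory user table, the recurring string-concatenation flaw beside its parameterized replacement, allow-list validation of the username, and output encoding at the HTML sink. All names and sample data are illustrative.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample backend: a tiny in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# Allow-list: a username is a short token, nothing else.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(raw):
    """Reject anything that is not a short alphanumeric token."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def lookup_email_unsafe(conn, username):
    """The recurring flaw: untrusted input spliced into the SQL text."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_email_safe(conn, username):
    """Hardened form: validate first, then bind the value as a parameter.

    With a bound parameter the database engine treats the value purely as
    data, so it is never interpreted as part of the SQL statement.
    """
    username = validate_username(username)
    rows = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [row[0] for row in rows]


def render_greeting(username):
    """Output encoding at the HTML sink, the basic defence against XSS."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"
```

The unsafe lookup returns every row for a quote-bearing input because the input becomes part of the WHERE clause; the safe lookup rejects the same input at validation and, even if validation were skipped, would match no row.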
A lack of executive commitment within outsourcing firms leads to poor security. Although most of the service firms’ executive leadership teams mean well, few appear to grasp the true potential for security breaches at their customers, the implications of those breaches, and the part that the outsourced partner must play in preventing them.
The industrialization of software development expands the attack surface. Development on an industrial scale can put clients at significant risk. In some cases, offshore development centers serve multiple clients but lack effective network segmentation.
The digital age brings some inherent security risks, like cyberattacks and hacking, that can have a significant impact on governments. The governments of Singapore, the Philippines, South Korea, India, and Japan are some of the recent major victims — and the list is growing by the day.
Why are Asia Pacific (AP) governments a soft target for cyberattacks?
Aging, vulnerable infrastructure. Many servers that host critical government websites still run outmoded operating systems and are plagued by problems such as obsolete software and insecure coding, making them vulnerable to cyberattacks. For instance, only a handful of government computers in India use the latest version of Java; more than three-quarters of them are running unsupported versions of the software, which has been a common target for malware since 2010.
Low adoption of advanced security technology coupled with lack of security expertise. Governments still rely on conventional security controls like antivirus, antimalware, and firewalls that are powerless against sophisticated attacks. The problem is exacerbated by the fact that governments lack highly skilled personnel to combat cyberattacks effectively.
On July 2, the government of India released the National Cyber Security Policy 2013. This policy extends to a spectrum of ICT users and providers, including home users, SMEs, large enterprises, and government and non-government entities. The policy aims to serve as an umbrella framework for defining and guiding the actions related to the security of cyberspace. The policy has been much delayed but is now released amid reports of global snooping by the US and ever-increasing threats to India as a country.
The policy defines 14 diverse objectives that provide an overview of the government’s approach to the protection of cyberspace in the country. A few objectives that will have a positive impact on S&R professionals in India caught my attention:
- Appointment of chief information security officer (CISO): Organizations may or may not have a designated person responsible for cybersecurity initiatives today. With the release of National Cyber Security Policy 2013, organizations will be mandated to appoint a person in a senior management role as CISO.
- Strong security workforce: The government plans to create a strong workforce of 500,000 security professionals in the next five years through skill development and training programs. This will mean more opportunities to enhance skills and more job opportunities for S&R professionals.
Trend Micro held its first Asia Pacific (AP) Industry Analyst summit on April 9, 2013 in Singapore. The most obvious message for me is that the company is clearly seeking to expand its focus well beyond the “legacy” antivirus market. Throughout the event, Trend Micro emphasized the need for cloud security solutions and the opportunities that exist in the Asia Pacific market. Speakers also highlighted the need to invest in breaking Trend Micro’s image as an antivirus vendor to help capitalize on the market opportunities for enterprise cloud security.
Below are the two key themes highlighted by Trend Micro during the event and my take on each:
Enabling cloud-related security is central to company growth. Security-related concerns remain the most prominent reason that organizations cite for not adopting cloud services. Recently, the Cloud Security Alliance (CSA) outlined the “Notorious Nine” threats for 2013; the top three cloud-related threats are data breaches, data loss, and account hijacking (source: http://www.zdnet.com/clouds-risks-spur-notorious-nine-threats-for-2013-7000011820/). Forrester’s Forrsights IT Budgets and Priorities Survey conducted in Q4 2012 shows that 30% of organizations in the AP region aim to create a comprehensive strategy and implementation plan for public cloud and other as-a-service offerings over the next 12 months. Cloud-related spending therefore represents a big market opportunity. Security will be central to organizations’ cloud strategies, and hence to their spending. Trend Micro is aiming to meet this nascent demand but must better explain why it is best positioned to do so.