On April 8, 2014, Microsoft stopped technical support for Windows XP; XP customers will no longer receive security or technical updates, hotfixes, or free or paid assistance. Microsoft statistics show that around 25% of PCs in Asia Pacific still run XP. Asia Pacific enterprises haven’t migrated away from XP because:
Technology management departments didn’t communicate the need well enough and thus have not received the necessary funding to migrate to Windows 7 or 8.
Many firms rely on legacy applications that run on XP and are often incompatible with the latest versions of Windows. For example, an Australia-based oil and gas exploration firm faced application compatibility issues when migrating from XP to Windows 7.
Some enterprises underestimated the work required to migrate to a new OS and are still halfway through their project.
Asia Pacific firms are gradually beginning to understand how important big data is for responding to rising customer expectations and becoming customer-obsessed to gain a competitive edge in the age of the customer. Data from our Forrsights Budgets And Priorities Survey, Q4 2013 shows that 40% of organizations across Asia Pacific expect to increase their spending on big data solutions in 2014.
In addition to traditional structured data (from ERP and other core transactional systems), organizations are increasing seeking insight from unstructured data originating in both internal (IM, email) and external (social networks, sensors) sources to enhance the business value of data. But these initiatives pose a significant challenge to security and risk professionals:
Protecting sensitive data from fraudsters. Today’s fraudsters are active both inside and outside of firms, working to steal business-critical data. Inadequately secured and poorly controlled big data environments can potentially make the job of these malicious actors easier by reducing the number of systems or entry points that they must compromise in order to steal the data they need.For example, the personal data of 20 million South Koreans (40% of the country’s population) was stolen by a contract worker at the Korea Credit Bureau.
It was recently revealed that the personal details of 10,000 asylum-seekers housed in Australia were accidently leaked via the Department of Immigration and Border Protection’s website. This has damaged asylum-seekers’ trust in the Australian government and, according to Greens Senator Sarah Hanson-Young, potentially put lives at risk. Such incidents represent significant breaches of local regulations and can result in heavy penalties.
Recent amendments to existing privacy laws in Australia and Hong Kong allow each country’s privacy commissioner to enforce significant penalties for repeated or serious data breaches. Countries like Japan and Taiwan, where new privacy laws have been passed and/or existing ones are being enforced more strictly, also assess penalties for noncompliance.
You must treat the protection of sensitive customer data as a core responsibility essential to your enterprise’s success. Help earn and retain customer trust by formulating a comprehensive strategy for complying with local privacy regulations that includes the following action items:
Asia Pacific (AP) organizations have historically been slower to outsource critical information security functions, largely due to concerns that letting external parties access internal networks and manage IT security operations exposes them to too much risk. They have also not fully understood the real business benefits of outsourcing partnerships from a security perspective. However, this trend has recently started to reverse. I have just published a report that outlines the key factors contributing to this change:
Skill shortages are leading to higher risk exposure. Scarce internal security skills and a dearth of deep technical specialists in the labor pool are ongoing challenges for organizations around the world. This not only raises the cost of staffing and severely restricts efficiency, it may also increase the costs of security breaches by giving cybercriminals more time to carry out attacks undetected; at least one study indicates that the majority of reported breaches are not discovered for months or even years. The early adopters of managed security services in AP tell us that external service providers’ staff have more technical knowledge and skill than their internal employees.
It was recently revealed that the personal data of 20 million South Koreans (40% of the country’s population) was stolen by a contract worker at the Korea Credit Bureau, toppling consumer trust in Korean credit card companies. The theft was carried out by an insider over a period of time and begs the question: How could such an incident go unnoticed? We have found that breaches such as this are usually due to:
Poor system controls for privileged users. Privileged users often have more access than they really need to do their job. By definition, these users need broad access rights, but “broad” shouldn’t imply “unlimited.”
Indian firms have become cognizant of the fact that they have entered the age of the customer — an era in which they must systematically understand and serve increasingly powerful customers. These firms are leveraging mobility to empower their employees to win, serve, and retain customers. For example, the Tab Banking initiative by ICICI Bank uses tablets to enable sales representatives to visit customers to give them the convenience of opening bank accounts without leaving their home or office. However, since consumer mobile technologies have entered the enterprise, the management of mobile device platforms has become more complex; enterprises have started realizing that security controls should be around the apps and the data and not the device. In India, mobile application management (MAM) has leapfrogged other strategic telecom and mobility priorities in 2014 (see the figure).
The importance of supporting a workforce that wants (and has come to expect) to work anywhere, anytime, and on any device has necessitated a paradigm shift in security and risk (S&R) mitigation approaches and techniques. S&R professionals must therefore implement a security program that centers on mobile applications. This is because:
Digitally empowered customers are disrupting every industry; the age of the customer brings with it some inherent risks that will push organizations to increase spending on security software. In Asia Pacific, security software has leapfrogged other software categories and leads the region in terms of expected software spending growth in 2014 (see figure below).
We believe that the high growth in security software spending in Asia Pacific is primarily due to the following risks related to the age of the customer:
Migration to public cloud services. In a recent survey, 41% of Asia Pacific firms identified public cloud and other as-a-service offerings as a high or critical priority for 2014. Increased adoption of public cloud-based services like storage and disaster recovery is stretching the attack surface, exposing enterprises to a variety of security issues related to confidentiality, integrity, availability, and accountability. In response, firms must strengthen their security infrastructure.
Increased mobility. Nearly 45% of the Asian organizations in our survey identified mobility as a high or critical priority for 2014. As enterprises introduce mobility into their environment and add devices to support the initiative, the footprint of their infrastructure increases. The new access points attached to the network create opportunities for attackers to break into the infrastructure directly or via mobile application portals that provide gateways to protected, sensitive data.
Needless to say, Indian service providers pioneered and developed the outsourced software development space; currently, they generate a combined $3.2 billion of revenue annually. Although Indian software service providers claim high standards, it is apparent that there are still weaknesses in their delivery. I just published a report that highlights the main culprits for this: a lack of executive commitment, poor application coding, and the industrialization of software development:
Poor application coding persists despite lessons learned. The security vulnerabilities are hardly obscure: More than two-thirds of applications have cross-site scripting vulnerabilities, nearly half fail to validate input strings thoroughly, and nearly one-third can fall foul of SQL injection. Security professionals and software engineers have known about these types of flaws for years, but they continue to show up repeatedly in new software code.
A lack of executive commitment within outsourcing firms leads to poor security. Although most of the service firms’ executive leadership teams mean well, few appear to grasp the true potential for security breaches at their customers, the implications of those breaches, and the part that the outsourced partner must play in preventing them.
The industrialization of software development expands the attack surface. Development on an industrial scale can put clients at significant risk. In some cases, offshore development centers serve multiple clients but lack effective network segmentation.
The digital age brings some inherent security risks, like cyberattacks and hacking, that can have a significant impact on governments. The governments of Singapore, Philippines, South Korea, India, and Japan are some of the recent major victims — and the list is growing by the day.
Why are Asia Pacific (AP) governments a soft target for cyberattacks?
Aging, vulnerable infrastructure. Many servers that host critical government websites still run outmoded operating systems and are plagued by problems such as obsolete software and insecure coding, making them vulnerable to cyberattacks. For instance, only a handful of government computers in India use the latest version of Java; more than three-quarters of them are running unsupported versions of the software, which has been a common target for malware since 2010.
Low adoption of advanced security technology coupled with lack of security expertise. Governments still rely on conventional security controls like antivirus, antimalware, and firewalls that are powerless against sophisticated attacks. The problem is exacerbated by the fact that governments lack highly skilled personnel to combat cyberattacks effectively.
On July 2, the government of India released the National Cyber Security Policy 2013. This policy extends to a spectrum of ICT users and providers, including home users, SMEs, large enterprises, and government and nongovernment entities. The policy aims to serve as an umbrella framework for defining and guiding the actions related to the security of cyberspace. The policy has been much delayed but has now been released amid reports of snooping by the US globally — and ever-increasing threats to India as a country.
The policy defines 14 diverse objectives that provide an overview of the government’s approach to the protection of cyberspace in the country. A few objectives that will have a positive impact on S&R professionals in India caught my attention:
The appointment of chief information security officer (CISO). Organizations may or may not have a designated person responsible for cybersecurity initiatives today. With the release of National Cyber Security Policy 2013, organizations will be mandated to appoint a person in a senior management role as CISO.
A strong security workforce. The government plans to create a strong workforce of 500,000 security professionals in the next five years through skill development and training programs. This will mean more opportunities to enhance skills and more job opportunities for S&R professionals.