The world has become connected more than ever and everyone has a part to play in securing IT systems.
Digital technology provides the opportunity to do this at speed and scale. However such steps requires the sharing of sensitive information across borders in a way that can make it vulnerable to cyber criminals. The challenge is for varying levels of knowledge and maturity in individuals, organisations, or governments, to ensure the sharing of data can be done with privacy protective at the forefront.
Josh Lemon certified instructor at SANS Institute and MD for digital forensics & incident response at Ankura said it is unfair to think every individual can defend against a nation-state threat actor, nor should they need to, this would be like asking a shop owner to be able to protect themselves from a military force breaking into their shop, and there is unlikely to be a change anytime soon in the speed at which we’re progressing with technology.
However Lemon believes it’s everyone’s responsibility to be aware of cyber threats and how they manifest and it’s not realistic to expect everyone to become a cybersecurity expert, but it is “essential everyone understands what to look out for; similarly, to how we teach kids in school about animals and which ones are dangerous”.
According to Lemon the process of education falls on the shoulders of both educational institutions and governments. We need to see more consistent and timely information on cyber safety introduced into schooling. Providing cybersecurity information to the commercial sector that is actionable, timely and relevant should be the government’s responsibility. The challenge with this is the government is often busy protecting itself, resulting in challenges to provide timely and detailed information to the commercial sector.
The three pillars of cybersecurity that are extensively used to aid CISOs in building a solid cybersecurity team: people, process, and technology.
Employees are responsible for all three of these building blocks, so they act as the front line to defending an organisation against cyberattacks and are the individuals responsible for investigating, eradicating, and recovering from a cyberattack.
Recently there have been instances of human failure to prevent the release of personal data held by an organisation.
According to rulings by the Personal Data Protection Commission (PDPC) Singapore recently St. Joseph’s Institution International is an independent co-educational Lasallian Catholic international school was found to have put at risk the personal data of over 3000 parents and students.
The PDCP wrote the Incident occurred in October last year when staff of the organisation downloaded and deployed a Google Chrome browser extension developed by VirusTotal for additional security scanning. Unknown to the staff, apart from security scanning, the extension also forwarded scanned samples to premium members of VirusTotal (the “3 rd Parties”) for security analysis and research.
“This use of samples was made known in VirusTotal’s privacy policy covering the use of the extension,” stated PDCP. “As a result of the Incident, the personal data of 3155 individuals including both parents and students were put at risk of unauthorised access.
The personal data affected included the names of parents and students, parents’ email addresses, students’ date of birth, students’ classes, students’ year and grades.”
PDCP noted users of the VirusTotal Chrome extension would have to agree to VirusTotal’s Privacy Policy, which provides that once files are uploaded to the VirusTotal website for scanning, copies of these files will be kept by VirusTotal and shared with their subscribers for research purposes.
“The risk of such file sharing and in turn disclosure of personal data to 3rd Parties ought to have been known to the said staff of the Organisation, but was overlooked due to oversight,” stated the Agency. “Such oversight could have been prevented if the Organisation had sufficiently robust processes for assessing such risks prior to deploying downloaded software, including Chrome Extensions.”
In April, the PDCP also released undertaking by financial corporation Manulife of enforcements for a data breach notification that occurred on 23 March 2020.
At the time, a Manulife representative who was licensed to provide financial advisory services representing MLS had misplaced an unencrypted thumb drive which contained the personal data of 104 individuals on 19 March 2020.
The personal data consisted of NRIC images, passport images, MLS forms used to conduct financial needs analysis for clients, MLS insurance application forms, medical reports, claims documents (current and past claims), insurance summaries for client portfolios.
It was found that MLS’ financial representatives were not continuously conveyed and trained on up-to-date requirements on the permissibility of using personal devices for business purposes and the proper use of removable storage media via onboarding and refresher training sessions, circulars, and quarterly bulletins.
“There is also a misconception that technology or tooling will defend an organisation, therefore employees aren’t critical to the technology component,” said Lemon. “However it’s the employees that select and operate the technology. Regardless of how expensive or well-made a technology tool is, it is a human that has to implement, maintain, and interpret anything it produces.”
Government agencies finding a consistent approach to cybersecurity has always been a challenge. Their IT equipment and capabilities have all matured at different rates and started at different points in time, noted Lemon.
Government agonies that end up merging with other agencies are then expected to join their IT systems,” he said. “Taking several organisations, then pushing them together will always have long-lasting challenges from a cybersecurity perspective. This isn’t unique to government agencies, it is the same in the commercial sector with acquisitions.”
According to Lemon the big difference between government organisations and commercial organisations is their motivation to get cybersecurity correct. As a customer, if I’m unhappy with a commercial organisation, I can use another one, whereas, with government departments a customer has no choice but to continue to use them.
“The challenge I’ve seen with multiple government agencies is they are pushed to treat cybersecurity as a check box approach rather than an integrated part of their ongoing operations,” he said. “Government agencies should be provided with practical requirements and actions that span across all cybersecurity areas and are tiered based on maturity within each area.”
They can then use this information to assess their current cybersecurity posture and understand what practical steps they need to take to increase their maturity. Alternatively, an independent organisation could use this framework to evaluate government agencies’ cybersecurity maturity or work with the agency to increase their maturity.
In a joint statement by Privacy Authorities Australia the COVID-19 pandemic has highlighted the need for public confidence in the use of personal information by government agencies.
“As we strengthen our efforts to overcome the impacts of the pandemic, personal information will be a key factor in our recovery,” states the Authority. “In our increasingly connected world, securing personal information is critical to protecting privacy, maintaining data flows and preventing harm.”
According to the Authorities “organisations and agencies entrusted with personal information need to build in privacy protections to their systems and services from the ground up. A privacy-by-design approach means assessing privacy issues early and minimising risks from the outset”.
Lemon notes that having governments produce requirements in their own bubble should really be replaced with directly engaging the industry. There are many brilliant subject matter experts in various areas of cybersecurity, and they should be bought together to assist governments in building a practical cybersecurity maturity framework.
“Relying on one agency or one organisation to cover all the areas that makeup cybersecurity is a mistake that will end up with vague requirements that government agencies will struggle to implement and result in minimal defence against future cyberattacks or an uncoordinated response following an attack,” he says. “It’s also worth noting that different countries have matured at different rates when it comes to supporting their government agencies, so this does vary across the APAC region.”
CISOs securing the security team
Lemon noted that one of the overwhelming gaps that cybersecurity teams are struggling with is knowing how to understand better the threats they face and defend against them.
“In our analysis of the survey results, this essentially came down to sound education for cybersecurity professionals,” he said. A strong education on current threats and tactics helps staff make decisions that better defend an organisation.
Even when it comes to selecting new technology or tooling, staff need to have a strong understanding of what the technology needs to achieve and if it is capable of doing this.”
However, he warns there is a “little downside to over-investing in education for your staff”. “While I understand this may not be seen as an immediate tangible investment for an organisation, it will result in your educated and informed staff realising that three of the technology tools you’re paying for annually can be done by just one instead,” he said. “Lastly, organisations need to understand it’s not a matter of if they will end up with a cyber breach, but when—once this occurs, do you want your staff that have a wealth of knowledge helping you, or the staff you decided to not continually educate on new cyberattacks?”
The headache for CISOs and CIOs is more in the significant move to remote working and rapidly changing the direction for technology within an organisation,” noted Lemon.
“Before the pandemic, organisations may not have been focused on remote working or collaboration tools, however, all of a sudden, organisations had to quickly change focus and acquire or implement remote working tools for employees,” he says. “Unlike the standard process for an organisation to conduct planning, testing and slowly rolling out new technology for staff, there was a need to quickly keep employees working and organisations alive.”
With this rapid change to using remote tooling, many organisations did not get the chance to review or implement hardened security controls. CISOs and CIOs are caught in this cycle of trying to maintain these new tools, or making changes to them, while also trying to backtrack over what has been changed or rolled out to secure them.
