Region’s companies and governments ‘years behind in terms of their understanding of cyber threats’, warns FireEye cyber security expert
Cyber risk is widely misunderstood in Asia, despite being a bigger problem in the region than in the rest of the world, the cyber security firm’s Asia-Pacific chief technology officer (CTO) has told StrategicRISK.
Bryce Boland, who has lived and worked in Australia, New Zealand, Switzerland, the UK and now Singapore, said that firms in the region were “significantly more likely to be targeted by advanced attacks than we see globally”.
“There are around 35-40% more targeted attacks in this region [Asia] than what we see globally,” he told SR.
Boland said that, considering the amount of intellectual property held in Asia, organisations in the region were “gold mines” for cyber attackers.
“Organisations in Asia are very interesting targets,” he said.
“There is a lot going on in this region which makes organisations very valuable for attacks.
“The organisations have huge numbers of customers, and attackers want that much information.”
However, Boland cautioned, too many organisations in Asia did not realise how serious and pervasive cyber threats have become.
“Any organisation, even governments, in many ways are years behind in terms of their understanding of cyber threats,” he said.
Understanding the threats
Prior to joining FireEye in 2013, Boland was at financial services giant UBS, where he progressed from an IT risk management role to become security CTO.
“I have spent the last 15 years in the financial services space predominantly, looking at technology and cyber security risk,” he said.
“I had responsibility for a number of aspects at UBS, such as helping set up their security operations, [and] establish their data protection and security consulting programmes and their IT risk frameworks.”
Boland said he spends much of his time at FireEye “helping the market understand the threats that are current”.
“I then look at new, creative ways to address those [risks],” he said.
“You need to understand the needs in the market, the needs our customers have, so we can produce practical solutions they can deploy.”
Boland points out that “there is always a way to attack something as an attacker”.
“There is always a way for someone to break in. Everything has security flaws. There is no perfect system,” he said.
Furthermore, Boland warns, whenever a penetration test takes place, “it is not ‘whether we will get in’, it is ‘how long will this take?’.”
“If you have something of value, someone will come after it and the breach is inevitable,” he explained.
“It is not a matter of if you will get breached, it is a matter of when. So if the breach is inevitable, you need to find some way to address the business impact.”
Different levels of understanding
Boland stresses that IT security is an area that carries a great deal of baggage in terms of misconceptions, which have infiltrated many organisations.
“Different people have got different levels of understanding around cyber risk,” he said.
“Most organisations have a fundamental set of beliefs about cyber security and sometimes those beliefs just do not bear out.”
Many of these beliefs may have been true 10 years ago, Boland suggests, but not necessarily today.
“People think the focus of a cyber-security program should be finding malware, finding the attack tools; that is fundamentally not sufficient,” he said.
“The real threat – the real thing you should be focused on – is finding the attacker who is coming after you.
“This is because the attacker will use any tool they are able to utilise to gain access to what they are after.”
Boland believes malware is just one of the tools attackers will have in their arsenal.
“Last year we did 226 investigations in 13 countries and in 46% of the attacks we investigated, we did not find any malware involved in gaining access,” he said.
“That is usually because the attacker has used credentials they have previously stolen.”
Another cyber risk misconception that Boland highlights is the belief among organisations, perhaps led by their risk management team, that they can train their users to identify malicious emails and documents.
“That’s not true,” he said. “The smartest IT security people in the world cannot tell the difference between a PDF that looks like it came from a colleague but is from an infected machine, and a legitimate one.
“So you need technology to help you answer some of these questions.”
Buck stops at the top
Boland believes that the IT departments of most firms “focus on how to respond to the checklist of controls and information they are going to be asked by the risk department”.
“The reason that is not enough is because that revolves around the idea of an attacker trying to breach controls,” he explained.
“But what they are actually trying to do is by-pass the controls completely and get access to people and exploit the gap between a person’s ability to make a decision in terms of what is risky, and the technology’s ability to determine what is risky.
“What I find is really effective is when the risk manager asks the questions like, ‘if you assume a breach is inevitable, how do you detect when you have been breached?’, and asking questions like ‘how do we detect attacks?’, ‘how do we detect when a breach happens?’, ‘how do we respond to a breach when it happens?’, and ‘do we know who is attacking us today?’.”
Boland said it is also important for risk managers to understand both who is attacking them and why, as this enables the risk manager to know what information is at risk.
Ultimately, Boland believes that the cyber risk buck stops at the top.
“Cyber security is not something which can be relegated to a back-office function,” he said.
“It requires the oversight of the board and the attention of the senior management.”
CEOs have lost their jobs “if they do not have the appropriate operational and management controls”, Boland added.
“That said, we also see the board of directors in many companies take an active role in the cyber security preparedness,” he said.
“That makes sense as the risks of cyber threats for many organisations are becoming almost an existential thing.”