Cybersecurity is no longer a mere IT matter. It has evolved into an important management issue that bosses need to be constantly aware of. This point, made by Mr William Saito, Special Advisor to the Cabinet Office for the Government of Japan, showed how cybersecurity has become an issue cutting across an entire organisation.
“There are two types of organisations – those that have been hacked, and those that have been hacked but don’t know it yet,” Mr Saito said. “The problem I see is, the IT and cyber people know this, but it’s how one can communicate it up to the people who can actually make the executive authority to put the right amount of emphasis on cybersecurity.”
Mr Saito was speaking during a panel discussion at the Kaspersky Cybersecurity Summit 2015 on the sidelines of the inaugural INTERPOL World 2015 held in Singapore. The Summit addressed the issue of how businesses can be better equipped to combat cyber threats. Businesses need assistance from governments in this field, but they also do not wish for too much regulation – how does one find that “happy balance”?
The role of sector-specific regulation
Mr Eugene Kaspersky, CEO and Chairman of Kaspersky Lab, said: “Businesses are not keen on regulations, but I’m afraid they are necessary here, especially for critical data and infrastructure.” He added that what he was particularly afraid of was the threat of cyberterrorism.
He also pointed out that it was difficult, but probably necessary, to distinguish when regulating between critical and non-critical data, and between large organisations and SMEs. “We need different sectoral regulations. You can leave the SMEs alone, but perhaps there should be regulations for large companies or top management which are more likely to be targeted [for cyber-attacks]. In addition, companies must be made to report cyber incidents so governments are aware of the situation, and companies must be required to use selected technologies to protect their critical systems,” he said.
Collaboration between government and private sector important
The speakers noted the inherent challenges in government intervention in the technology domain, because there is always a chance that light-touch regulation may swing the more onerous way. But they acknowledged the role of the government in educating organisations on the importance of cybersecurity and in developing talent in the form of cybersecurity experts, who have so far proved to be insufficient or inadequate for the growing market.
The speakers were in agreement that companies need to work with governments and both sides should share information and experience on cybersecurity efforts. Mr Saito’s grim prediction for 2015? “This will be the first year that a publicly-traded company will go out of business because of a cyber-attack.”
That would be the company which does not pay attention to cybersecurity, of course. Let it not be yours.
Best practices for Financial Institutions
“We promptly report threats and incidents to our regulator. That’s number one. I’m also heading up the Financial Industry’s Security Programme, which is co-chaired by Monetary Authority of Singapore and the Singapore Police Force. It does have a financial crime intelligence track. This is a platform where regulators, enforcement agencies and trusted financial institutions come together to share intelligence. We quickly reach out to our members and strategic partners to minimise strategic impact. We also engage the Commercial Affairs Department regularly, since it has a better idea of the total threat landscape.”
“We cooperate with entities like INTERPOL, Kaspersky and other financial institutions in Singapore. Last year we received advanced threat intelligence from another bank, and were able to take preventive actions. Similarly, we will share such findings with other local banks in Singapore. When there is fraud, we work with the beneficiary or originating bank to ensure everyone is aware of the situation. We try to arrest the criminals, but if this is not possible, we will at least try to prevent the funds from leaving the bank.”