Addressing APAC’s unique cybersecurity and trust challenges
The APAC region has always been a place of contrast, with hectic city life alongside natural, peaceful beauty, and deep spiritual traditions. In technology too, there’s contrast: on the one hand, parts of the region lead the world in technologies like 5G, high definition media, and digital infrastructure and, at the same time, finding entire organizations running Windows 95 desktops isn’t rare.
Yet the level of technological complexity doesn’t hamper the growth of commerce. The region continues to develop economically in leaps and bound, and the markets are rife with mergers, acquisitions, takeovers, and robust expansion plans. Home to home-grown and foreign businesses alike, the challenges in terms of technology’s risks are the same for the startup as for the global multinationals.
The specific Asia-Pacific challenges
When any company enters a new market, either by expansion, or acquisition, it will need to develop new products and services, or change their existing offerings. In Asia, where localized traditions and preferences can change in the space of just a few kilometers, that’s especially true.
Each market will typically come with its own data provisions, infrastructure, technology stack, and established business processes. For cybersecurity experts, and for managers across the business (like HR bosses, marketers, operations managers), that’s a big challenge.
The result is often that there is no person or department that has a deep insight into every single use of technology across the company. Every connection point, API, interface, or hand-off to a third party offers opportunities for data loss, privacy breach, or just mediocre, inefficient practices.
The nature of the APAC’s geography also comes with the threat — real or imagined — from North Korean government actors, and, if America’s blizzard of PR pronouncements is to be believed, China too. While digital threats are not dictated by physical proximity, the perceived threats have a measurable impact on policy both in the boardrooms and data centers of APAC businesses and those of the multinationals operating in the region.
Technology comes with risks
Using new technologies like multi-cloud, hybrid cloud, or the latest in edge-based technologies means companies’ cyber stances need to alter. The days of perimeter defense being enough are gone, and even the tech that may have been thought of as cutting edge just a few years ago, like cloud-centric intrusion detection, or WAFs (web application firewalls) are no longer enough to guarantee cyber safety.
There are also more tranches of legislation and data governance that need to be considered. Australia, China, Europe, and the US each have governance procedures that need to be adhered to, and mere adherence is not enough: proving to governments that systems are in place is one thing and proving adherence practices is quite another!
However, when things go awry — such as in the case of the Starwood/Marriott breach — the consequences can be highly damaging financially, as seen in the fine levied on the company by the European Union for infringement of its GDPR regulations. And that is, of course, in addition to the lasting adverse effects in terms of public relations, investor confidence, and future business.
Managing risks, protecting the enterprise
Until data frameworks like that suggested by Hong Kong’s iBDG (Institute of Big Data Governance) become the basis on which safer transnational APAC data movements can take place, how can companies protect themselves from cyber and legislative pressures, as they scale in Asia?
With an end goal of changing mindsets to be “data-aware” right across the organization, companies can take practical steps now. Following these steps should be prioritized and undertaken either as an internal exercise or by utilizing one of the two suppliers we at Tech Wire Asia highlight at the foot of this article.
First step: create data maps
Businesses often map their processes as part of enterprise architecture exercises and change management procedures. Process diagrams need to include the underpinnings comprising technology and information flows. Before any new initiative or a change to a process, ask the questions:
– who owns the data?
– where is the information stored?
– what other processes contribute to, effect, or otherwise use the data?
– whose responsibility is resilience and security of the data, from creation to archive?
Second step: step-wise consideration of risk
Related again to enterprise architecture procedures, considering data’s movements and risks presented at each stage helps identify where issues might present themselves. As new manual or automated processes are devised, assessing each based on data risk is essential: after all, each step may be “considered” too by bad actors, or by governmental officials granted oversight of your systems to ensure legislative adherence.
Each step in a new business process may also have deeper complexity. If secure systems are being used, how do users (or automated processes) authenticate? Is there password management in place across the enterprise? Are security certificates present, and how might data be encrypted?
Third step: assess existing & new technology and hardware carefully
Even unsophisticated, elementary connected devices can open new areas of concern, so their security facilities need careful consideration. As a prime example, in industrial settings IIoT presents massive opportunities to companies engaged in Industry 4.0-style transformation but bringing devices online in existing networks opens new attack vectors and risk.
In every company too, connected, smart devices like building management systems, surveillance cameras, and digital entry systems may be designed to protect the organization but can offer loopholes which could be exploited.
Fourth step: create controls and the risk-aware mentality
The first rule of cybersecurity and risk is to nurture a “when it happens” attitude, not an “if it happens” mindset. Therefore, every business decision must be considered with the data resilience and risk factors given significant weight. Proposed business processes or strategy may work, but if they involve unsafe data practice, decisions may have to change.
In data terms, retrofitting controls is inefficient and rarely 100 percent effective. To give one example, spinning up a new cloud service may be the answer to a process-based problem, but unless the service can integrate the enterprise’s central PAM system (password access management), it may need to be avoided.
Here at Tech Wire Asia, we’re considering two suppliers of the type of security, risk and governance management solutions that we feel can help change your company’s stance when it comes to protecting itself from undue risk. As ever, there is no 100 percent guarantee of safety or a simple box-ticking platform that ensures proper legislative compliance. It remains the organization’s own responsibility to protect itself. We think the following vendors offer something unique.
As one of the largest companies offering cybersecurity and risk management solutions in the world, EY is well-placed to offer the types of services that are particularly relevant to APAC businesses that operate locally and beyond.
As companies’ topologies change, their risk posture also alters, and therefore EY suggests an innovative approach to data security and resilience: Trust by Design.
Trust By Design effectively “bakes-in” good data practices into the enterprise’s operations, but goes significantly further, ensuring that all stakeholders in the company build significant trust. As well as internal bodies, services and functions, stakeholders will also include partners, suppliers, contractors, and customers. External stakeholders and customers are particularly sensitive to issues of data mismanagement from a PR point of view, so ensuring that there’s the correct weight given to information security at all steps is essential for maintaining good relationships in business.
The company’s holistic approach means that Trust By Design can spread right across the enterprise, not just focus on IT departments and the CISO: every department, division and business function today deals in data, so ensuring best practice end-to-end is of paramount importance.
As you might expect from a company that’s successfully transitioned from de facto hardware suppliers to one of the world’s leading IT services companies, IBM’s substantial portfolio can be a canonical source of solutions for the full gamut of data security.
As your company transitions from in-house data centers to multiple cloud networks, with an ever-changing topology of hybrid, in-house, and multicloud provisions, the IBM framework helps protect and ensure.
The IBM Critical Data Protection Program, for example, starts with an analysis of the entire enterprise’s security stance and identifies potential weak points — either in terms of practice, but also for potential data breaches. The audit process helps categorize data types and importance and sets up frameworks for assigning responsibility in the enterprise for each discrete silo (and interactions between silos).
IBM security services can then provide the overarching monitoring and control of data governance, security, and data integrity, wherever information might be. The company’s centralized data security automation and management solutions bring overall control to the different points of responsibility in the enterprise: IT, finance, HR, logistics, and so on.
You can read more about IBM’s Critical Data Protection Program here.
*Some of the companies featured are commercial partners of Tech Wire Asia