Coronavirus shines spotlight on cyber security

Programme committee chair of this year's RSA Conference Asia-Pacific and Japan talks up the challenges that IT security professionals in APAC are facing to mitigate security risks amid the Covid-19 pandemic

The Covid-19 pandemic has put the spotlight on cyber security professionals, many of whom are now calibrating their approaches to mitigate the security risks of a growing remote workforce.

That is according to Hugh Thompson, the conference’s programme committee chair and former chief technology officer (CTO) of Symantec, who noted that the pandemic has accelerated plans by companies to support remote work, with some wondering if they are implementing the right measures.

“We’re seeing that show up in questions about whether they are properly educating people on spear phishing attempts that might take advantage of the fact that we’re doing things differently now,” Thompson told Computer Weekly on the sidelines of this year’s RSA Conference Asia-Pacific and Japan. “People are much more vulnerable to those kinds of attacks when things are changing around them.”

Noting that organisations are in various stages of maturity in dealing with the security implications of remote work, Thompson said more advanced firms are looking at security paradigms such as zero trust, which enables access to resources based on policies and rules to ensure appropriate permissions are granted at the right time for each user to access applications and services.

Implementing the zero-trust security model is a lot easier said than done, but Thompson believes more cyber security practitioners will gravitate towards that model, which goes back to the basics of IT security.

“On day one of a computer security class, the first thing you go through is a set of principles, like the principle of least privilege where you should only give people the access that they need, no more, no less,” Thompson said. “There’s also the principle of least exposure, where we should only expose resources to somebody that actually needs those resources.”

On balancing security and usability as organisations roll out more remote work initiatives, Thompson said it has been a perennial challenge to make something secure yet easy to use and cost effective.

“Unfortunately, there have only been a few examples where that’s actually been pulled off, such as the move to biometrics on a smartphone,” Thompson said. “The fact that you can use your fingerprint or your face to unlock the device is a very odd occurrence that lets me get into my device more conveniently and securely.”

“People are realising that we have to make the path of least resistance and least cost that’s also the most secure. Otherwise, it just won’t be followed because when work has to be done, people often circumvent the system.”

Against this backdrop, Thompson said the only way to get to the point where remote work is secure is to put in place the right governance and controls and make sure that even the workarounds that are possible are secure.

He added: “This is spawning a lot of innovation in the security space, and I’ve never seen a more vibrant time in the way we run multiple startup competitions as part of RSA Conference. And it is interesting to see the different approaches that people are taking to balance usability and security.”

The vibrancy of the cyber security market also means enterprises now have a harder time differentiating one security vendor from another. For one thing, Thompson said the descriptions put up by security vendors about themselves at the RSA Conference are often similar, even when the vendors are doing vastly different things.

“This is a very challenging time for security practitioners that are trying to decide what tool they’re going to bet their business on,” Thompson said. “So, there’s never been a more important time for people to connect with each other. And one of the best ways for them to get around the marketing fluff is to talk to peers who have had time and resources to look at some of these solutions.”
