This article first appeared in Digital Edge, The Edge Malaysia Weekly on May 17, 2021 - May 23, 2021
Although companies are increasingly at risk of cyberattacks, few are keeping up with the evolving threats or spending enough to counter the hackers. Some companies complain that it is difficult to hire cybersecurity talent while others find their budgets for cybersecurity insufficient.
These are the results of a survey that global cybersecurity firm Sophos published in March. Wong Joon Hoong, country manager of Sophos Malaysia, shares with Digital Edge his thoughts on how companies can hire to address cybersecurity threats.
What is the state of cybersecurity adoption in Malaysia?
Wong Joon Hoong: Malaysian companies are familiar with cybersecurity threats such as spam, phishing and hacking in general, but they are still playing catch-up on the new threats that are evolving daily.
To protect an organisation against hacking attempts, there are three important elements they must incorporate: people, process and technology. In Malaysia, companies spend a lot of time purchasing technology, but lag on the other two elements.
We have seen Covid-19 become a strong catalyst for the adoption of cybersecurity. However, companies are still playing catch-up and find it difficult to hire IT security experts. The right processes are also not in place.
Why is it difficult to hire cybersecurity talent?
Talent in cybersecurity is scarce, not just in Malaysia. We should encourage more universities to conduct this kind of training. But threats keep evolving. The only people who can continue to stay in the cybersecurity profession are those who keep improving their skills to meet the ever-evolving threats.
Another source of frustration is that the executive team always underestimates the level of damages. They think that handling cybersecurity threats is easy. But when they find out [the extent of the damage], it is too late.
According to statistics [from the survey], companies also lack the budget [to hire]. They struggle to decide between hiring more people or buying more cybersecurity tools.
How can companies hire cybersecurity talent?
There are two strategies. One is to build the whole team internally or work with cybersecurity professionals who can transfer skills to employees. This depends on whether the company has a large enough budget. The challenge is retaining the talent. Hiring is easier than retaining because the talent is in high demand.
The second strategy is to borrow [staff]. For instance, Sophos has a managed threat response solution, where customers leave it to us to manage their cybersecurity matters. We monitor the security threat landscape and do threat hunting, which means we look for potential risks in the organisation and eliminate or neutralise malicious activities.
Who should consider building or borrowing?
In general, building a security team can be costly. And by the time you stabilise it, retaining the talent will be another challenge. That’s why we encourage companies to consider the ‘borrow’ strategy. We did a study and found that borrowing can be far superior in terms of stability and service levels.
Borrowing is cheaper because it doesn’t have hidden costs, which come from recruiting, retaining, training and retraining talent to deal with new threats.
What if companies worry about relying entirely on a third-party service provider?
We don’t mean that you shouldn’t hire an internal team. I suggest that companies maintain a set of people or at least one person to collaborate with the external provider. This is important because the internal team knows about the infrastructure and business operations. They need to interpret all this for the cybersecurity experts.
For instance, during the pandemic, hackers no longer attacked the corporate firewall and instead, targeted people who were working from home and gaining access to corporate data through a virtual private network (VPN). This kind of knowledge about the internal infrastructure is important and must be communicated with the cybersecurity experts.
Companies may be wary about letting an external party manage their critical infrastructure. Third-party vendor breaches have also occurred before. How worried should companies be?
As third-party service providers are effectively custodians of your data and infrastructure, it is important to know what measures they are taking to safeguard and protect your information. You should assess and evaluate the security measures deployed by these entities.
Additionally, you should use cybersecurity assessment and rating services to create risk profiles for third parties. There are cyber threat intelligence reports that provide benchmarked data comparing third parties to industry-leading practices. This information can be the basis for creating risk profiles.
How can companies look for cybersecurity talent?
They can go to the universities that train this kind of talent. They can also form a partnership with external parties to train their people in a few topics. This includes data management and compliance, cybersecurity reporting and testing, how to handle incident responses, as well as investigation and remediation of cybersecurity incidents.
What is your advice for companies?
For the time being, they should adopt next-generation firewalls to monitor things such as traffic going in and out of their system, tighten the security of the workforce at home and build web security applications. For instance, the application will ensure their employees do not access highly malicious websites.
When people come back to work in the office, there should also be security automation, where all the infrastructure components [such as the CCTV system or access card] talk to each other. The whole idea is to make sure that if there is an attack on one of your [employees’] laptops while they are working from home and accessing corporate data via the VPN, the laptop can be isolated. Traditionally, this kind of attack can compromise the company server. With technology, this process [of detection and isolation] can be automated.
Save by subscribing to us for your print and/or digital copy.
P/S: The Edge is also available on Apple's AppStore and Androids' Google Play.