Implementing Cyber Security in Sri Lankan organisations
Many organisations in Sri Lanka hastily took to some form of online business operations during the two pandemic-riddled years. While some opened online stores, digitising order placement and payments, others took to social media such as Facebook and WhatsApp extensively to receive orders from customers. Although most continue their online operations because of cost efficiency and wider consumer reach, few pay attention to their company’s cyber threat landscape. Security breaches can lead to the loss of critical business information and customer data, which means loss of credibility and revenue as well as hefty expenses in litigation and in data and systems recovery.
Biznomics spoke to three experts in the field to understand the root causes of breaches and obtain guidance for organisations to improve their security positioning.
We learnt that many Sri Lankan organisations lack an overall view of what “security” entails, how to do a proper threat analysis, and how the many different aspects of security interplay to achieve a common goal. Beyond that, finding talent and changing top management’s attitude towards security will be long-term battles for Sri Lankan organisations.
While cyber-attacks are not 100 percent preventable, they can be managed effectively. Here is a summary of the advice given by the three experts: Dr Primal Wijesekera, Research Scientist (Security and Privacy) at ICSI, UC Berkeley; Nisa Vithana, Director of Operations of the UK-based cyber security consultancy Meta Defence Labs; and Namal Gunapala Karunaratne, Senior Security Engineer.
Think security from the design stage; set up org structure to support quick action
Primal notes that organisations must ensure “Security is a part of the design discussion of IT systems, and not as an afterthought.” On managing these systems, he says: “it is important to have a very clear line of ownership for each asset with a plan in case something goes wrong. Each asset should be part of the threat analysis and the monitoring framework.”
Like many organisations around the globe, Sri Lankan entities leave IT systems to the IT department. The fact is that almost every employee accessing systems has a responsibility to ensure security.
If the important messages about security are to be heard and practised by every part of the organisation, there has to be top-level involvement. Security information and the action it calls for cannot be delayed by several levels of clearance before reaching the top to be authorised and implemented. Therefore, security leads should ideally have a seat at board level.
Set up controls and conduct continuous testing
Conducting a threat analysis is an important step of the security process. It is like carrying out a thorough security check of one’s house: checking whether the locks are sound, whether the alarm systems are in place, and whether all other security measures and features have been put in place. The most fundamental tactics that even the smallest companies can implement on their own are to start using stronger passwords for device access, to update software regularly and automatically, to secure hardware and routers with firewalls and other means, and to back up files.
Regular supervision of these crucial steps is necessary.
“Regardless of company size or domain, security testing has to be the cornerstone of any security posture. Testing could be as primitive as internal quality assurance testing for software development organisations or running many open source tools to test deployed systems or internal network configurations. Organizations with more sensitive information, such as banks, should do frequent red teaming exercises and external pen-testing engagements. Bug bounties are also an attractive cost-effective testing model with a broader testing pool,” Primal advises.
Bug-zero is one such platform that will perform security checks round the clock through its 500+ freelance testers from 34 countries. This platform will do security checks free of charge for organisations as part of an ongoing campaign.
Draw up a security policy to protect important assets
Organisations engaging in any kind of online activity need a clear idea of which information (assets) is critical to their business continuity and how to safeguard it – this is widely known as threat modelling. Microsoft provides a useful threat modelling tool, currently released as a free, click-to-download application for Windows, for anyone to use.
How these critical assets should be safeguarded is outlined in the security policy of the organisation.
Regardless of their size, all organisations should implement their security policy diligently.
“A typical security policy should entail a detailed threat model, what sort of a test the org should do and how often, and a detailed plan on the monitoring (also known as blue teaming), incident response and contingency plans. A good policy should also cover aspects such as authorization and authentication mechanisms and restrictions,” Primal elaborates.
Create awareness and support information flow: fix communication gaps and encourage top-to-bottom and bottom-to-top information flow
The security policy should be communicated clearly throughout the organisation. Clarity along the line of communication helps rectify security-related issues swiftly. Failure to do so leaves room for ambiguity and for security breaches to take place.
Sharing observations from his research on the security management of a large number of organisations covering several geographies, Primal says: “One of the most significant communication gaps occurs between security professionals and their higher management. Security teams could have difficulty converting their security concerns into opportunity costs and profit-related numbers to convince the higher management to get the resources they need to secure the organisation. While bridging this gap isn’t an easy task, frequent discussions with the security team and mapping the security concerns into PR and legal concerns might attract attention from the organisation’s leadership.”
People’s ignorance, but mostly their lack of discernment or common sense, seems to lead to security breaches.
Examples include employees opening links and file attachments, or scanning QR codes, that arrive by email or social media without checking where they originated, exposing their data to malware. Even a simple act of negligence, such as writing down a strong password on a post-it note and sticking it on the computer so it is not forgotten, defeats the purpose of the password and leads to a security breach. Entrusting a password to someone who does not have access rights to a system is another common act of negligence.
If employees are not educated, they will continue to be negligent with passwords, open unsolicited attachments, and forward such messages, causing malware to spread. All of this results in an unbreakable cycle of firefighting rather than successfully mitigating cyber security vulnerabilities.
Nisa Vithana notes that people are often called the weakest link in security.
“As security professionals we must understand that there is a very thin line between people, processes and technology. No matter how great the technology you use, one single wrong click can put the whole organisation in trouble. Human error is part and parcel of life but when it comes to security it can be a costly affair. Train your employees to proactively defend themselves and their work assets from cyber criminals. Help them to understand the importance of cybersecurity and make them feel that they are an integral part of strengthening a solid cybersecurity posture. Similarly, leadership must play a critical role in creating a safe digital environment for their employees by encouraging the practice of good cyber hygiene and building a rewards-based security culture within the organisation.”
Take action: enforce and implement policy
Senior security engineer Namal Gunapala Karunaratne points out that “some Sri Lankan organisations have security policies and practices but fall short of implementing and maintaining them.”
“The key to staying on top of the security game is to have reasonably good policies and practices that are diligently enacted and continuously improved with time, as opposed to having a perfect set of policies and practices right off the bat that are poorly implemented and rarely improved,” he further notes.
Ensuring cybersecurity is like securing one’s house. If one has many doors and windows, all of them need to have locks.
Here are some useful resources you can use to secure your company yourselves:
Cybersecurity Basics for Small Business | Federal Trade Commission – YouTube
Cybersecurity For Small Businesses – YouTube