The Fight for the Good
By Shanuka Kadupitiyage
As the number of waves continues to add up internationally, it’s clear that the ongoing global pandemic is a problem that’s going to stick with us for quite some time. Sadly, the pandemic has affected many aspects of society and order, causing massive rifts throughout the globe. With new problems arising from the pandemic, innovative thinking and technology have stepped up to create new solutions, bringing on a new era of change throughout the world.
Where there is change, there is opportunity. This is especially true in the world of computing and technology. The tech industry received a hefty dose of steroids the past year and is advancing in leaps and bounds as everyone across the world adapts to the ongoing pandemic. The same can be said for Sri Lanka.
The pandemic has become a catalyst for change, with more businesses and institutions ‘going digital’ faster than ever before. However, with these new opportunities also come new risks and potential threats we all have to be aware of. While cybercrime is yet to become a fully matured threat to Sri Lanka, the signs are already here. As more businesses, institutions, and people become dependent on digital technology, the importance given to protecting ourselves not only physically, but also digitally increases.
Microsoft has been at the forefront of building digital solutions for its consumers for many years. It is also committed to protecting its customers from any potential threats that may appear in the virtual world. Recently, Microsoft Asia held a special media briefing, speaking with journalists across the Asian region about the Asian perspective of it all.
Addressing the meeting was Corporate Vice President Vasu Jakkal who leads Microsoft’s security, compliance and identity management team. This means that she serves close to 400,000 customers relying on her to provide digital security every single day. Joining her was Regional Lead of Microsoft’s Asia Digital Crime Unit, Mary Jo Schrade. The Digital Crimes Unit (DCU) for Asia is based in Singapore but covers all countries in Asia, as well as Australia and New Zealand.
A transformational year
As said before, with great change comes great opportunity. However, this is true for both innovator and exploiter. Vasu had more to say about this. “I believe there are some fundamental inflections that are happening in our industry right now and security is at that inflection point, or that perfect storm. The first, the pandemic, rapidly accelerated digital transformation. Overnight we all became remote businesses, remote organisations and we had to pivot to this way of working,” she said.
“Now what that means is there are increased digital services which means an increase in digital attack services… We’re also seeing critical infrastructure that is getting digitised.” With this increased digitisation, the amount of cyber-attacks has increased. “We’re seeing, along with big attacks, the increase in sophistication, complexity, and proliferation of attacks.
“Just some stats out there – 579 times a second is what attackers or hackers are attacking at an average, so that is an average of 50 million password attack attempts a day. That’s pretty mindboggling.” She went on to explain Microsoft’s standpoint, revealing that a massive 30 billion email threats had been thwarted in the previous year alone.
The transforming threat
As the threat also evolves with the changing times, Mary Jo pointed out the importance of being vigilant about our digital interactions to mitigate the threat of a breach in security. “One of the things we’re seeing is that the vast majority of cyber incidents start with someone clicking on an email,” she said. “It seems so simple, but it’s really something that is tough in these days. And part of the reason is that the criminals have become much more sophisticated in the lures that they put into an email to try to get someone to click on a link that will download malware and give the attackers a way into an environment.
“Some of the things that we’ve seen have been lures over time that are specific to an event that’s going on, for example, COVID-19. That’s an obvious one, so sometimes they’ll say something like the World Health Organisation has announced something and people are very anxious and really want to know what’s happening. Or it might be relief for people – so people who have lost their jobs may be concerned about when the Government payment might kick in or what is available for them to help them in a tough time. And we see that criminals take advantage of that. They say, click here and you’ll find out more about how to get your money or how to keep your family safe. So that’s one thing that’s really challenging.”
The human element
Both Vasu and Mary Jo agree that the human element plays a massive part in each of these situations. From the random click on a link to taking basic protective measures such as installing updates and security patches that add protection to digital systems, it seems that we ourselves might be the biggest weakness that cybercriminals attack.
Vasu shared her thoughts on how we can sometimes be manipulated into making ourselves vulnerable. Other times, it may be our very own shortcomings. It’s very easy to be tempted to click on a link that says it will lead us to new information on COVID-19, or an ongoing circumstance in the country.
Mary Jo had more to share. “We’re seeing that in Asia, people are not always as quick to download the latest patches or do the latest updates to their software, which makes them immediately vulnerable in many cases and the criminals can scan across the Internet and see who’s vulnerable and take advantage of that,” she said. “The other thing we see is the length of time that they stay on a network. We see the criminals staying in a network, moving around, trying to figure out what’s there, what’s valuable, and also trying to get into the control of that system. One of the things we see is the ‘Zero Trust’ principles and making sure that people only have access to that which they need for their jobs, and perhaps for a limited period of time.
“We’re seeing that that’s not always happening in Asia, and so people are finding that they are more vulnerable and therefore, they have more to do on the back end in terms of dealing with ransomware and other things that impact their businesses. And then, finally, I think that one issue that we’ve talked about before in Asia has been the prevalence of counterfeit software.
“I think many people who acquire it now, rather than getting a disk somewhere, they get a download and one of the things that we see happening is that these downloads have malware hidden in them. At the time someone loads it on a new PC they might have, they start out at that point already infected with malware.”
Who is the most at threat?
While it is tough to say what aspect of society will be affected the most, it is clear that everybody needs to be extra vigilant with their digital security as we move towards a more tech-integrated world. However, if we are focusing only on businesses, the economy of Asia in general is predominantly made up of small and medium scale businesses. Mary Jo noted that the move to digitisation and digital protection is a lot tougher in these sectors.
They would no doubt find the job extra difficult due to the lack of a dedicated security team. However, that doesn’t mean that these sectors are not protected.
Use protection
Vasu mentioned some very simple, yet effective practices that would help even those people and businesses without a tech team or specialised security solutions to protect themselves. “The first one I would start off with is to use the tools that you have in your tool chest,” she said. “There’s so many things that we will be surprised to see we have basic security tools in our treasure chest like multi-factor authentication and cloud identity protection.
“Start there and use those. It’s interesting that across our customers, just 18 per cent of our customers use Multi-Factor Authentication (MFA), and even that is up from single digits. So, having tools like that can help you get that first layer of defence and we all know that identity is the battleground for security right now.
“So, I would say start using the tools that help you protect them.” Another method she emphasised was the adoption of a ‘Zero Trust Policy,’ which is an IT term for a model that is heavily used among those who want to increase their cyber security. Then there is also the adoption of cloud technology and cloud security.
“We’re seeing more and more migration to the cloud,” Vasu explained. “In fact, most organisations driven by the pandemic are seeing this cloud migration.” She went on to point out that, “Cloud does offer a robust foundation of security because it’s built in with the cloud to leverage those defences. Every person, every organisation, is on a different journey and we’re committed to helping you wherever you are on the journey, on the cloud.” The real star of the show however, is the use of MFA.
According to Mary Jo and Vasu, about 99 per cent of all cyber security threats. “There are some simple things that you should know as almost cyber hygiene, for lack of a better term, that could be used by people to avoid these issues. We really keep coming back to those fundamental things that if you do these things, you know you really are going a long way in your safety journey,” she commented.
Why is it important?
“Companies around the world are starting to think about their own future models for the workplace, with many transitioning to a hybrid mix – people working from home and people working in the office,” said Mary Jo, revealing statistics that a large number of people do prefer the adoption of remote working.
“Forrester, which is a leading analyst firm, predicts that once people have really settled into their new work patterns post pandemic, we’re going to see a 300 per cent increase in employees working remotely,” Vasu revealed. “We did our own work trend survey at Microsoft and 53 per cent of the people surveyed in Asia plan to move because they can now work remotely. Overall, I think the figure in the world is 46 per cent.
“So, you know more and more people have flexibility and choices in their work and what that means is we’re going to have to think about home networks and work networks and increasingly operate in this boundaryless or perimeter-less world, which is going to pose interesting challenges and opportunities for us from a security standpoint.” Mary Jo had more to share. “When you’re working from home, you’re connecting to the Internet through a router, your home router, and so you know there are threats.”
What should you do?
Once again, the emphasis was on getting the basics right. Besides that, the importance of giving adequate training in digital safety and security was also stressed. Having staff who follow good digital hygiene could make a substantial difference in protecting against any cyber threat trying to exploit human weakness.
“So the four things I would say are; to start with the tools you have such as Multi-Factor Authentication, take a Zero-Trust approach and really embrace it, migrate to the cloud, and use cloud security where you can and then, don’t forget to train and skill your people; embrace that diversity because ultimately security is an asymmetric battle.
“It’s a cat and mouse game and for defenders, for the good people, to stay one step ahead,” Vasu explained.
The field is ripe
With the increase in cyber security threats comes increased demand for cyber security experts to combat these threats, a field of opportunity ripe for anyone who’s willing to thrust their sickles. “There is such an intense talent shortage right now in our world. We have 3.5 million jobs just in the US, which are unfulfilled, and I know there’s a ton in Asia that I would love for you to talk more on.
“We need to elevate the security posture. Doesn’t matter where you are, in which journey you are across the board, whether you’re a youngling starting out or if you have been in the industry for decades. However, if you want, if you have the passion to be a defender, you know we are committed to training you there and we need more defenders. Plus, just basic education awareness is going to go a long way. Microsoft has put a ton of great content and skilling and certifications to help along this journey.”