
CIO virtual session: Tenable and CyberArk present INFOCOM CIO Connect Virtual Roundtable 2022 – Bangladesh, powered by The Telegraph Online

Over 20 technology leaders came together for a discussion on the theme ‘Cyber Risk - Lessons Learnt from Remote Working’

The Telegraph Online Published 25.03.22, 12:18 AM

Harish Agarwal, Sumit Srivastava and Sudeep Das (clockwise left to right) during the virtual session. Telegraph picture

With organizations adopting digital and remote working, triggered by the Pandemic, Cybersecurity has become one of the existential threats of our time. Remote working has enabled extensive use of new types of connected devices and compute platforms, from Cloud to IoT, which have exploded the cyber-attack surface. And more tools collecting more data doesn’t equate to actionable insight for the Technology Leaders, CIOs, CISOs, and the Leadership. The old way of simply scanning on-premises IT devices for vulnerabilities is no longer enough. It’s time for a new approach.

INFOCOM, India’s top business, technology and leadership conference from the house of ABP Media Group joined hands with Tenable, one of the innovative leaders in Cyber Risk solutions with specialty in Risk-based Vulnerability Management and CyberArk, a leader in Identity Security and Access Management solutions to host a special CIO CONNECT interactive discussion on the Next Frontiers of Cyber Risk. Technology Leaders from Bangladesh comprising CIOs and CISOs came together for a Virtual Roundtable Discussion on the Theme: “Cyber Risk - Lessons Learnt from Remote Working”. The objective of the interactive session was to delve deeper into Cyber Risk enhanced by remote working and to enable us with the visibility and insight on the way forward.

The Question

The Pandemic triggered digital and remote working making Cyber Security one of the top priorities for organizations. In this context, tell us briefly how your organization managed the transition to remote working during the pandemic? How did you manage employees logging into the corporate network or accessing critical resources and remain protected from cyber-attacks?

Tell us about some of the unique security best practices that you have implemented to protect your organization against cyber-attacks?

Perspectives from the Moderator:

Harish Agarwal, Partner, Ernst & Young LLP and COO, Ernst & Young India Consulting

The COVID-19 pandemic forced everyone indoors, and forced organizations to transition to remote working. However the need for remote working brought new risks to the security requirements including confidentiality, integrity, and availability of critical company data and supporting systems.

Some of the areas that we must focus on:

  • How is your organisation’s cybersecurity posture optimized, and has the organisation ensured that its technology and operations are secure?
  • Has the management reviewed the IT security features?
  • Have IT security monitoring systems been beefed up taking into account remote working?

Cybersecurity has not always been given the priority it deserves, neither has it been backed by the right budget allocations by organizations, which are in a hurry to adopt new digital technologies. Nearly 81 percent of CISOs have been dealing with this, with the main issue being insufficient budgets, regulatory complexity, and non-streamlined relationship with the C-Suite.

It is a generally known fact that over the last two years, threat actors have adopted new complex tactics, techniques, and processes as indicators of compromise (IOCs), whether by targeting businesses with phishing campaigns containing malicious software or by embedding backdoor code through smishing (texting) or qrishing (QR code scanning).

An attack is now only a matter of ‘if than when it happens.’ Widespread remote working and increased online interactions are now the ‘New Normal’ and businesses are obligated to rethink their business models. A company’s ability to adjust and strengthen its cyber resiliency through the crisis dynamics will position it for a more secure future. The CISOs need to assist in technology roll out, training of employees across the organisations and deal with higher churn in people, in the increasingly dynamic environment.

If CISOs can support digital transformation from the design and planning stage, to assist CEOs and CIOs in major data and technology investment, they will become strategic enablers of growth. They have to increasingly adopt a more active role in transformation; otherwise, security threats will only accelerate.

Perspectives from the Cyber Security Experts:

Sudeep Das, Pre Sales Manager, Tenable India & SAARC

Tenable has always had a remote work arrangement so this transition during the pandemic did not come as a surprise to us. However, we recognize that the sudden shift to a remote-work model overnight means that employees now have to merge personal technology with work devices, contributing to an expanded attack surface.

We quickly identified which are the critical resources that had to be exposed and would need VPN level access and which would be okay to be secured using strong access control over https based web channels - this way we were able to reduce the exposure to VPN based vulnerabilities as well as utilize the power of SaaS driven security controls. We also ensured that vulnerabilities of remote laptops and desktops were promptly identified and patched even though they are not on the corporate network - this gave us greater control on the attack surface that suddenly increased during the pandemic. Additionally, we ensured that identification of vulnerabilities and patching of vulnerabilities were using different channels so as to have an accurate picture of the risks as vulnerability cycles and patching cycles are different and hence cannot be made dependent on each other but they should be integrated for the most optimal operations.

As attack surface increases so would the cyber-attacks and the pandemic just accelerated the process. Also, the lack of awareness amongst new remote workers has aggravated the situation. We adopted the best practices with a view that this remote working as well as the trend of moving towards a wider attack surface is addressed with a long term view.

  • Regular scanning of the ever-increasing attack surface: We widened the search of vulnerabilities across a much wider scope - we started covering remote desktops, Applications and compute on the cloud, Building management systems and OT systems etc. We also dug deeper into our network and applied security controls on our AD system, networking systems and adopted a "shift left" approach towards security
  • Run IT operations like a service: Simplify, streamline and standardize the working experience for global employees, or what devices they are using. Eliminate any technical barriers that get in the way of people doing their jobs.
  • Prioritize SaaS solutions: Cloud-based services aren’t just a cost-saving measure, allowing organizations to focus more resources on core business competencies. These solutions also support greater agility and scale where traditional connections (e.g., wide-area network [WAN]) quickly become a bottleneck when large groups begin to work remotely.
  • Limit access to virtual private networks: VPNs can be a bottleneck for distributed workforces because they are limited by the same local network bandwidths. Wherever possible, restrict direct access to a corporate network to only the most critical functions and double-down on SaaS protocols. Single sign-on (SSO) identity management facilitates ease of use and ongoing maintenance, while multifactor authentication provides a much-needed layer of additional security.
  • Encourage adoption of collaborative systems: Distributed workforces require new tools that foster collaboration in lieu of the social interactions that typically occur within a physical workplace. Organizations can consider SaaS collaboration solutions such as Google Docs, Slack and more.
  • Partner with internal and external peers: Every department relies on an organization’s technical infrastructure, so IT leaders must maintain a direct line to all areas of the business. CIOs need to continually ask if there’s a better way to do things, and that requires ongoing communication with all relevant stakeholders and the industry at large.

Sumit Srivastava, Head – Solutioning and Presales, India & SAARC, CyberArk

CyberArk believes that providing secure remote access requires regular, proactive auditing of access privileges, which are likely to change substantially on a daily basis, particularly, for the third parties. These requirements render conventional identity management schemes based on user IDs and passwords fairly impractical, as they do not cater for constantly changing credentials and access rights.

A major proportion of breaches that happened last year were due to the compromise of identities and abuse of privileged credentials. Most attacks often start with credential theft via phishing and other common hacking techniques. Within this context, it is important to recognise that identity is the new perimeter. Businesses must consider privileged access security, which provides greater visibility of, and control over, remote access to enterprise networks, as more and more employees work remotely.

Privileged access management employs biometrics, zero trust and just-in-time provisioning to reliably authenticate remote vendor access to the most sensitive parts of the corporate network. In the current environment, where endpoint devices have disparate levels of security and the office environment can be a café, car or home office, cyber security needs to match the flexibility of modern working to best ensure business continuity.

Perspectives from CIOs/CISOs/Technology Leaders from Bangladesh:

Md. Tareq Hasan, PMP, Head of IT, Aristopharma Ltd.

The major digital transformation at Aristopharma Ltd. started in 2017 with the implementation of SAP S/4 HANA as an ERP system with significant migration of secure core network infrastructure to ensure seamless transactions from local and remote locations. Employees could access the system from home for their day-to-day transactions during the pandemic. Aristopharma Ltd. is the first company in the history of Bangladesh to implement SAP Analytics Cloud Integration with SAP BW HANA during the COVID-19 period that helped a lot to increase analytical capabilities to drive strategic business decisions. By using VMware Horizon (VDI) and VMware Workspace ONE, Aristopharma could deliver personalized virtual desktops tailored to specific policies for each user, enabling employees to work seamlessly from anywhere, on any device during COVID-19. Around 3000 employees of the salesforce of Aristopharma have been using our own mobile application which is integrated with SAP S/4 HANA to ensure the supply of products at all levels in the market which has been effective in managing the on time product deliveries during the pandemic.

Aristopharma Ltd. has deployed various digital platforms considering major aspects of cyber security. By using CISCO high end firewalls and email security system along with end point protection has reduced most of the external and internal security threats. By deploying VMware Horizon (VDI) and VMware Workspace ONE, end users have to go through a certain level of policy and there are restrictions for unauthorized access. With this, we are managing the security for all our company-owned devices through a single console.

Akramul Haque, Chief Services Officer - IT Division, Bangladesh Export Import Company Ltd.

BEXIMCO management had a clear understanding of what could happen during the pandemic, fortunately. Hence, we started work from home on a trial basis before the lockdown started. As a part of that, we prepared an IT policy for remote office and Work from Home guidelines. These were well-conducted throughout the organization. We had also conducted sessions for all the employees so that they could keep themselves safe and secured during the pandemic. We have reviewed IT tools, resources & capacity. Based on review of feedback, we have taken proper initiatives for the readiness of work from home with security and success.

For logging into the corporate network, VPN was mandatory. The source IP addresses were whitelisted in the firewall. Whereas all other IP addresses we denied. For sensitive users, we provided a dedicated broadband connection to maximize the control over the network security. For all users, we also provided endpoint security solutions. Employees were highly encouraged to dedicate their devices only for official work. This helped us to ensure a lesser attack surface and to minimize the maintenance hassle.

We adopted the Zero-Trust philosophy for our IT resources. We enforced 2FA for our email and other resources. We also made sure of firewalls with extended ACLs and WAF before all the resources respectively. VAPT tools like Nessus for the IT resources are being used regularly to find out any security loophole. Moreover, a dedicated security team is in place to be vigilant. As a regular activity, they take care of updating the respective software versions and patches. CVEs are addressed timely by them.

For our sensitive employees, we provided dedicated broadband connectivity through BEXIMCO owned ISP. DDOS mitigation platforms were in place as well. For the employees, we prepared an IT Policy where the protection against cyber threats was covered in detail and thoroughly. We believe Cyber security is not an IT job anymore. It has become every employee’s concern these days. Moreover, we are conducting cyber security awareness training at regular intervals to ensure that the IT Policy is in practice.

Sarzil Sarwar, Head of Information Digital Technology, BAT Bangladesh

At the onset, COVID-19 further accelerated our digital transformation journey which had the building blocks in place, but not utilized to the fullest extent. We enabled secured and remote working by partnering up with connectivity and solution providers ensuring a solid environment. Aside, there was a continued cyber security awareness campaign and training. Further, we put our early learnings into action and fast-tracked certain projects like ZTNA within the environment.

As a leading FMCG and a listed company, we always stay ahead of the curve by continuously monitoring, assessing, and plugging any gaps in the internal environment, process or policies to ensure a robust network. We not only safeguarded internal stakeholders but also had to ensure that all channel partners and relevant stakeholders are also in sync with best practices.

Md. Ahasan Ali Rajmul, Assistant General Manager - IT, Bata Shoe Company Bangladesh Ltd.

At Bata Shoe Company Bangladesh, we have used M2M Modem and Data connectivity for accessing critical resources and to remain protected from cyber-attacks.

We have also implemented Kaspersky Endpoint Security Cloud Plus and Office 365 to avoid cyber-attacks.
