• Imesh Liyanage of TekSek Cyber Security on the importance of corporate cybersecurity

The pandemic has really driven the concept of being “future-ready” and “future-proof”, and with good reason. Almost all businesses have been thrown in a loop with the chaos the pandemic has brought with it. One-and-a-half years later, we’re still trying to muddle our way through the new normal. 

The internet and living in the digital age was a godsend, and while businesses have indeed become future-ready, for the most part, their interpretation of future-ready looked at integrating technology (old and new), reinventing business models, and maintaining happy customers. However, there is another very important thing businesses need to address to be truly future-ready in this digital world: cybersecurity.

Cybersecurity is essentially making sure you’re safe online, and with businesses, this means making sure your company safe online. Brunch chatted with TekSek Cyber Security Director Imesh Liyanage for a little more on businesses and cybersecurity in the new normal. TekSek was the cybersecurity company that introduced risk-based vulnerability management to Sri Lanka, and helps companies proactively protect themselves against threats to their cybersecurity. 

The misconceptions around cybersecurity in Sri Lanka

Cybersecurity is often misinterpreted in Sri Lanka because of a general lack of knowledge on the subject, especially within companies. Imesh explained that this lack of knowledge is compounded by Sri Lanka’s island mentality that Sri Lankan businesses are too small to be targeted by hackers, adding that this is absolutely not the case, with small companies like SMEs often being very easy targets for malicious hackers.

Sharing a bit about how hackers work, Imesh explained that there are two kinds of hackers – white-hat hackers and black-hat hackers. White-hat hackers are the “good guys”, hackers that look for gaps and security weaknesses in software and then report this information back to software developers for them to fix in later versions or updates. Simulating attacks on yourself is a basic security practice. 

Then there are black-hat hackers, the malicious ones, who find issues, but keep the knowledge to themselves in order to use themselves or to sell these “zero-days” to the highest bidder on the dark web. The people who buy this information then use bots to scan for devices that are vulnerable and then hack those people, taking control of their data, leaking it, or simply locking data and holding it for ransom.

“It doesn’t matter where you are, or how big you are. Hackers don’t care. They will attack the easiest target. The biggest misconception is that people think they’re too small to be on a hackers radar,” Imesh said, adding that SMEs running on pirated software and very small teams are particularly vulnerable to being hacked, because their software is out of date and they often don’t have a dedicated IT team to stay on top of cyberthreats.

Another big misconception to do with cybersecurity is that it can be managed as a one-time investment or solution. Imesh shared that cybersecurity is a constantly moving target with frequent, proactive revision of controls needed to prevent data and security from being compromised. This misconception, often coupled with a lack of computer and technological literacy among senior management in many, if not most, companies, often leads to companies being behind the curve when it comes to cybersecurity. 

Imesh shared that many companies in Sri Lanka, including very large and well-respected national and multinational companies, are frequently hacked by exploiting issues that have been known for years, but the updates were never installed. These easily preventable attacks occur due to a lack of “cyber-hygiene”.

Becoming truly cyber-secure

For companies to become truly future-ready, they need to be able to keep themselves secure online, and Imesh shared that the most practical way to do this is through looking at their “cyber-hygiene”. This starts by simply knowing what assets you have and who's responsible for them. Most organisations have old devices riddled with security holes which haven’t been updated in years, only because they forgot they even had it. 

“This first part of the battle is something that many companies haven’t done,” Imesh said. “They don’t know where their data is stored, who has access to it, which systems have known security issues or who is responsible for managing each asset. You can’t protect something if you don’t know it exists.”

Once companies know where their cyber assets are, secure cybersecurity strategies can be developed to protect their data. Imesh shared that one thing companies should never do is use pirated software, especially Microsoft Windows, because complex pieces of software  like this constantly receive updates, and with pirated software this doesn’t happen, leaving lots of holes and vulnerabilities for hackers to find. Updating software is equally important.

An alternative to this issue of software, Imesh shared, especially for SMEs with limited resources, is to move to cloud-based solutions, because the company that is hosting you on the cloud will have inhouse security expertise to constantly monitor and fix issues, and by extension, keep their users safe. “But this is not guaranteed; always check the security practices of your cloud solution provider and get the opinion of an independent cybersecurity professional if you are unsure.”

In staying safe online, large companies especially should adopt a “zero-trust” approach, because oftentimes, especially now with remote work and VPNs, many hackers find ways into company networks through employees’ personal devices. Companies should therefore verify people each time they connect, looking at the time, place of logins and similar to spot any anomalies. Imesh shared that this is hard to do for smaller companies, however, and since the tools used for effectively monitoring and verifying this are still fairly new and therefore expensive.

Imesh also shared that is vital for management, especially at the senior level to become more technologically literate, sharing that frequently, hackers find their way into companies’ data by hacking the devices of someone in senior management, who is not heavily technologically literate but still has access to all that company’s data. 

“It’s a learning and education issue, and it’s hard because it’s cultural as well,” Imesh said, explaining that senior management is typically given full access, no questions asked and that this needs to change for data to be truly secure. Even senior management and directors should be given access only to what they actually need and if more access is required it should be granted only a temporary basis.

Becoming truly future-ready

Speaking about how Sri Lanka can become more cyber-secure as a whole, Imesh shared that in many cases, cyber-attacks are not reported. There is no requirement for attacks to be publically reported, and companies, especially reputed companies in industries like finance, can lose face if they were to disclose cyberattacks to the press. 

This is something Imesh hopes can be addressed with the introduction of the Cyber Security Act, though such an act is at least two or three years away. Such legislation would not only allow for accurate data gathering, but also allow the security industry to share intelligence on attacks and prevent similar attacks. 

Another very important step that needs to be taken for Sri Lankan cybersecurity is the development of Sri Lankan cybersecurity talent. Imesh explained that not just locally, but globally, there is a huge gap when it comes to cybersecurity talent. Locally, there are expected to be 10,000 roles related to cybersecurity in the Sri Lankan job market over the next five years that need to be filled, but only a few hundred cybersecurity graduates entering the profession each year.

Going back to technological and cyber-literacy at the senior management level, Imesh shared that this too needs to be addressed, not just in terms of senior managers and their devices, but in terms of how they make decisions at the board level. 

“There is awareness on cybersecurity issues at the board level, but there is no knowledge, and IT departments don’t know how to communicate cybersecurity issues and threats to the board as well. Cybersecurity is not cheap, but prevention is cheaper than recovery and we need a lot more education on cybersecurity at the board level,” he stated.