
Sri Lanka’s future lies in its cybersecurity

08 Aug 2021

  • Imesh Liyanage on the importance of cybersecurity in Sri Lanka in the digital age
Digital security is now becoming as important as physical security. This isn’t really a new development; the world has been worrying about cybersecurity for some time. But with Sri Lanka finally having caught up to the rest of the world in living a significant part of life online, cybersecurity is now more of a concern than ever, especially for the business world. Cybersecurity is essentially making sure you’re safe online, and for businesses this means making sure your company is safe online, including its data and that of its stakeholders, from customers to employees. Brunch chatted with TekSek Cyber Security Director Imesh Liyanage for a little more insight on cybersecurity and how it relates to the new normal.

TekSek was the cybersecurity company that introduced risk-based vulnerability management to Sri Lanka, and it helps companies proactively protect themselves against threats to their cybersecurity. TekSek was born when Liyanage and a friend of his were approached by Cyber Security Works (CSW), a cybersecurity firm founded in India which recently moved to the US, looking to expand its reach to Sri Lanka and other countries in the region. A fintech founder with a life-long love of tech, Liyanage had worked with many tech start-ups, where he had his ear to the ground with regard to security and had noticed the many issues facing e-commerce businesses, and especially payment providers, operating in Sri Lanka when it comes to keeping data safe, as well as the unnecessary cost and complications of obtaining security certifications.

How TekSek revolutionises cybersecurity

Sharing a bit about how hackers work and how TekSek and CSW identify the different threats to a company’s cybersecurity, Liyanage explained that there are two kinds of hackers: white-hat hackers and black-hat hackers.
White-hat hackers are the “good guys”: hackers who look for gaps and security weaknesses in software and then report what they find to the software’s developers so it can be fixed in later versions or updates. Engaging such people to simulate attacks on your own systems is a basic security practice, and is called penetration testing. Then there are black-hat hackers, the malicious ones, who find issues but keep the knowledge to themselves, either to use it or to sell these “zero-days” (flaws for which no fix yet exists) to the highest bidder on the dark web. The people who buy this information then use bots to scan for vulnerable devices and hack their owners, taking control of their data, leaking it, or simply locking the data and holding it for ransom.

Most cybersecurity companies stop at delivering penetration testing reports, but TekSek and CSW take things further by delivering their results through the industry leader in risk-based vulnerability management, RiskSense.

“In an organisation of 1,000 employees, you will find about 10,000 vulnerabilities. Most cybersecurity companies will give you back a spreadsheet of these 10,000 vulnerabilities for the company’s IT team to resolve. What TekSek does is help manage the fixing of these issues. We calculate a vulnerability score, and it works like a credit score, basically,” Liyanage explained. “We bring in threat intelligence and business context. By understanding which vulnerabilities are ‘trending’ among attackers, we are able to define how much priority a threat should be given, taking into account which systems are critical for an organisation.
This objective score makes it easier for IT teams, security teams, auditors, insurance adjusters, and the boards of these large companies to communicate, because boards don’t need to understand the technicalities of the threat itself, just the impact it has on the risk score, and to understand which issues need to be fixed and what resources they need to fix them.”

Through a risk dashboard designed to be easy to understand from a non-technical perspective, companies can see how their vulnerability score fares over time and learn what has caused it to fluctuate. The system also allows threats to be assigned directly to IT personnel, so that there is full visibility and transparency and the company at large can see how quickly and effectively security issues are being handled.

“RiskSense enables easy and automated prioritisation of issues,” Liyanage shared. “For example, a critical vulnerability that attackers haven’t used in years, on a non-critical device, will be ranked lower than a medium-severity issue in a business-critical system which was exploited by attackers, say, last week. IT teams can now concentrate their limited resources on issues that actually matter and fix lower-priority issues later. However, this does not mean that low-priority issues should be ignored forever; if threat actors start exploiting these issues again, your score will be updated in real time and those vulnerabilities will automatically increase in priority.”

SL’s cybersecurity market and the need for increased cybersecurity in the new normal

Sri Lanka’s cybersecurity market is still small and still growing, and one of its main challenges, Liyanage shared, is the lack of laws and regulations around data protection. This is being remedied with the drafting of the Data Protection Bill, though it is still about three years away from being enacted. There is, however, a big lack of understanding when it comes to cybersecurity.
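The prioritisation rule Liyanage describes above (a critical vulnerability nobody has exploited in years, sitting on a non-critical device, ranks below a medium-severity issue on a business-critical system exploited last week, and a parked issue climbs again as soon as fresh exploitation is observed) can be made concrete with a small scoring model. The Python below is an added illustration, not RiskSense’s or TekSek’s code; its formula, weights and recency thresholds are assumptions chosen to reproduce the behaviour described in the interview, and the three findings and the threat-intelligence feed are constructed, not real vulnerabilities.

```python
"""Risk-based vulnerability prioritisation: severity x business context x threat activity.
Added illustration with an assumed scoring model; not any product's actual algorithm."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str                    # scanner/advisory identifier (constructed, not real CVEs)
    asset: str                      # host the finding was observed on
    cvss: float                     # base severity, 0-10, as a plain scanner report gives it
    criticality: int                # business context: 1 (non-critical) .. 5 (business-critical)
    last_exploited: Optional[date]  # latest in-the-wild exploitation seen by threat intel; None if never


def threat_factor(last_exploited: Optional[date], today: date) -> float:
    """Threat-intelligence weight (assumed thresholds). Exploitation in the last month is
    'trending' and counts fully; older sightings are discounted; never-seen is discounted
    most but never zeroed, so a finding can still surface if nothing else is being exploited."""
    if last_exploited is None:
        return 0.1
    age_days = (today - last_exploited).days
    if age_days <= 30:
        return 1.0
    if age_days <= 365:
        return 0.5
    return 0.2


def risk_score(finding: Finding, today: date) -> float:
    """0-100 risk score. The three inputs multiply, so a weak threat signal drags down even a
    CVSS 9.8, and a strong one lifts a medium on a critical host above it."""
    severity = finding.cvss / 10.0
    context = finding.criticality / 5.0
    return round(100.0 * severity * context * threat_factor(finding.last_exploited, today), 1)


def prioritise(findings: list[Finding], today: date) -> list[Finding]:
    """Work queue for the IT team: highest risk first."""
    return sorted(findings, key=lambda f: risk_score(f, today), reverse=True)


def apply_threat_intel(findings: list[Finding], feed: dict[str, date]) -> list[Finding]:
    """Merge a threat-intel feed (vuln_id -> date exploitation was observed) into the findings.
    Only a newer sighting replaces the stored date; the score is recomputed on the next
    prioritise() call, so a parked low-priority finding climbs automatically."""
    merged = []
    for f in findings:
        seen = feed.get(f.vuln_id)
        if seen is not None and (f.last_exploited is None or seen > f.last_exploited):
            f = replace(f, last_exploited=seen)
        merged.append(f)
    return merged


TODAY = date(2021, 8, 8)            # article date, used as the scoring reference point
LATER = TODAY + timedelta(days=7)   # a week on, when the constructed feed below arrives
# Constructed findings: a stale critical on a test printer, a fresh medium on the core banking
# database, and a high on the HR portal with no known exploitation.
SAMPLE = [
    Finding("VULN-A", "test-printer-01", 9.8, 1, TODAY - timedelta(days=3 * 365)),
    Finding("VULN-B", "core-banking-db", 5.5, 5, TODAY - timedelta(days=7)),
    Finding("VULN-C", "hr-portal", 7.5, 3, None),
]
# Constructed feed: a week later, attackers are seen exploiting VULN-A again.
FEED = {"VULN-A": LATER}


def demo() -> tuple[list[str], list[str]]:
    """Ranking before and after the feed is merged, as vuln_id lists."""
    before = [f.vuln_id for f in prioritise(SAMPLE, TODAY)]
    after = [f.vuln_id for f in prioritise(apply_threat_intel(SAMPLE, FEED), LATER)]
    return before, after


if __name__ == "__main__":
    for label, day, findings in (("at article date", TODAY, SAMPLE),
                                 ("one week later", LATER, apply_threat_intel(SAMPLE, FEED))):
        print(f"Ranking {label}:")
        for f in prioritise(findings, day):
            print(f"  {risk_score(f, day):5.1f}  {f.vuln_id}  {f.asset}")
```

Running the script prints the ranking at the article’s date (the medium on the core banking database first, the CVSS 9.8 on the test printer last) and again a week later, after the constructed feed reports VULN-A exploited in the wild: VULN-A moves from last to second without any change to its CVSS or to the printer’s criticality, which is exactly the effect of bringing threat intelligence into the score. A real deployment would take that signal from a maintained feed such as CISA’s Known Exploited Vulnerabilities catalogue or EPSS rather than a hand-written dictionary.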
“The majority of companies are still family-run and lack proper governance structures,” Liyanage said. “They may not always have the technical knowledge, and since there is little outsider input in decision-making, security is not prioritised till after an issue occurs, that is, if they even detect that a breach has occurred.” The lack of regulations and understanding limits the size of the market, because only companies that are heavily regulated, like banks, take cybersecurity seriously, since they are legally liable. “All other companies are not liable for losing customer data, so why would they spend money to protect it? Sadly, the only time you see most companies caring about customer data is if a competitor tries to steal their client list, not because they are worried about customers’ privacy.”

The impending Data Protection Act and the proposed Cybersecurity Act are likely to help improve this, but for Sri Lanka’s cybersecurity market to grow and become an exporter of security products and services, there is a lot of work to be done to build a reputation as a country that takes security seriously. Not just large companies but the Government and SMEs as well need to commit to cybersecurity and to preserving the integrity of the data they are given or have access to. Talent is also a huge part of being able to grow the Sri Lankan cybersecurity industry. Liyanage explained that not just locally but globally there is a huge gap when it comes to cybersecurity talent. Locally, it is expected that there will be 10,000 cybersecurity-related roles in the Sri Lankan job market over the next five years that need to be filled, but only a few hundred cybersecurity graduates are entering the profession each year.
Working towards making Sri Lanka a cybersecurity hub of sorts, organisations like the Sri Lanka Association for Software Services Companies (SLASSCOM) are pushing cybersecurity companies hard to export their services, but again the lack of regulations and laws proves a challenge, because it is hard to instil trust in customers abroad when they have no way of holding a Sri Lankan security provider accountable should their data be compromised. “There is potential for export to other developing countries and markets,” Liyanage explained. “Because, like Sri Lanka, they too don’t have data protection laws and regulations, but these markets are not very lucrative. The lucrative markets have strong privacy laws and, as such, are unwilling to work with countries that don’t have the same baseline of responsibility.”

The pandemic has transformed all aspects of our lives and has taken all Sri Lankans kicking and screaming into the digital age. This is especially true for businesses. With the entirety of some businesses now taking place online, the need to protect them is even greater, from many perspectives. The shift to working from home has also raised the stakes for customer data and privacy, an area touched on earlier in the article, and is a further reason for added cybersecurity. “More and more people are working from their personal devices, which IT departments have little control over.
Based on the access these employees have, they can provide an easy way into a company for hackers, especially when most personal devices in Sri Lanka have some sort of pirated software or games installed and updates aren’t installed on time (not to mention being used to visit questionable streaming sites, etc.).” The rise of cryptocurrency and the relative anonymity it provides has been accompanied by an almost parallel increase in ransomware attacks, with Liyanage sharing that many Sri Lankan companies, both large and small, have suffered ransomware attacks, multiple times in many cases, highlighting the very real nature of the threat.

Becoming truly future-ready

While apologising for going on about the lack of security, Liyanage spoke about where Sri Lanka is improving. “The silver lining in all this doom and gloom is that newer companies can improve their security faster than incumbents, since they don’t have to worry about old systems that were not designed with security in mind. Highlighting a good security posture is a strong competitive advantage when attracting customers in countries with strong privacy laws and is a great opportunity for start-ups to outshine older competitors. Once start-ups begin to leverage this, we will see more organisations following so they don’t lose business.

“We are already seeing the result of this international market pressure to improve security. More and more companies are setting up dedicated departments to handle cybersecurity outside IT, risk committees are dedicating time to understanding their cyber risk, and procurement departments are starting to look at the cybersecurity of suppliers, so we are seeing the signs of improvement.”

Speaking about how Sri Lanka can become more cyber-secure, Liyanage shared that in many cases cyberattacks are not reported.
There is no requirement for attacks to be publicly reported, and companies, especially reputed ones in industries like finance, can lose face if they disclose cyberattacks to the press. We need to weigh the collective benefit of disclosure over the reputational concerns of a single organisation, for two reasons: the intelligence gained from one attack can be used to prevent the next, and data stolen in one attack can be used to target your customers, so they need to be made aware in order to protect themselves.

