With the oncoming digital age and new work models coming to play, the concept of BYOD introduced in workplaces today, to allow ease of access to confidential company data for employees on the go, exposes organisations to vulnerable cyber threats. Combating issues such as complex cyber threats cannot be simply addressed by avoiding flexi-work adoption or BYOD deployment.
To combat the scourge of cybercrime more effectively, by beefing up security measures in the region in association with government agencies, we at HR in Asia seek exclusive insights from Benjamin Mah, Co-founder and CEO of V-KeyandTony Chew, CIO of V-Key on how to address the cybersecurity issues and challenges in the rapidly growing digital age.
We need to collaborate with governments and industries to understand their vision for digital identities. This way, we can build an ecosystem of trust that provides a platform for all to have access to transformation digital technologies. Read on…
Is cybersecurity talent shortage in Singapore a growing concern among businesses?
Benjamin Mah: Cybersecurity is still very much a growing, turbulent and evolving area, and getting talents with expertise in software design, security engineering, cryptography, network operations, and Smartphone technology and biometrics is a daunting pursuit.
Additionally, there is low awareness of the cybersecurity profession. Cybersecurity evokes imagery of sleepless nights fighting a losing battle against cybercriminals and malware. It’s a thankless job and it’s not difficult to imagine why most graduates are not thinking about choosing this discipline as a career.
Benjamin Mah, Co-founder and CEO of V-Key
I’m glad that at V-Key we have a very different philosophy and vision regards cybersecurity, and we have a visualization that deeply resonates with seasoned industry professionals and young graduates alike.
For example, in our work with Ngee Ann Polytechnic, we are re-shaping and re-contouring the definition of security in the digital age, one that is more calibrated for the digital environment we are in and the omnipresent mobile devices that go everywhere with us.
We see the core work of our profession as digital security. The key distinction from cybersecurity is that we believe security in digital age should be about building bridges, and not walls.
Our solutions facilitate inclusiveness by providing access to myriad services through mobile devices, securely and conveniently. As an example, this means that people in developing nations with low-cost Android devices can also have the same access to banking services which are enjoyed by a person in a highly connected nation with the latest flagship iOS phone.
With alarming talent crisis, how do you think organisations in Singapore can beef up security measures to fight cybercrime?
Benjamin Mah: The risk here is bringing on talent or solutions that are quick-fixes, which will be insufficient to meet with the realities of the rapidly changing threat environment over the long term. Improving cybersecurity must be an ongoing commitment, best tackled at a national level, involving multiple stakeholders in the industry along with the collaboration and support of relevant government agencies.
For a start, businesses should invest in human capital and capability development to build internal capabilities, or at the very least, initiate the processes to acquire them. This will not solve the security concerns immediately, but it presents a measured approach which is likely to be more sustainable, productive and effective.
Additionally, organizations need to fundamentally review their product or service offerings, and take steps to include security as a core consideration. This may mean nurturing or hiring talent who are able to bring a mix of product knowledge as well as security into design and development.
At the industry level, there could be more private-public collaborations to strengthen the cybersecurity ecosystem. Many solution providers in the security industry have partnered with government agencies and financial institutions to address challenges in digital transformation together. Today, V-key is very active in doing so.
On a personal note, I’ve been actively involved as Co-Chairman at the Tech Skills Accelerator Governing Council, the SiTF Manpower Committee, and the Future Growth Industries and Markets panel for the Singapore government. I’ve been tasked to oversee initiatives to accelerate talent development in public and private spheres, while also leading on discussions to improve the larger IT talent shortage in Singapore.
Tony Chew, Chief Information Officer of V-Key
Do you think new work models, such as flexi-work arrangements, work-from-home and BYOD pose increased threats to critical organisational data?
Tony Chew: Broadly speaking, new work models should not pose insurmountable data security problems for any organisation. We already have proven security technologies and capabilities would provide the security assurance and performance that is required for any office or home environments, and the linkages between them.
However, important emerging considerations, especially here in Asia where high Smartphone penetration is exerting pressure on policies regards BYOD. As technology innovation and connectivity shifts to mobile devices and IoT, enterprises and users are exposed to more complex cyber threats that cannot be simply addressed by avoiding flexi-work adoption or BYOD deployment.
With organisations moving data to the cloud, how can security be ensured on cloud infrastructure?
Tony Chew: Cloud infrastructure technology has made significant progress towards enhancing data protection and access security through two factor authentication, end-to-end encryption and strong cryptographic key management processes.
During my tenure at the Monetary Authority of Singapore (MAS), I led the development of a clear set of guidelines for assessing, managing and monitoring technology risks and security standards in the financial industry.
These guidelines that are periodically updated in a timely fashion cover various aspects of regulatory security expectation and performance pertaining to high levels of reliability, availability, resilience and recoverability of critical IT systems. It also stipulates regulatory requirements for systems and operational controls to protect customer data and systems access.
In moving to the cloud, it is important to have multi-tiered security layers of protection which maintain operational agility and convenient access. At V-Key, we have developed solutions designed and constructed to enable security on the mobile device. This means companies can provide services that are secured end-to-end, through a robust and unbreakable security architecture, which emulates hardware security in a virtualized software environment.
Mobile banking and payment apps running onV-OS secure element are immune to malware intrusion or interference. Our software-based security solution allows us to release updates to stay ahead of emerging cyber threats. Currently the V-Key’s mobile security technology protects more than 30 million users all over the world.
Why is there a need for companies to develop a cybersecurity policy? What are the must-have elements to be included as a part of this policy framework?
Tony Chew:Every day we are witnessing just how disruptive and destructive cyber-attacks have become. Organisations must understand that the impact of cybercrime is as extensive as it is pervasive. Recently cybercriminals infiltrated some of the most well-known and putatively best protected global interbank payment systems, like the SWIFT.
Central banks and commercial banks have had their foreign currency accounts held in the global interbank system looted by cyber intrusions. Global payment card ATM systems that still allow magstripe transaction processing in the Middle East, Europe, America, Japan and various countries in Asia have experienced massive losses running into millions of dollars, due to cyber hacking and malware incursions.
Cybersecurity threats and attacks are a global problem. Domestic and indigenous counter measures have limited effectiveness. We need global intelligence sharing, regulatory guidance and intervention, as well as industry collaboration at country, regional and international levels to combat the scourge of cybercrime more effectively.
In appreciation of recent efforts by the Government to launch Cybersecurity Professional Scheme in July 2017, what are the efforts made at V-key to train personnel on cybersecurity and enhance security measures within the organisation?
Benjamin Mah: Digital security is an ever-evolving field. This means our obligation to learn, adapt, and innovate never ends.
Internally, we continue to emphasise security measures in our work plans. This has been the case from day one of V-Key’s existence, its part of our DNA. We have stringent physical access controls and camera surveillance in accordance with Common Criteria CC EAL 3+, we ensure that our engineering and operations are built on internal standards in ensuring data and operational security.
As part of our digital security research group, we focus on scanning the threat environment, with insights quickly disseminated to the team. We regularly conduct training to bring everyone up to speed, encourage internal sharing and collaborative learning. This is fundamental to the work we do, and keeping our technical and operational edge in the industry.
Should access to certain official data be allowed on mobile devices especially the phones since this is one main challenging question for companies today, especially with the mobile workforce requiring constant access to data on the go?
Benjamin Mah: There is a place for restricting access to data, especially when it comes to national security or defence issues. Would it make sense to enforce these restrictions on all forms of official or sensitive information? That would be a high price to pay to customers of a business, and citizens of a nation.
However, no organisation today can afford to be nonchalant about data protection, especially when lives and livelihoods are tied to data. The solution would be to have a firm grasp of the data types in an organisation, and understanding the risks and trade-offs for making certain data available on specific devices.
Making employees pay the price of a one-size-fits-all data security policy might be effective, but it will also result in frustration and productivity degradation. This is the key for enabling the new workers of the future. With this shift in digital security perspectives, towards new and agile solutions, companies can protect the mobile endpoint without vexing the workers with complex and expensive systems.
What are the security measures that companies should deploy, when granting access to crucial company data to key trusted personnel on their personal/official devices?
Tony Chew: Deploying security solutions is a risk management decision that involves customer convenience and data protection trade-off assessments. Sometimes, the temptation is to jump to costly solutions from a purely technical perspective. Business leaders need to be level-headed and understand the pros and cons of digital security solutions and practices being adopted.
Adopting and complying with good, simple security practices is the obligation of everyone in the organisation. A good starting point is gaining a clear understanding of what data needs to be protected, when and how.
Benjamin Mah: To add to that, I firmly believe that the future of security will rest in the ability of organisations to make security seamless. That’s why a lot of work we do at V-Key is aimed at making security as accessible and convenient as possible. For example, our solutions for authentication dramatically reduce the burden of security on the user, who still needs to be aware of good practices. The users can enjoy strong digital security as easily as downloading an app.
How can security solution providers overcome the challenge of balancing access and user experience with security?
Benjamin Mah: This comes with an intimate understanding of the customer needs, as well as their end-users. In our case at V-key, we work with financial institutions and government agencies all around the world. As a result, we solve a myriad of use cases.
As you can imagine, expectations of digital security can vary widely – such as, citizens of Singapore, banking customers of a Middle-Eastern bank, and an Indonesian eCommerce customer have different perspectives and approaches to implementing digital security on their personal and work devices.
What is common however, is the need by the customer to feel assured, that their sensitive personal data is fully secured. Delivering a trusted solution that also manifests a sense of trust is something, we are passionate about providing.
As an example, take our work with one of the region’s largest banks. To project a sense of security, we collaborated with the bank to implement additional steps in the user sign-in process to indicate to the end-user (the bank’s retail bank customers) that they were entering a secure environment for banking transactions.
After a username and password, a new overlay screen pops up with an animated graphic to demonstrate that a secure channel has been established. Implementing additional steps might sound counter-intuitive, but it is nevertheless crucial to instil trust in the mobile application. Also, this highlights the cultural and psychological sensitivities, which we consider when developing our solution.
In a nutshell, the solution to achieving a balance between high level of security and convenience comes down to customer empathy. It means being sharp in recognising nuances of user expectations, and developing a product that can be built to respond to those nuances.
This is a core challenge of the new digital era, and we believe that this cannot be solved by private industry alone. We need to collaborate with governments and industries to understand their vision for digital identities. This way, we can build an ecosystem of trust that provides a platform for all to have access to transformative digital technologies.
With a booming fintech ecosystem in Singapore, how can start-ups protect their innovative ideas and data from hackers?
Tony Chew: A recent study by Juniper Research found that SMEs are particularly at risk of cyber attacks. Not only do small organisations face resource limitations, they are also more likely to run older systems that that are more vulnerable to cyber attacks.
Being resource-strapped, start-ups feel the most pressure to find innovative and cost-effective alternatives to costly and complex enterprise security solutions. They need to seek professional advice, assistance, and expertise to help them secure their digital assets and systems wherever they are.
They can also get help from government agencies, trade associations and vendors who understand their predicament. Last year, the government launched a cybersecurity strategy which underscored Singapore’s commitment to build a resilient and trusted environment for all.
Going fully-digital, how important is it for organisations to focus on grooming talent to maintain cybersecure systems, practices, policies, and focus on structural development programs to educate staff on the do’s and don’ts to follow when accessing official data on their personal devices?
Benjamin Mah: Security is essential for survivability. I cannot stress enough how important digital security is for all businesses. Today’s rapidly evolving cybercrime threat is reminding us that digital security is fundamental to business prosperity and continuity. In this light, developing an organizational culture of agility and adaptability is extremely crucial to ensure operational resilience.
This is even more relevant as we look ahead to the emerging developments in digital identities, cross-vertical industries, and the expanding mobile-first population across Asia. Organisations will need to invest in instilling security as a mind-set and as an ingredient in their digital transformation strategy.
More than the need to double down on existing cybersecurity measures, this is an opportunity to revamp how things are done. Organisations wanting to succeed,needs people with leadership skills to transform the organisations of the future, which must be built on trust from the inside out.