

IT Security Matters

Information security ranks consistently as a top priority for business IT professionals around the world. We hear regular news about security breaches at blue-chip companies, and it often seems that even the biggest firms in the world are in and out of the headlines for being vulnerable to a basket of security threats. That doesn't just mean bad PR: most enterprise firms have important regulatory obligations to keep their customer data safe, and financial data leaks can mean billion-dollar losses overnight.

With IT security in mind, we interviewed David Gee, Chief Operational Officer at telkomtelstra, a Managed Solutions provider offering end-to-end Managed Network Services, Managed Cloud Services and Security Solutions for enterprises in Indonesia.

What does "cyber safety" mean today?

While "cyber safety" is often thought of as how we protect our digital data across various systems within a business from attack, damage or unauthorized access, it actually goes further.

We should not think of cyber security in isolation; rather, it must be considered as just one aspect of protecting our data no matter where or how it is stored. One of the easiest ways to gain access to a system is through phishing, the fraudulent practice of sending emails pretending to be from reputable companies, in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Phishing techniques can be as simple as looking in someone's desk drawer to see a list of passwords or sophisticated emails and phone calls, designed to capture information from unsuspecting people. Cyber safety, like all security measures, is only as strong as the weakest link in the chain. Businesses must ensure that they and their people remain ever vigilant to the threat.

Why is security important for your business's operational sustainability?

Information is the lifeblood of any business, and how we use and secure information is vital to sustainable growth and success. For example, if your customer data security is compromised, the reputational damage alone could be quite significant; Yahoo’s share price dropped by almost 4% in the light of 1 billion customer accounts being compromised and numerous customers left the business. It can also be quite costly, with numerous cases of companies having to pay compensation to customers for privacy breaches.

How can businesses conduct a security health check or assessment?

Every company should be conducting regular security health checks, but they should not be restricted to just IT systems. To accurately assess risk, a business must identify the data most valuable to the organization, how it stores that data and the associated vulnerabilities. Paper can be the most vulnerable storage medium for data, as it is easily damaged in a flood, picked up and concealed, lost or even just left behind in a taxi.

Most businesses assume that their security risk assessment is the responsibility of the IT manager, and most security risk assessments only look at IT systems in isolation, failing to consider the wider business. Risk and security are the responsibility of the entire management team and should be a regular agenda item on any board meeting.

A comprehensive view of the systems and processes within a business helps determine the value of various types of data and how to prioritise security spend.

What is the risk to customer privacy?

There are a great number of threats to our customers' data, and we need to keep ever-vigilant. For example, do you know who is entering your building and what they are doing? What documents are your staff printing? Does your company have a policy about what documents can be stored in the cloud or on external drives?

As we have seen, the recent iPhone celebrity hacking scandal, the Netflix ransom demands and the recent WannaCry ransomware attacks have highlighted how costly inadequate security policies can be and that hackers and other third parties will target any organisation that has lax security policies.

The business must perform its security risk assessments taking into consideration all of these elements, including non-IT security threats, such as employees transferring data to external storage (cloud or USB), or printing confidential customer data and then leaving it in a taxi or hotel room. Even camera phones pose a risk, with employees able to take high-resolution photos of screens that can be sold to third parties.

The approach that most companies take, ‘leave it to IT’, actually increases the risk to their business, especially as systems become more complex. Integration and connection with third-party solutions, such as cloud-based applications, only increases this complexity. Any business needs to understand the relative significance of all of its systems, applications, data, storage and communication mechanisms.

Given the recent ransomware attack, what should businesses be doing to protect customer data?

To protect itself, a business must ensure that it has policies relating to frequency of password changes, where documents can be stored, who is allowed into the website, and how they are escorted etc., as well as application and systems-specific policies relating to application of patches.

The business also needs to ensure that it performs regular and random tests of its security, for example, employing a third party to conduct security penetration testing.

This ensures that customer and other data is protected at all times. While no solution is 100% effective, we can minimise the threat to almost zero through ongoing staff training, keeping software up to date and effective controls on who can access data.

The biggest threat to IT security for a business is often its own staff unknowingly introducing threats or allowing their passwords to be stolen. What are some simple steps a business can take to mitigate this danger?

Ongoing training, sound policy and communication are key to minimising the risk from staff unknowingly introducing threats into the business environment. Businesses cannot rely on one staff training session per year to ensure that they remain vigilant. For example, a policy regarding the regularity of password changes is a key tool, but there also needs to be a policy around acceptable passwords. It is amazing how many people use their date of birth or names of family members as their passwords. Ongoing communication and testing are also key. For example, some companies send fake ‘phishing’ emails to staff and monitor the responses. Any staff member who falls for the fake email is then required to complete further training. As techniques to solicit data from our staff become more and more sophisticated, so must our level of vigilance.

What level of certified expertise, experience and access to global threat databases do enterprise corporations need to manage their own security in today's world?

Most organisations employ a handful of people to monitor their network security, apply software patches and perform other security-related tasks, but it is never enough.

The sheer volume of systems, data and people involved makes managing any business's security challenging. Additionally, maintaining the skills of the staff, including training and paying for relevant certifications, is placing an increasing burden on IT budgets. As a result, many organisations are now considering if it is actually better for them to outsource their network and security management functions to an organisation that is specialised and dedicated to this field.

Key considerations and benefits of Managed Security Services providers?

Without a comprehensive business strategy that includes security, organisations put themselves at risk. However, it is almost impossible for an enterprise corporation to tackle this all on their own, and that’s where organisations such as telkomtelstra come in. Our expertise in Network Security, Security Audits and Process Alignment is based on the best-of-breed capabilities of our parent companies (Telkom Indonesia and Telstra Corp of Australia), as well as our relationships with the likes of Cisco, Microsoft, and Fortinet. Together, we are able to bring the necessary expertise to any of our customers, to ensure that their business is always protected.


(July 2017)