Cybersecurity is becoming an existential issue for the business community and society, not only because the threat landscape has turned more complicated – all the more so lately due to trade wars as well as geopolitical tensions – but also because of the increasing lucrativeness of data to saboteurs or thefts. The issue is more urgent now due to the rapid increase of the data volume uploaded and shared, requiring defensive measures to be enhanced.
Owing to such urgency, forums on cybersecurity have garnered enormous attention from the global cybersecurity community. The APAC Cyber Security CISO Roundtable, which took place last week in Melbourne, Sydney, mirrored such attention and concerns, as the forum drew the incredible participation of some 5,500 professionals.
A takeaway from the massive gathering is that humans are both the problem and the solution to cybersecurity, while Artificial Intelligence (AI) will only result in innovations on both sides of the security war. The forum was convened by Bugcrowd, a U.S.-based company that has developed a far-reaching platform for crowdsourcing security testing.
Cybersecurity challenges
One of the biggest cybersecurity challenges is the huge volume of data being created and uploaded that needs to be protected, at a time when the volume is rising at warp speed.
David Fairman, CIO for APAC for NetSkope and also an advisor to the board for Bugcrowd, called attention to a prediction that “80% of the data that will be out there by 2025 will have been created in the previous three years.”
“So think about the volume and pace at which we are generating data, that data is out there in digital ecosystems, that it’s interconnected. We have 18.2 billion mobile devices or endpoints anticipated to be connected to the digital ecosystem by 2025. That attack surface becomes extremely difficult to defend,” said Fairman, who has had nearly 20 years being in charge of security issues at major institutions like National Australia Bank, JPMorgan Chase, Royal Bank of Canada and Royal Bank of Scotland.
Dave Gerry, CEO of Bugcrowd, noted that the average spend on remedying a cybersecurity breach is expected to reach US$4.35 million, and quoting IDC, he told the chief information security officers (CISO) participating in the event that “there’s going to be US$219 billion spent on cybersecurity in 2023, going up about 12% year-on-year, yet, we still see more security breaches than we’ve ever seen.”
The threat landscape is more critical in the Asia-Pacific region as hybrid working has reached 60% in the aftermath of the pandemic, meaning the majority of workers are beyond the security perimeters of enterprises.
Apart from finance-banking and telecom industries that are more prone to attacks, most other sectors and verticals can be vulnerable to adversaries if strong defensive measures are not taken, especially during the time of AI and Internet of Things.
Ryan La Roche, CISO at St John of God, Australia’s biggest not-for-profit healthcare provider operating 17 hospitals across Australia, raised the point: “Once upon a time, biomedical devices were just there plugged into the wall and doing their thing. But, you know, we’ve moved into this modern digitization age where everything is interconnected, talking to one another exchanging data.
“That creates incredible benefits for a healthcare outcome, but it creates some very interesting risk and can make a healthcare organization a really serious target,” he said. “Organized crime is a big thing. It’s become highly monetized and in the healthcare setting the kind of data that we have about our patients is incredibly lucrative.”
Dan Maslin, group CISO at Australia’s largest university, Monash University, pointed to the growing sophistication of hackers. “We’re seeing zero days (i.e network vulnerabilities) being discovered and exploited within 24 hours. I think that’s going to get worse.”
He also warned that security perimeters were becoming more porous as organizations became networks of digital partners.
“It doesn’t matter how hard you make the shell of the organization, you’ve got hundreds or even thousands of third parties connected in. They could become the Achilles heel for many organizations for the rest of the decade,” he warned.
Seconding this point, Luke Barker, group owner for security at Telstra, said the group has hundreds of third party partners that connect into the Telstra network. “So, we need to constantly ensure that we’re protecting not only solutions we take to market and protecting our own organization, but also protecting our vulnerable third party and fourth party chain,” he said.
The heart of hacking
Despite multiple challenges, speakers at the Roundtable agreed that there are great opportunities and solutions to cope with threat actors, given the vast community of white-hat hackers always willing to contribute to the community.
Dave Gerry, CEO of Bugcrowd, stressed that despite an evolving threat landscape, “our view is that the [white-hat] hacker community possesses an entirely new approach to security, it allows our customers to tap into this ingenuity that exists in the crowd, and be able to very quickly start to defend and ultimately take some control back.”
This crowdsourcing approach, offering bug bounties, is also the business model that Bugcrowd has employed to protect its customers – numbering nearly 1,000 – since the company’s inception in San Francisco 11 years ago.
“We were founded to help empower our customers, disrupt the adversary. We’re here to help customers to be able to defend against what they’re seeing on a daily basis. And we’ve accelerated the platform development since then, to be able to assist our customers, again, to tap into this collective creativity that exists in the community today,” he added.
Bugcrowd employs a talented workforce of some 260 professionals, but Dave Gerry said the company has hundreds of thousands of white-hat hackers working on its platform to do good to the community and society.
It is lucky that almost all hackers are willing to make contributions, and their efforts to look for system vulnerabilities are simply a hobby rather than for financial gains.
Sajeeb Lohani, head of security at Bugcrowd, referred to what he termed the heart of hacking to explain the huge resources available to tap from the community to fight adversaries.
“I’m going to talk to you about major points, which is basically what we like to call the heart of hacking… Of the 1,000 people that we surveyed, 87% of them believe it is more important to go and provide the company or the organization with the critical vulnerabilities, instead of waiting for some kind of financial gain,” he said.
Most hackers care more about the social good, care more about the community effects, instead of trying to gain something financially, according to Sajeeb Lohani, who added that “89% believe that companies are viewing hackers in a more favorable light… It basically means that nowadays, companies are going hand in hand with hackers.”
It is interesting that “basically people don’t only hack for money, we hack to be able to tell a nice story, or we hack to go and help with social good.”
Sajeeb Lohani explained that Bugcrowd uses the bounty program “because even though we have a very talented team internally, … there’s still so many other talented individuals in the crowd.”
Nick McKenzie, CISO at Bugcrowd, illustrated that there are north of 650,000 hackers working on the company’s platform, enabling it to respond to the huge, diverse demand of customers.
And, Bugcrowd’s CEO Dave Gerry added that customers are finding immense value in tapping into the creativity of the hacker community.
“Hackers are no longer viewed as people that are sitting in a basement with a hoodie, typing away on their computer; they come from all walks of life. One of the stats that for me was the coolest as I read through the findings in our report was our under 18 cohort. So kids on the platform doubled year over year,” the CEO said.
Despite encouraging the approach of tapping the ingenuity of the crowd, Dave Gerry urged organizations to promote internal security measures, saying security is everybody’s responsibility. “This is not a security team’s responsibility. This is not a CISO’s responsibility. It is incumbent on every member of the organization in the business, to ultimately play a role in the security of protecting customer data and critical IP of the organization,” he said.
Asked by The Saigon Times for further explanation on the need for all members in an organization to heighten their responsibility for security, Dave Gerry gave the answer from Bugcrowd’s perspective, saying that whenever looking at what is the potential risk that goes with a decision, this is ultimately the responsibility of all members of the executive team.
“It’s not just (Bugcrowd’s CISO) Nick McKenzie that’s responsible for security for Bugcrowd. Ultimately, it’s every single member of the leadership team that takes an ownership stake in what is the risk to the business,” he explained.
As there are vast opportunities to develop the cybersecurity industry by tapping the resources of the crowd, Bugcrowd established its own university for white-hat hackers nine months ago named Bugcrowd University, and has seen a strong response.
“They’re coming in, and they’re learning how to find security vulnerabilities. And again, it’s not about Bugcrowd. It’s not about us growing our business. It’s about how we continue to kind of drive the industry forward,” he said.
The issue of AI and how it affects cybersecurity was also discussed at the forum, though only taking a back foot.
According to Sajeeb Lohani, AI is a useful tool for hackers but not a threat to the survival of the species. According to Inside the Mind of a Hacker research published by Bugcrowd, 94% of hackers either already use AI or plan to start using it soon for ethical hacking. Up to 72% do not believe AI will ever replicate human creativity.
Bugcrowd’s Dave Gerry agreed, saying “AI is going to help make this entire industry more efficient, we’re going to become more productive, [but] it’s going to introduce a lot of new risks.”
“No matter how many tools are deployed, no matter how many new solutions and services and vendors are brought on board, this ultimately still comes down to the human being, and how we make sure that we’re securing our teams or securing our infrastructure, but we’re doing this from a human first approach,” the CEO concluded on the company’s human-centric approach.
“Cyber Security 2023 and 2024” is a program launched by the Saigon Times Foundation to raise awareness on cybersecurity for IT students, CISOs, organizations and enterprises. The program has special backing from the U.S.-based Bugcrowd and Zonic Group from the UK.
Vietnam vulnerable to cyber attacks Reports delivered at a conference on protecting State secrets and cybersecurity convened by the Ministry of Science and Technology on September 8, 2023 showed that Vietnam is one of the three APAC countries most vulnerable to cyber attacks. In the first half of this year, competent agencies reported nearly 17 million signs of cyber threats, rising 240% year-on-year. As many as 208 websites or networks of State agencies came under attack for thefts of information, data and State secrets.It was highly alarming that there were waves of attacks conducted by foreign hackers, using 15 variants of dangerous malware that can penetrated systems for theft.Facing the urgent need to step up the cybersecurity industry, the Government on August 10, 2022 issued Decision 964/QD-TTg to set the target to establish two to three R&D centers between now and 2030 to develop services and solutions on cybersecurity. The key aims include turning Vietnam into a leading player in Asia in terms of cybersecurity, and accelerate the market for cybersecurity with an annual growth rate of 10% to 20%.