Shooting down misconceptions that lead to cyber security breaches
23 October 2014 (Borneo Bulletin)

CYBER security took centre stage yesterday as the Organisation of Islamic Cooperation – Computer Emergency Response Team (OIC-CERT) held its 2014 annual conference and 6th annual general meeting at the Rizqun International Hotel.

The event was hosted by the Brunei National Computer Emergency Response Team (BruCERT) and co-organised by the Permanent Secretariat of the OIC-CERT, CyberSecurity Malaysia.

Deputy Minister of Home Affairs cum Acting Chairman of the National Security Council Pehin Datu Lailaraja Major General (Rtd) Dato Paduka Seri Haji Awang Halbi bin Haji Mohd Yussof officially opened the event in his capacity as guest of honour.

Carrying the theme ‘Emerging Risks Versus Opportunities,’ the conference was aimed at addressing the latest technologies in cyber security, such as cloud computing and big data.

Kicking off the proceedings, Shamsul Bahri bin Haji Kamis, the CEO of IT Protective Security Services (ITPSS) Sdn Bhd and BruCERT, delivered a welcoming address, in which he said, “In cyber security, there are a few misconceptions or misguidance that can lead to security breaches.”

Deputy Minister of Home Affairs Pehin Datu Lailaraja Major General (Rtd) Dato Paduka Seri Haji Awang Halbi bin Haji Mohd Yussof touring the exhibition. - SIM YH
Deputy Minister of Home Affairs Pehin Datu Lailaraja Major General (Rtd) Dato Paduka Seri Haji Awang Halbi bin Haji Mohd Yussof touring the exhibition. – SIM YH

One such example is the notion that “if I am just a small company or organisation, nobody would be interested in me”.

Refuting this, he said, “If you are part of the supply chains of bigger organisations or if you store users’ data, credentials or financials or sensitive information, then you are also liable to be targeted.”

“Size alone doesn’t determine the probability of breaches. It depends on how the organisation aligns its business processes to its risk management strategy,” he highlighted.

“Another notion is that companies or organisations are only responsible for their own security and would only be affected by the security issues generated by their own people, devices and networks,” he said. “This couldn’t be more wrong.”

“They are part of an ecosystem involving partners, suppliers, clients and, if you are government entities, citizens. If any of these is affected, others would also be affected down the line due to the interconnected nature and the evolving threat landscape they are operating in.”

On his third point, the CEO asserted that “cyber security is not just about technology,” nor is it just about “buying a specific hardware or software.”

“It is about corporate culture, education and awareness. Policies and frameworks must not just be formulated but they must be communicated to employees in a very effective manner,” he said.

“Dictating things that can or can’t be done might no longer be as effective as explaining what the actual risks or problems associated with certain actions are. Thus, very creative awareness or outreach programmes for all stakeholders should be designed and implemented.”

He went on to affirm that, as far as cyber breaches are concerned, an evolutionary process needs to take place in people’s or organisation’s mindsets, from thinking ‘it will never happen to me’ to realising ‘it might or will happen to me’.

Concluding his speech, the CEO highlighted, “It is heartening to see that there will be a lot of opportunities for real and meaningful collaboration beyond just the Memorandums of Understanding (MoUs) or mere intentions with various stakeholders.

“It is my hope that these opportunities can be converted to actual project executions either on a policy or operational level; involving mitigation or preventive work on cyber threats, cyber security or cybercrime,” he added.

The conference brought together more than 200 participants from 23 countries, 19 of which are OIC-CERT members, and saw various presentations from a number of invited speakers, all pertaining to various facets of technology and cyber security. The event also featured an exhibition displaying various cyber security-related technologies, companies and organisations.

A continuous initiative, the annual conference is held by the OIC-CERT to enhance cyber security and raise awareness through international cooperation among members and other information security organisations.

In addition to offering possible partnerships and collaboration pertaining to cyber security to maintain cyber space resiliency, the conference also provides an information sharing platform on cyber security issues, enhancement of members’ effectiveness and efficiency as well as a channel to discuss strategic directions and future challenges.

As Badar Ali-Al-Salehi, Chair of the OIC-CERT and Director-General of the Oman National CERT explained, “Cyber security has tremendous potential for economic development and has a great impact on national security.

“Both the public and private sectors need to comprehend the significance of cyber security, the challenges it brings, the gaps and impacts it has pertaining to political and economic spheres. They need to understand how to mitigate these challenges through government policy initiatives, public-private partnership and legal recourse.”

During a press conference, Shamsul Bahri yesterday spoke once more.

Responding to a question from the Bulletin, the ITPSS and BruCERT CEO said, “Looking at Brunei itself, the most common threat that we have been receiving thus far is identity theft, with regard to accounts being hijacked or being spoofed from social media, like Facebook, Twitter and all that, so we receive a lot of complaints with regard to these aspects.”

Speaking on Brunei’s capability to deal with cyber threats, he said, “Actually, it’s always a catching game for us. We have to always make sure we keep abreast of the developments. That’s number one, in terms of technology. And then number two – what the other side is also doing.

“In this aspect, we have been building up internally within ITPSS; we have been building up our capacity continuously for the last 10 years of our existence.

“We are also hoping that we can actually impart some of our programmes in terms of capacity building to the constituencies that we are currently serving, like the government and private sectors, especially those related to the critical national information infrastructure, like oil and gas, energy and also finance.

“This we will actually be doing in a phased manner within the next few years,” he said.

“And then, on top of that, we are also actively doing our public outreach programmes again to our constituencies and of course, more importantly, citizens, including those vulnerable groups like children and teenagers.”