A pragmatic approach to cyber security is the most effective method of combating a host of new threats targeting companies’ online systems and data, according to a collection of ethical hackers and professionals from the IT security industry, who shared their views at a recent forum on online security.

This strategy was strongly endorsed by John Keells Executive Vice President and CIO Ramesh Shanmuganathan, the Chief Guest at the 2nd Ethical Hackers Forum organised by CICRA Holdings last Friday at Olympic House.

Shanmuganathan advised the forum’s participants to adhere to sensible and workable policies when drafting security measures against online risks, and to avoid over-engineering their threat response.

“I always start from the point that 100% security is a fallacy. The only way you can enforce security is by being pragmatic and asking yourself ‘what am I trying to defend?’ and ‘against whom?’ It has been shown that 80% of threats originate internally and not from external sources. I can have firewalls everywhere, but an employee can bring in his smartphone and do anything.

“So then the challenge becomes how do we approach this? Our first line of defence is policy and procedure. Our second line of defence is identifying our information assets because we need to know what we are protecting,” Shanmuganathan, who was also a panellist at the event, said during his opening address.

This topic was also carried forward into the panel discussion, which was chaired by Akati Consulting CEO and CICRA Master Trainer Krishna Rajagopal and, in addition to Shanmuganathan, featured CICRA alumni Vikum Thebuwana, Heshantha Fernando and Sandamali Silva.

Rajagopal deepened discussion on the actions corporate entities could adopt to prevent or protect themselves against new cyber threats, by highlighting current UK IT security opinion which rates “cyber threats as the biggest security threats, higher even than terrorism.”

Overall, the panellists echoed Shanmuganathan’s stance on instituting realistic counter-measures. They also emphasised the need to generate proper awareness among the end-users of IT systems such as staff within a particular business establishment and its clients or customers.

Addressing this issue from a financial institution perspective, Silva, who is a Compliance and Security Specialist at Synapsys, a subsidiary of DFCC Bank, stressed that it was important to share information about attacks in the finance sector to guard against fresh attacks.

“Normally we have to be proactive and have a separate team to monitor all online functionality. Every bank has a separate IT security team, so we have to work together. There need to be several proactive measures in place, and they always have to be up to date.

“We also develop a lot of controls within the bank (DFCC). Many foreign customers handle accounts through emails so all bank branches have controls in place. There is definitely room for improvement though, especially by creating awareness and knowledge about cyber threats. Most staff members don’t have proper knowledge about such risks so we always send them emails informing them about certain risks. We also create awareness among our customers,” she said.

Another of the panel’s members, Versata Inc. Network Security Engineer Heshantha Fernando, said there was an urgent need for data centres to do more to ensure that corporate entities remain well-protected.

“We have to put forward a concerted effort to make sure that we are playing a major role in providing security. It’s high time that data centre service providers stepped away from just playing the role of landlord, where they rent out their server space to tenants and then let the tenants play with their hardware. We have to at least construct policy and guidelines that define what they can and cannot do with the rented space,” he asserted.

Tackling the topic of maintaining online security while implementing ISO quality management systems within an organisation, Softlogic Finance Information Security Analyst Vikum Thebuwana explained that it was foolhardy to senselessly adopt such standards merely to match industry competitors without properly understanding the problems and risks associated with doing so.

The panellists also fielded questions from the many ethical hackers and IT industry experts within the audience, further enlivening conversation about an adequate response to new and growing technological threats.

Summarising the progress and importance of the Ethical Hackers Forum, CICRA Holdings Director and CEO Boshan Dayaratna said: “The number of people I see here today is a great achievement for all of us at this forum. This is an initiative to provide an interactive space for young ethical hackers to share their knowledge and experience, and we hope that we will ultimately create a secure cyber security domain in Sri Lanka.”