The Innovation and Technology Committee of The Sri Lanka Institute of Directors (SLID) organized a timely webinar titled ‘Cyber security: What Company Boards Should Know’ for its members recently to enhance their knowledge on cyber security, a threat that is targeting businesses in an increasingly online world.
Nuwan Perera, Chairman of the SLID Committee for Innovation and Technology, introduced the keynote speaker, Madu Ratnayake, as a top professional with deep expertise in digital transformation, cyber security and building high performing global teams in high tech and financial services companies. Ratnayake is Chairman & Co-Founder of Scybers, a global cyber security consulting and managed services company, a Board member of SLCert, formerly at Virtusa, an Independent Director of HNB, and a former Chairman of SLASSCOM.
In his keynote, Madu Ratnayake said that digital adoption is accelerating due to COVID and that there is a significant number of digital services in the market, since most companies are taking their businesses digital, and that these services are accessed by more and more people.
“If one looks at the threat landscape in the data breach space, there is a significant increase in cyberattacks. It is not unique to a few companies; it is happening across the board in various forms.
Cybercriminals are getting more advanced using tools such as AI to carry out their attacks, and hacking has become an industry or business by itself with companies providing various attack services including Ransomware-as-a-Service with increasing rewards.
Add to this a severe shortage of skills in cybersecurity and technology estimated at 1.8 m vacancies, it’s a perfect storm into which you are launching in a paper boat. It is in this context that you as a Board member and business leader should look at this situation and make sure you navigate the storm and safeguard your business with what is available”.
He said, “It takes on average 287 days to identify and contain a data breach, with almost 90 percent of the attacks happening due to lapses in basic cyber hygiene, and companies become victims of ‘keeping their backdoor open’ by not patching their infrastructure, fixing vulnerabilities etc.
In relation to targeted attacks, which can be organized crime or nation-state, nothing much can be done to defend. In such a situation, your strategy should be to limit the impact. A data breach or attack will occur at some point in time”.
Providing a framework to drive the conversation at the Board level, he said that cybersecurity is the protection of confidentiality, integrity, and availability of data, and the safest way to look at cybersecurity as a Board member is to treat it as a risk no different from any other business, technological or financial risk.
To reduce the likelihood of a cyberattack, you need to avoid being a target of opportunity by understanding what you need to protect, implementing good cyber hygiene, and adopting the right security architecture comprising people, principals, and platforms.
To reduce impact, you need to assume a breach and build resilience through measures such as encrypting your data and keeping data backups that are tested often. To reduce exposure, you need to reduce the blast radius by building capabilities to detect and act fast, and consider insurance.
“The conversation should also consider balancing the investments in the defense and resilience and needs to be addressed in the discussions with your CISO and security team. In today’s context of WFH, cloud infrastructure, use of SaaS systems, modern cyber protection methodologies such as zero-trust, 2FA architectures are preferred against the older castle-and-moat security implementations which are no longer a working model,” he added.