As mobile services become more app-centric, we need to rethink traditional security architectures to address the areas of greatest vulnerability: apps (including APIs) and users.
In 2009, technology columnist David Pogue said that newer smartphones could be nicknamed “app phones”, as mass distribution of apps was made possible through marketplaces like Google Play and Apple’s App Store. This has revolutionized our world in ways we could not have expected, heralding an applications-driven ecosystem. This revolution, coupled with the ubiquity of mobile devices, has dramatically changed the way applications are designed, delivered and managed. ‘Mobile first’ is now the norm for interaction-centric applications.
Today, apps are at the heart of every engagement and innovation. For many organizations, apps have become the primary means for delivering services and products, and in some cases apps are the products. As Asia continues to be the leader of global growth, we dominate the apps world, with the average smartphone user using at least six apps daily. Apps are undoubtedly transforming business models, operations, and engagements. Speed, UX design intelligence, and security are key to shaping the user experience and, in many cases, the ultimate digital experience an organization offers its clients and employees, which is now a critical success factor for any organization.
Apps also exemplify ‘immediate gratification’, a popular phrase associated with the digital economy.
The evolving user experience has conditioned us to expect what we want, in the moment we want it. Research has shown that 29% of smartphone users will immediately switch to another site or app if it does not satisfy their needs (that is, they cannot find information, it is too slow, or it is seen as insecure).
This evolution of apps has therefore created a new set of challenges as businesses rely on an ever-increasing number of apps across complex infrastructures to meet rising customer expectations. This also provides malicious actors with a source of new vectors to mount attacks.
In 2018, the smartest companies will operate in an app-centric way and build services with the balance of speed and security at the heart of their customers’ experience. Businesses will need to think about where to deploy their apps, who needs access, what they want to do with them, and how they are going to deliver (and secure) them.
Apps increase surface area for cyber attacks
Apps today are exploding in use and quantity, crossing boundaries between personal and professional, mobile and desktop, the data center and cloud—a small mistake can be extremely costly. Just recently, a simple coding error resulted in 180 million smartphone owners being at risk of having their private data stolen.
Today, the cybersecurity challenge is daunting: organizations face a decrease in visibility, context and control, and an increase in surface area for cyber criminals to mount attacks. In fact, the Asia Pacific region still faces strong cyber concerns surrounding the likelihood and impact of technological threats, with cyber-attacks ranked among the top five risks of doing business in the region. Australia, Japan, Malaysia, New Zealand and Singapore have also ranked cyber-attacks as a top three risk of highest concern.
The main culprit: lack of transparency in the region. As in other parts of the world, when a data breach happens, most companies in the region will try to contain the situation internally. There are no legal requirements in, for example, Hong Kong to report the incident to the authorities, which weakens enforcement of cyber regulations and lowers cybersecurity situational awareness. Research has also shown that Asian firms take 1.7 times longer than the global median to discover a breach.
That said, with so many high-profile cybersecurity incidents reported in the news that have cost organizations dearly in terms of reputation and financial loss, cybersecurity is on almost all major enterprises’ C-suite agendas. It has transformed from an IT problem to a strategic business issue. Unfortunately, the lack of security expertise in many of these organizations makes it difficult to develop an effective battle plan against cyber attacks, including the required security culture and practices. For example, the bulk of the current security investment made by most organizations is still network-centric, and the network is not the area of greatest vulnerability.
It is time to rethink traditional security architectures to begin addressing the areas of greatest vulnerability: apps (including related technologies such as APIs) and users. Defending the perimeter of the network is no longer sufficient as computing and innovations are growing at the edge, and businesses have to shift towards a proactive approach of prediction, detection, and response. Besides that, there should be a return internally to “Security Rule Zero: Thou Shalt Not Trust User Input”.
While many of us know that the biggest cybersecurity threats lie within one’s organization, they do not arise in the ways one would typically expect. According to a worldwide survey by Information Security Forum (ISF) members, the vast majority of network openings that allow cyber attackers in are accidentally created by employees – those with no intentions of harming their employer. Business email compromise scams are growing rapidly and have resulted in a cumulative loss of $3.1 billion since January 2015, with reports indicating that a majority of the fraudulent transfers go to Asian banks in China and Hong Kong. It is now more crucial than ever to cultivate the required security culture within organizations.
Educating employees on cybersecurity do’s and don’ts – whether it is working on confidential documents on a secured network or checking on the validity of an email from someone outside the organization – can go a long way to creating a security-first culture and ultimately, protecting the organization from financial and reputational losses.
This is especially important as governments in the region are increasingly recognizing the importance of having guidelines around a safe cybersecurity system in the fight against cyber risk. As apps continue to evolve across Asia-Pacific, governments across the region are piling new compliance laws onto existing ones – from Singapore’s planned Cybersecurity Bill to Hong Kong’s Cybersecurity Fortification Initiative and the EU’s enforcement of the General Data Protection Regulation in May this year.
Everyone has a role
Cyber resilience involves all employees and it is important that they understand the importance of data protection and the role they play in their organization’s cybersecurity strategy.
This brings us to the need for education.
As companies in Asia continue to innovate and evolve to stay relevant and engaged in this competitive landscape, security skill sets remain scarce. According to F5’s State of Application Delivery (SOAD) 2017 report, 77% of Asia-Pacific respondents felt that their organization’s security posture was negatively impacted by a shortage of skilled and/or qualified app developers.
Furthermore, a 2016 study by Robert Half found that more than 82% of Hong Kong CIOs anticipated more cybersecurity threats in the next five years due to a shortage of skilled IT security professionals. This exceeds the average of 78% globally, and can be attributed to the fact that the industry will require adaptive skills as cybersecurity evolves in areas such as data classes and data governance.
There is no crystal ball to peer into, but it is clear that Asia’s advancement in application delivery is here to stay. As we head into 2018, it is not just about having the right technology to elevate and secure the end-user experience, but also about building the right culture in organizations – to go faster, safer, and smarter.