Cherie: When you speak to customers today, what are their top security concerns?
Natasha: One of the top challenges is how challenging it is to enforce cybersecurity awareness among their employeescybersecurity awareness among their employees. We have to admit that humans are still one of the main targets for bad actors, which means that they need to be aware of various types of social engineering attacksvarious types of social engineering attacks, like phishing, baiting, tailgating, and scareware. These types of attacks can only be accomplished through human interactions because it leverages psychological manipulation. But here's the thing, enforcing more disciplined behavior means changing a company's culture, which will never be easy.
For some people who are not a part of IT Security or other IT-related departments, it's common for them to think that security is not my responsibility. Talk about how security teams have a hard job now! But knowing that humans are considered to be the most targeted for cyber attacks, this mindset needs to be changed. It is now the responsibility of all employees to protect their work assets and take part in preventing successful cyber attacks.
Another concern I notice is how companies are struggling to adopt a Secure Software Development Lifecycle (SSDLC)adopt a Secure Software Development Lifecycle (SSDLC) and finding a balance between security and innovation. A lot of our customers are tech companies composed of a big developer team. These are people that hold the keys to data security and application security posture. They need to know what they have to do and what controls need to be implemented.
Cherie: It is interesting that you talk about humans being the top security concern, versus any other new attack vector. A recent report that I read from the UK Information Commissioner’s Office (ICO) states that 90% of the cyber data breaches in 2019 were caused by human error. This is very much in line with Gartner's prediction around cloud security data breaches. With cloud security risks getting more spotlightcloud security risks getting more spotlight in recent years, how are your customers adapting to this?
Natasha: Without a doubt, cloud is a very viable attack vector today. We saw it last year with a major data breach where there was a misconfigured Web Application Firewall (WAF) deployed in the Amazon Web Services (AWS) cloud. Also, earlier this year there was another successful data leak of nearly 250 million customer recordssuccessful data leak of nearly 250 million customer records because of server misconfigurations. I think the challenge in cloud security also comes with how regulations and controls are always behind how fast cloud technologies evolve. If you look at things like financial transactions and data privacy around Personally Identifiable Information (PII)data privacy around Personally Identifiable Information (PII), these are common concerns in companies because of regulatory pressures.
On the other hand, a lot of newer companies use the public cloud but they have yet to find effective solutions to manage their risks in the cloud, for instance Distributed Denial-of-Service (DDos)Distributed Denial-of-Service (DDos) attacks and loss of data, which are both compliance issueswhich are both compliance issues.
For the most part, I notice that unless you have personally experienced a DDoS attack on your cloud environment or discovered an intrusion, it is unlikely for smaller organizations to invest in cloud-specific security solutions. What we often do in Indonesia are more holistic assessments of security posture, which includes cloud security risksholistic assessments of security posture, which includes cloud security risks. But I foresee that tailored cloud solutions like Cloud Security Posture Management (CSPM) and Cloud Access Security Broker (CASB) will begin to grow in popularity as organizations recognize how they make more financial sense.
Cherie: Definitely agree with that, having worked with many customers across the region. The trend I notice is that there will be an uptake in the solutions you mentioned. Organizations react based on their understanding of impact probability, to be able to implement the controls to mitigate the associated risks. And very often, regulations are what drive importance and priorities in terms of what gets resolved first. On the topic of regulatory compliance, can you speak to what organizations in Indonesia should take note of in 2020?
Natasha: As of today, there is no specific regulation which provides a comprehensive set of provisions to govern how companies should protect personal data in Indonesia. We know there are some other regulations popular here such as the Protection of Personal Data in Electronic Systems, issued by Indonesian Ministry of Communications and Information Technology and the Government Regulations regarding Implementation of Electronic Systems and Transactions. Some clauses in Financial Service Authority (OJK) Regulation No. 38 also cover the requirements to protect the customer’s personal data. OJK complianceOJK compliance is mandatory for financial service institutions.
However, those regulations only provide the general idea of personal data protection without specific guidelines.
The next big thing on the radar is the Data Protection Law. A draft was signed by the President in January 2020, but it is still in the process of being enacted by the end of 2020. This is the first cybersecurity-specific regulation in Indonesia which will affect all organizations that process the personal data of Indonesian citizens, including e-commerce, banking, and financial institutions.
Based on the publicly available information, the new law will cover:
- Definition of personal data
- Types of personal data (name, nationality, financial information, biometrics, political views etc.)
- Disposal of personal data
- Requirement to notify the data owner, Ministry of Communication and Informatics (MOCI), and regulatory body no later than 3 days after an incident
Perhaps what’s most important about all this is that non-compliance of these regulations. In the draft, it states that any organization found in breach of the Data Protection law may be subject to financial penalties of up to 70 billion rupiah or 7 years imprisonment.
Cherie: That is a very hefty penalty! My hands are sweaty just thinking about it. On a more serious note, there is a prevailing sentiment that compliance equals security, and non-compliance means you aren’t secure. What are your thoughts on that? Do you agree?
Natasha: I hear this all the time! But it is not 100% true. It’s a common misconception: “I must do everything here exactly or I am not secure”. But what being secure means is bringing the organization to a state of acceptable risk. And that differs from one company to another.
Regulatory requirements and guidelines come in many flavorsRegulatory requirements and guidelines come in many flavors, but generally they either try to guide strategy and policy with broad requirements, or they provide specific control guidelines.
Compliance to these requirements is actually a good start as it can bring you to a good baseline for your security standing. However, they are usually prescribed in a one size fits all approach. It is important to understand the context of your organization and your unique security priorities first. From there, you'll be able to address what you need to protect and how to prioritize the controls you need to implement.
This cannot be achieved by compliance alone, because it takes a comprehensive cybersecurity assessment to find the most effective and efficient controls tailored to what your organization needs.
Cherie: With that in mind, what do organizations need to efficiently deal with these compliance challenges? Does it make sense for them to outsource cyber compliance?
Natasha: Organizations need to be crystal clear about their requirements and know what they need and don't need. Like I said above, not every compliance requirement makes sense. Trying to blindly adhere to a certain framework is inefficient. Having said that, we know that some organizations must comply with certain mandatory regulations. For instance, banking and financial institutions need to comply with OJK and Bank Indonesia regulations. To achieve a higher maturity level, we recommend that companies undergo gap and cyber risk assessments, whether internally or with the help of a third party.
It is a common dilemma for organizations to choose between keeping compliance functions in house or outsourcing such tasks. Most organizations outsource their compliance functions because they wish to gain additional assurance on the compliance process, address a lack of in-house compliance skills, and save money. Outsourcing could also help the organization to avoid disruptions caused by relying on several key personnel who could leave anytime.
Cherie: It seems to me like there are many benefits of outsourcing compliance to a third party. If a company were considering that, what are some of the criteria you’d recommend they look out for in a vendor?
Natasha: If I may elaborate, the vendor must be customer-oriented and be familiar with the relevant frameworks and regulations — proven by certifications. It is definitely a plus if the vendor has experience serving other companies in the same sector.
Cherie: I’m suspiciously hearing that you’re saying companies should outsource their compliance program to Horangi...
Natasha: That is the freedom of the audience to interpret! But since you mentioned that, let me add that as part of our strategic services, Horangi helps our customers demonstrate compliance with the most recognized regulations and frameworks according to their industry. I am personally involved with customers that need to comply with OJK regulations, SOC 2, and PCI DSS. We also perform assessments based on NIST and ISO 27001.
We also know that it is challenging to keep up with the continuing regulatory changes, that's why outsourcing compliance may be convenient for organizations.
Having said that, outsourcing compliance does not invalidate the need for in-house staff to be aware of the importance of compliance and the legal requirements for their role and to implement the right controls on a daily basis. Because even though certain activities can be outsourced, the organizations need to retain the skills to manage those activities in-house.
Cherie: I fully agree! I’m going to circle back to your original statement that security needs to be everyone’s responsibility. That is no different with compliance. Everyone plays a part in it. Well I think that wraps up our podcast nicely today. Before we close, do you have any final words for the audience?
Natasha: The fast-moving world of technology brings opportunities to both businesses and attackersbrings opportunities to both businesses and attackers. We need to recognize that the sophistication and variety of cyber attacks will continue to grow rapidly. For a free solution with big impact, organizations and individuals should keep up with the latest trends and effective ways to deal with these attacks.
If governments want to build a good security baseline, data protection regulations such as the General Data Protection Regulation (GDPR) in the EU and now the Data Protection Law in Indonesia are definitely the way forward.
As we get through the COVID-19 pandemic together, I feel that there’s no better time than now to be prepared and improve your cybersecurity posture. Start implementing controls to close any security gaps you are aware of and ensure that your organizations are well-equipped to face cybersecurity challenges and embrace the opportunities to grow.
Cherie: Thank you Natasha! I believe that has been super useful for our audience. I want to thank you again for sharing your insights and unique views on the regulatory compliance landscape in Indonesia!
