The New Frontier of Trust and Cybersecurity Challenges
While the traditional concept of trust had revolved around a trusted authority, the world is now shifting towards a default of not trusting anyone, notes Prof Lam Kwok-Yan, Associate Vice President (Strategy and Partnerships), Nanyang Technological University.
Prof Lam made this observation as the moderator of a discussion at the invite-only CXO Plenary at the annual GovWare 2023. “When we no longer have a trusted third party, then how do we establish trust? How do we trust someone that we have never met before?” he asked.
Trust was a recurrent topic at this year’s conference with the theme of “Fostering Trust Through Collaboration in the New Digital Reality”. A record 12,000 global cybersecurity practitioners, policymakers, and organisational leaders from some 80 countries came and engaged in three days of meetings, mutual discussions, and learning.
The panel discussion on “Transformation, Technology, and the Age of Trust: Unraveling the Gordian Knot to a Shared Digital Future” at the CXO Plenary. From left to right: Prof Lam Kwok-Yan of Nanyang Technological University, Goh Wei Boon of Government Technology Agency of Singapore, Jonathan Chow of the Centre for Strategic Infocomm Technologies (CSIT), Dr Alexander Schellong of Schwarz Group and Stanley Tsang of Cyber Security Agency of Singapore.
Trust and the evolving digital reality
For Jonathan Chow, Group Director (Information Security) at the Centre for Strategic Infocomm Technologies (CSIT), trust is something that must be established through validation.
“We trained our engineers as specialists to go deep into the tech, peel down the layers of code, and pull up the messages sent to the network,” he said. “From there, we try to understand the underlying technology. When we understand what powers the technology, the software it runs, and know what we are exposing ourselves to, then only can we build on that trust.”
Building trust takes effort, but abusing it is frightfully easy. Citing the surge of smartphone malware-related scams happening in Singapore, a member of the audience noted that scammers are effectively compromising processes and abusing the misplaced trust of their victims, as opposed to foiling the technology outright. Perhaps a rethink of business logic is in order?
In response, Chow noted that scammers are exploiting victims through social engineering and “two, sometimes three, very specific steps” must be taken before victims are compromised. So how might it be addressed? Chow said: “It could be through educating the user. In the case of standards, it's very much about hardening your network, your systems, having defences in them and [implementing] all the other principles of cybersecurity.”
Of course, the constantly evolving digital reality doesn’t make trust any easier to resolve. Prof Lam cited the Internet of Things (IoT) as an example: “When you use IoT devices deployed in public, the traditional notion of perimeter doesn't exist anymore. And the concept of a trusted network within the parameter doesn't exist. So that's one thing that has shaken our traditional way of designing security.”
(From left to right) Ian Monteiro of Image Engine, Paul Lek of MSD, Leonard Ong of Synapxe, Clar Rosso of ISC2, and Yong Yih Ming of Mount Elizabeth Hospital on a keynote panel titled "Balance and Realities in Forging Digital Trust for Critical Infrastructure" at GovWare 2023.
Finding the right balance
From the viewpoint of critical infrastructure, in this case a hospital, Yong Yih Ming, Chief Executive Officer of Mount Elizabeth Hospital, noted that computers were not even part of hospital operations a couple of decades ago. Speaking at a keynote panel discussion titled “Balance and Realities in Forging Digital Trust for Critical Infrastructure”, Yong acknowledged how indispensable computers are today and the need to address the inherent risks of digital systems.
“Computers add to the risk. And the multiplier effect is there: If you have 100 or 200 doctors – that's 100, 200 points of IT risks, one for every individual accessing patient information. And a hospital that gets into trouble from a cybersecurity point of view today would find itself unable to take care of its patients,” he said.
Leonard Ong, Director, Cyber Defense Group - Policy, Risk Management & Capability Development at Synapxe, shared a question that is often posed to him and his team: Why do you need cybersecurity in the healthcare sector?
But cybersecurity is not about foisting new systems or processes on everyone in the organisation, says Ong. “You have cybersecurity at the top, but we also need to ensure efficient clinical workflow; we cannot inhibit healthcare workers from doing their work.”
Panellists were unanimous that organisations must find the right balance when it comes to investing in cybersecurity. Ong said: “Healthcare cost is increasing. And all this additional protection to secure the system will further increase the cost. How do we ensure that we deliver the best healthcare while keeping the security in place?”
Not an option but an imperative
While nobody denies the importance of cybersecurity today, Clar Rosso, Chief Executive Officer of ISC2, observed that businesses continue to relegate cybersecurity to the backseat when push comes to shove. She shared the details of a recent ISC2 study to illustrate her point.
“87% of business leaders tell us that during a time of economic uncertainty, the last thing they are going to cut in their budget would be anyone on the cyber team. We do our workforce studies six months later; we are told that 45% of all cyber professionals have experienced cuts in their organisations and that almost 50% are anticipating cuts in the coming year.”
And such decisions have an impact on cyber preparedness, according to Rosso. “79% of healthcare organisations say the threat landscape in cyber is the most challenging they have seen in the past five years. 74% say they don't have enough people to help with this. And 54% say they are not equipped with people or resources for a cyber incident.”
“We say cyber is important, but we don't follow through. We have a good reason, maybe. But with 54% saying they are not prepared to respond, I believe it is an indicator of significant risk and a need for change in the healthcare industry,” she said.
For Yong of Mount Elizabeth Hospital, however, there is no other way but to invest in cybersecurity. “We have no choice but to invest in cybersecurity. If we only have 100% of the budget per year, we just have to agree how many per cent of that is now part of the operational implementation that includes cybersecurity.”
“It’s important to recognise that healthcare is no longer what it was. It now includes cybersecurity, and healthcare operators must make sure that it is included in how we run operations on the ground,” he summed up.