Cyber security is top of mind for most IT executives today. But are enterprises ready for emerging threats? Don Liew, security director of AT&T Asia Pacific, is in Hong Kong to address the 2016 AT&T Asia Pacific Cyber Security Conference. We asked him how corporations can help protect themselves as threats escalate.

AT&T: Don, how are the threats to multinationals changing?

Don: Constant cyber attacks are the new normal.

Internet of Things (IoT) deployments are spiking. More companies are using Software-as-a-Service (SaaS) apps that let employees access business tools in the cloud via their own mobile phones and tablets.

Each IoT deployment adds another end-point. Each SaaS device is another potential vulnerability. This amplifies the number of access points hackers can exploit to attack critical business apps and services.

AT&T has seen a 62% increase in distributed denial of service (DDoS) attacks across our global network over the past 2 years. And we’ve seen a 458% increase in IoT vulnerability scans.

AT&T: Do you mean that attacks are now almost inevitable?

Don:  Yes. Every business today has experienced an attack or will in the future.

These attacks are not only pervasive, but also evolving. We’re seeing more malware, more ransomware and more frequent targeted attacks against corporate sites. Every business, large and small, in every industry faces tremendous security challenges.

If you’re in business, expect to be attacked.

The only sensible course of action is to prepare for this eventuality. Be ready to help detect and respond to breaches when they occur.

AT&T: What strategy do you recommend?

Don: A traditional perimeter approach to security is no longer enough. We can’t just rely on passwords to safeguard access to business-critical infrastructure and services.

Strong security happens on 3 fronts – the user, the app and the cloud. 

  1. Authorize users through 2-factor authentication (2FA). This demands 2 means of identification from users. This can be a physical token, such as a one-off device-specific code, plus a password and username. 2FA helps guard against weak passwords, stolen devices and even brute force attacks. It can now be rapidly deployed as a service in the cloud.
  2. Protect critical web apps via a web application firewall. This allows “virtual patching” to help protect against known threats without shutting down the servers. You’ll also need a separate anti-DDoS solution to help detect and re-route malicious DDoS traffic to let legitimate traffic to reach your network.
  3. Boost cloud security. To help protect cloud infrastructure, you need multiple layers of security across devices, apps, networks and platforms. Make sure every link to cloud storage is over a highly secure and managed network. Many companies now use a VPN to achieve this, since it is a way to get cloud traffic off the public Internet and help  reduce exposure to security risks.

AT&T: What’s the one thing you tell people they must do first, before anything else?

Don: It’s vital that companies take security seriously.

Make security a C-suite issue. Compel your executives to always consider it and mobilize resources accordingly. Educate everyone in the organization so they know security is their responsibility.

Think of it this way. Every employee and executive is part of the security team.