Cyber Risk Challenges in the Middle of Pandemic Recovery in Indonesia
2020 was indeed a turning point in internet use for users all around the world. In Indonesia, there was an increase in the number of users reaching 73.7% of the population (APJII data per Q2-2020). The pandemic forces people to make more use of the internet in various aspects of life: socialization, shopping, earning a living, studying, and so on. On the other hand, cyberattacks are also increasing. The biggest case was the leakage of 91 million users of one giant online shopping site in Indonesia.
The 2020 Annual Cybersecurity Monitoring Report issued by BSSN this month uncovers a frightening fact: compared to 2019, there was an almost twofold increase in traffic anomalies that could be identified as cyber-attack attempts. This means that there are even greater cyber risks to be faced in 2021 to be managed properly.
Starting a risk management process with the identification of risks based on SNI ISO/IEC 27005. From the BSSN document, the increasing risk of cyber was identified as incidents that cause malfunction of electronic systems, loss of data, and damage to reputation, plus a new risk context with the Personal Data Protection Law waiting to be passed soon.
The document states that the anomalies with the highest number are Trojans, malware designed to enter the system undetected to then carry out data theft activities and even remotely control system damage. Not only were personal computers attacked, servers and even SCADA, industrial control systems, were also targeted.
The web defacement incident is also still a trend. Nearly 10 thousand cases occurred, with one-fifth of them occurring in the private sector. This incident, in a technical sense, did not damage the system much, but the reputation was at stake. We remember how a giant mobile operator that was hit by this incident in 2017, was a Public Relations Disaster for them.
Another form of attack is social engineering attacks in the form of phishing emails. This attack is very dangerous because it is easy and cheap to do, has a lot of targets for attacks and has a high success rate. Phishingbox.com data says three-quarters of organizations in the US failed to face this attack and nearly all incidents and data breaches, involving phishing methods. This attack peaked in March-April 2020 when the public was actively looking for Covid-19 information, which could happen again this year in connection with vaccinations.
The business risk from cyber incidents will be doubled when the PDP Law is passed. There are quite a lot of new risks identified: the risk of changes in business processes and organizational structure, additional legal and cybersecurity human resources, cybersecurity investment, legal risk, risk of fines, risk of jails, and so on. Not to mention that because of the very serious risk, it can become a weapon for competitors to bring down the company or even conduct a hostile take-over through cyber-attacks. The analysis and evaluation of all these risks will be unique depending on the conditions of each company.
Four risk treatment options can be taken: modification, acceptance, avoidance, and risk-sharing. The last option is quite attractive because it involves growing cyber insurance, however, the risk modification option is a lot of choices because it is more feasible to implement by increasing security capabilities.
In system security, the earliest thing to have is the ability to visibility against attacks. System monitoring and detection are very important, but the ability to analyze and correlate log information, alarms, and other notifications are critical in determining an incident. The proper incident handling process is the next critical point to ensure that the damage does not spread and can be controlled and returned to normal conditions. This process is carried out by the SOC unit, the Security Operations Centre.
The topic of SOC talents is so hot right now. The EC Council has launched a new CSA (Certificate SOC Analyst) certification that specifically prepares HR SOC levels 1, 2, and IRT (Incident Response Team) which complement other certifications: ECIH, CTIA, and CHFI. ECIH is for incident handlers and first responders, CTIA is for threat hunters that proactively find attacks before they become incidents, and CHFI is for investigators to find digital evidence needed for justice.
The SKKNI SOC is a national competency standard for SOC talents that are prepared by BSSN, other government agents, industry, academics, and the community has also been endorsed by the Minister of Manpower as a benchmark for making teaching materials tested in LSP under BNSP. SKKNI SOC is prepared based on the activity flow of Incident Management from SNI ISO/IEC 27035, divided into 20 competency units from strategy and planning, preparation of procedures and teams, operational monitoring, detection, analysis, to incident handling and recommendations for improvement. Each competency unit is equipped with a description, competency elements, performance criteria, variable limits, and assessment guidelines based on the KSA concept (knowledge, skill, attitude).
In many companies, the SOC is a critical unit to have against the growing trend of cyber-attacks. Some have even more advanced teams with Threat Hunting, Malware Analyst, and Digital Forensic capabilities. Setting up human resources for cybersecurity is time-consuming and expensive, but it is imperative in current conditions to mitigate cyber risk.
Satriyo Wibowo, S.T., MBA, M.H., IPM, CERG, CCISO, CBP, CSA is the secretary of the Indonesia Cyber Security Forum, the board of the Indonesian Digital Forensic Association, acting as an advisor for risk management and cybersecurity in several Ministries / Agencies and business organizations. His multi-disciplinary academic background ranging from engineering, business administration, and law with professional certifications in engineering, risk management, and information security governance, helps him understand a wide range of industries, particularly in the ICT, internet, and power sectors, from the perspective of wider. Also recorded as a member of the Committee and Formulating Team for the Cybersecurity Occupational Map and SKKNI SOC at BSSN. In 2019 it was invited by the US Government through the International Visitor Leadership Program to discuss the development and implementation of cybersecurity policies with 27 agency representatives in 13 cities in 7 States.