Cybersecurity Is Not a Job - Naga Cyber Defense

Cybersecurity is not my job.

Cybersecurity is not my concern.

Cybersecurity is not my responsibility!

How many times have you heard those words from co-workers, bosses, family or friends?

I love the ones that say Cybersecurity is not worth the expense. I’ve seen family fortunes stolen and businesses and universities go bankrupt because of this attitude. I’ve watched people at the cash register as they see credit and debit cards refused one by one, as they call their banks and check the mobile apps to see their balances are now zero.

I’ve had family call me to tell me that hackers have stolen 100s of thousands of USD from their life saving accounts, asking “What do we do now?” Some of these could have been prevented if the right personal security had been applied. In the case of my family, the business holding the funds was responsible because they did not have security done right and they had to repay the money stolen.

Here in Indonesia getting security right is easiest if you are in Jakarta and are a big business with a BIG network. You have more tools to apply that will work in Jakarta because they have better access to the world there. Though would you say Jakarta is really doing it any better than the rest of the nation? Unfortunately not all tools work here in Indonesia, most are VERY CLOUD managed and the time the cloud needs to respond is too long, so the hacker wins the race for control of the server or pc.

For Indonesia our tools must work best when the Internet is GONE, not the INTRANET of Indonesia, but that World Wide Web. As a member of Purple team, I was taught that the first way to take control of any business requires the blocking/managing of outside services. You must take ownership of the outside support services like DNS, VPN and access to all services providers that have any security responsibility such as Cloud EDR/XDR, Active Directory or a Managed Service Provider.

We built a company in Indonesia to make this type of attack nearly impossible and hoped businesses would see the need. What I didn’t take into account was that in Indonesia, just because there have been laws and regulations for Cybersecurity in place for decades, does not mean businesses are aware of them.

We keep getting told that Cybersecurity is not my job, concern or responsibility by Board Directors and Senior Officers across Indonesia. They say that “Cybersecurity is too expensive” even with us cutting costs from 50% to 90% below the best price from the vendors. While at the same time we are providing an adaptive security maturity service based solution covering the full gambit of International Best Practices and Standards as directed by Indonesian Law and Regulations.

This is not OUR RESPONSIBILITY, so this is still too expensive for us to undertake at this time is the reply. PDP is hopefully right around the corner but business avoids worrying or planning for it. Though the KOMINFO regulation #20/2016 for PII has been pushing 70% of PDP for 6 years. Most if not all Government agencies and major businesses do not have PII and Data Lost Prevent (DLP) guidance or protections in place today. If the protections as required by MOCI #20/2016 PII were deployed via Data Lost Protections (DLP) across the nation, the last two years worth of breaches would have been smaller and identified by the impacted parties as they happened as such reducing if not preventing the data losses from happening.

When we can get a business or agency to see the need to up their security game their usual reply very much worries me, “We DON’T have people qualified to support you in protecting us.” We explain our mentoring and support processes to grow their staff but that does not work for them. They want to hire the Indonesian Unicorn, a fully qualified and certified team of Cybersecurity Analysts with years of experience to work with us. Well that sale is postponed for years to come.

BSSN has in the last few years discussed in public presentations and whitepapers about the limited availability of full Cybersecurity training in Indonesia as well as the large gap in availability of staff members to perform these tasks. Even worse, we see a larger gap in the number of non-cyber persons that DON’T understand their Roles and Responsibilities to perform cybersecurity tasks on a daily basis as part of their normal job functions.

Cybersecurity in the 21st Century is as important as Clean Water was to the nation over a 100 years ago and today. Without a clean cyber data stream we are all impacted and poisoned on a daily basis. We almost all drink bottled water because the water around us is not fit to drink. Why do we assume the World Wide Web is clean to play in? We know that we can’t see the human malware in bad water even if it looks clean. Why we don’t understand that we can’t see computer malware either is so hard to remember for folks. We teach our kids not to drink dirty water, but we will let them out to play on the dirty internet everyday without protection.

Personal education on safe Internet usage and the impact of malware on both humans and computers living in the Internet needs to start as soon as we place a phone in our kids’ hands. From the day a business is born and until it is closed every person in the business should be trained on their role in protecting the business from Cyber Crime and the poisons throughout the Internet’s streams. Just like the watering holes of the past would poison a drinker, a watering hole on the internet can do the same to you.

Every PERSON in Indonesia has a Role in cybersecurity for Themselves, their family, their Businesses, and the Nation. Every department in a business has direct Responsibilities and/or Accountable actions / tasks related to cybersecurity to perform on a daily basis. Cybersecurity does not only belong to IT nor does IT have all of the accountability for the protection of the business. As an individual you are responsible for yourself, as a society / nation we are responsible for each other, as the nation and society is responsible to protect us individually and as a whole.

The ability for a business to perform these tasks successfully day in and day out without failure is defined as Security Maturity.

Are ALL your People, Processes and Technology aligned for the best return on investment?

Does Every Organization and Person within your business understand the reasons Why, What, When, Where and How Cybersecurity is to be performed?

Remember the WHO is always “ALL OF THEM’!

It is not a question of will you get a data breach, the question is does your business know how to Respond and if needed Recover from an event. You have 5 minutes to win it, can you?

NOTE: IF you think your last Pen Test defined the Security Maturity of your business. I’m sorry to be the one to inform you but you are incorrect. A Pen Test fits in your DEV/SEC/OPS workflow and should be a daily part of your business’s Constant Monitoring program, but sadly it has a limited impact on the true Maturity of your Cybersecurity program.

If you want the solutions to these problems in a timely manner and with the best Return on your Investment. Please contact us at Sales@nagacybersecurity.com or +628112652249 via WHATSAPP or SIGNAL or just call us directly.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_172707709_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookies Settings