KBKAST
Episode 306 Deep Dive: Reuben Koh | How to Defend Against Cyberattacks on Networks and Systems
First Aired: May 07, 2025

In this episode, we sit down with Reuben Koh, Director of Security Strategy APJ at Akamai, as he explores the rapidly evolving landscape of cyber threats and strategies for defense. Reuben sheds light on the significant rise in sophisticated ransomware attacks, the increased targeting of industries like healthcare and finance, and the shifting tactics of threat actors, including data theft and extortion without encryption. He also highlights the surge of hacktivism linked to geopolitical events, the growing role of AI both as a weapon for attackers and a tool for defenders, and the challenges organizations face in balancing fast-paced innovation with cybersecurity preparedness.

Reuben Koh is a Director of Security Technology & Strategy at Akamai Technologies where he provides deep thought leadership and advisory in helping clients align security strategies with their core business initiatives and digital transformation processes.

He also works with Fortune 1000 enterprises and business partners across Asia Pacific & Japan in providing cybersecurity guidance and expertise, especially in domains such as Web Security, Zero Trust, SASE, XDR, network security and Security Operations.

With close to 20 years of experience in cyber security, Reuben previously held prominent leadership roles with industry leaders such as Symantec, CA Technologies, VMware and Cisco Systems. Reuben also holds various industry certifications such as CISSP, CISA, CISM and ITIL.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Reuben Koh [00:00:00]:
So the question here is, can you contain a breach and keep it to a minimum that you can recover from it quickly? And that’s the whole ideology behind resilience. So once we shift the mentality to one that drives cyber resilience, naturally, the fear of not being able to hit or get the % prevention benchmark is gonna fade away.

KB [00:00:36]:
Joining me today is Reuben Koh, director security strategy APJ from Akamai. And today, we’re discussing how to defend against cyber attacks on networks and systems. So Reuben, thanks for joining and welcome.

Reuben Koh [00:00:53]:
Thank you for having me, Karissa. Very nice to be here and very excited to share as well.

KB [00:00:59]:
So, Reuben, in your words, give us a little bit of a lay of the land. How do you sort of how do you see it when it comes to, you know, defending against cyberattacks on networks and systems?

Reuben Koh [00:01:10]:
Yeah. That’s a that’s a very common yet interesting question at the same time. So if we look at what happened in the past year in 2024, we saw that the cybersecurity landscape had been incredibly dynamic with attackers constantly evolving their tactics, with law enforcement stepping up their efforts to contain and control cybercrime activities, and also an increase in victims and, you know, more sophisticated attacks like ransomware. And all those have been just part and parcel of a very, very fast moving or fast changing landscape in cybersecurity. So for example, what we observed last year was ransomware basically escalated throughout the year. And I know Australia had quite a few companies that were hit hard last year with regards to ransomware. And we believe that ransomware continues to remain a threat, a very big threat in 2025 this year as well because we’re we’re basically looking at a shift in both techniques as well as players as in the ransomware groups. Even after multiple law enforcement takedowns, as well as improvements in data recovery mode or rather data recovery made by traditional ransomware less effective, We’re still seeing victims falling to that and even paying the ransoms.

Reuben Koh [00:02:29]:
And that’s really happening even right now. The real issue for that is because ransomware techniques have kind of shifted a little bit. So in the, in the past, we, you know, as a ransomware attack, we know that it’s gonna find our data, lock it up, and then basically ask us to pay amount, a certain amount of money before they unlock it or so they say. But what we’re looking at right now is because of all these efforts by law enforcement and organizations becoming more savvy on dealing with data backup and recovery, we’re seeing players moving into different technique where they only act to trade or they only steal data. They don’t exactly encrypt it anymore because there’s really no point. And when these attacks occur, it really hurt certain industries like health care and finance because data exposure for these two industries is, you know, the cost is phenomenal because you you’ve got electronic medical records that’s, you know, going on a dark web for sale. You’ve got customer financial information being exposed, attracting fines, regulatory violations, and so on. And more importantly for the victims, it’s really hard to ascertain if data has been stolen.

Reuben Koh [00:03:31]:
It’s easier to know if data has been encrypted because, well, you can’t access it anymore. But if it is stolen or copied out, it’s harder to tell. And we’ve also seen attackers ransomware attackers publishing old or partial data claiming that they have successfully stolen everything. So some of those might be true, but most of them are false. They just you know, we realize that most of these are just trying to take an easy way out. And more importantly, ransomware attackers has also been threatening victims with DDoS attacks or denial of service attacks or data leakage if they don’t pay by a certain date. So we call these are commonly known as, you know, triple ransomware or double ransomware attacks on top of the initial encryption threat. So that’s on the, you know, the fast evolving advanced attack, which is ransomware.

Reuben Koh [00:04:22]:
Another observation that we had was we saw hacktivism in 2024 actually rose by quite a fair bit. So hacktivism in the past were usually associated with small little unknown groups that were really trying out or rather coming out and trying to make a point and make themselves kind of noticed by the world. But in ’24, that kinda shifted a little bit because we started to see hacktivist groups that are now associated with nation states or a political cause before launching attacks against victims that had been, I don’t know, probably handpicked or selected, because of certain things they said or certain things they have done or certain statements they’ve made. And that has been quite a few that’s going on, especially in Asia Pacific. So because of that, we’re seeing the intensity and the targets of these hacktivist attacks starting to shift as well because they’re no longer random. They’re kind of, you know, carefully pruned. And most of the time, they’re actually related to specific geopolitical events happening either across the region or across the world. And I’ll leave with the very last bit in terms of our observation.

Reuben Koh [00:05:34]:
And and I think this is something that everyone is thinking and talking about, which is AI attacks or AI powered attacks. So I think social engineering like phishing attempts remain highly a highly effective vector for the bad guys because it still works. The only thing that is different right now is people are no longer falling victims to phishing emails, asking you to transfer money to a Nigerian prince, something like that. Those are not happening anymore. But instead we’re looking at AI infused phishing attempts where, you know, voice synthesis or synthesized voice has been used in voice phishing. We’re seeing facial synthesis has been used in deep fake videos or AI generated contents to really make those phishing attempts a lot more convincing as well as sophisticated. Conversely, at the same time, AI is also actively being incorporated at breakneck speed by multiple industries into security technologies that are usually used to enhance threat detection, find anomalies, automate incident response with the ultimate goal of making security teams more effective as well as more efficient because they’re actually staring down a relentless barrage of, you know, attacks, whether it’s conventional or AI powered, or hacktivist groups that can just appear at random. You know? So they have a lot to deal with.

Reuben Koh [00:06:55]:
And basically, they are rushing to embrace AI to help them out, hoping that it will actually alleviate some of these symptoms. So hopefully, that that’s able to answer the question, Karissa.

KB [00:07:07]:
No. That’s awesome. That’s a lot and a lot going on as well. And you’re right in terms of, reduction in the Nigerian prince, but how, you know, AI infused attacks are sort of coming into the coal face now that we’re seeing. And, you know, part of the other people I’ve interviewed as well are saying that’s obviously a a massive focus. So in saying that, I wanna go back for a moment on ransomware. And I know it’s can be hard, and people are always gonna say you don’t pay the ransom. But speaking of people on the show historically, they’ve just said sometimes people just like, as in security people have actually advised them to pay it because they had no backup or it’s too hard.

KB [00:07:46]:
They need to get up and running because they’re a manufacturing company. The more downtime that you have, it really impacts them from a financial perspective and risk to their to their business as well in terms of, like, media and PR damage and all that type of stuff. So where does that sort of sit with you with your experience?

Reuben Koh [00:08:02]:
Right. That’s that’s always a constant debate going around whether should we pay or should we not pay the ransom. So I think it it really comes from different you know, it depends on where you’re looking at at this this issue. So for example, if, you know, I’ve come across large enterprises that, you know, they are more financially stable, financially capable. They usually have a higher threshold of risk tolerance. So in other words, they are I would I would’ve used the word willing, but they are, you know, more able to write off a certain amount of, I guess, money related to a cyber security incident because they have a bigger risk appetite that’s able to absorb that. And at the same time, usually large enterprises, they have and can can afford pretty comprehensive cyber insurance as well, which, you know, kind of provides them with some kind of remuneration, I guess. And, you know, there are end large enterprises I’ve come across that are, you know, they’re willing to pay the ransom because they did, I guess, they did some kind of calculation in terms of how much is it gonna cost us if we, you know, pay the regulatory fine versus recovering our data versus rebuilding the network versus all the, you know, all the fallout that we’re gonna clean up compared to paying the ransom.

Reuben Koh [00:09:22]:
So I’ve seen enterprises that are pretty hefty actually paying that because they did some math in the background, I guess, that actually gave them the impression that, well, if we pay the ransom and this problem goes away, it actually makes more sense financially and operationally. So there are enterprises that are still paying ransom, unfortunately, even though that, you know, the best practice is not to do so. And that’s for large enterprises. When we flip the coin to the other side, when we look at smaller or medium sized enterprises, they have an even bigger problem because they don’t have that large financial capacity as compared to a big enterprise. They usually can’t afford a very comprehensive cyber insurance. And more importantly, they can’t afford downtime because, you know, a lot of these small organizations, their entire livelihood of the business depends on them being online and being operational at all times. So I think this this kind of comes to a to a juncture where to some of those small business owners or medium sized business owners, they just pay the ransom and, you know, get it done with so that they can move on. And, you know, because of these, we’re seeing quite a large difference between industries, between size of companies, between the verticals they’re in, between what is considered as core critical to their business, it really varies.

Reuben Koh [00:10:42]:
But at the same time, right, even though that is the reality, what we’ve also found out, you know, from working with law enforcement agencies, for example, I’ll give you a very good example is when when the LockBit ransomware group was taken down by a global coordinated asset sometime last year. One of the most interesting things they found as in the law enforcement agencies was that for those victims that actually paid LockBit to decrypt and delete the data that they’ve stolen, they actually didn’t. So what they actually found was that all the data that LockBit has promised or had promised to delete away after the the ransom was paid wasn’t. So it was still kind of stored somewhere, stashed away in some vault. We’re not really sure for what reason could be reused again maybe on some other days. But what we’re seeing is that, you know, it’s it’s one thing to pay the ransom, but you’re also trusting the crook to keep his or her promise that they have delivered to you. And it’s, you know, it’s kind of a risky position. So this is basically two sides of the fence we’re looking at.

Reuben Koh [00:11:51]:
So one side, we’re seeing enterprises try to keep the faith that by paying, you know, the ransomware groups are gonna keep the promise and they will get the data back or the data deleted and business can go on. And on the other side of the fence, we’re seeing ransomware groups, you know, doing the complete opposite, even selling the data to other cyber criminals for them to, you know, reexport the same victim over and over again. So, again, from an industry perspective, I think it it kinda varies quite a bit. That is the kind of reality that we’re seeing at right now.

KB [00:12:21]:
So I wanna shift gears now slightly, and I’m aware that Akamai has developed a defender’s guide for 2025. So maybe tell us a little bit more what’s in the guide because I don’t wanna sort of ask you a few a few more follow on questions.

Reuben Koh [00:12:36]:
Yeah. So we’ve recently published actually, just this month, published a defender’s guide as part of our State of the Internet security research report, which we release on a cadence every two to three months every year. So what is different from this one is we’re basically taking a break from our traditional security research reports that were more data and insights driven. This time, rather than just providing abstract security trends, the report actually consolidates cutting edge security panel product analysis from Akamai’s security research teams with actionable recommendations that are tailored for first line defenders, like a SOC analyst, for example, enabling them to allocate resources and time more effectively against emerging trends. So some of the highlights from the report include a risk scoring model, a brand new risk scoring model that quantifies vulnerabilities. We also look at specific attack techniques that’s been used by sophisticated threat actor groups across the world, including how VPN systems are exploited, as well as how containers in the cloud are being exploited to the emergence of very evasive malware, that continuously adapt to the defenses that’s trying to stop them. So this research comes with recommended mitigations, which is really what makes this research so compelling because we’re not just telling people what we found out. We’re also telling them that how it could hurt you and more importantly, what they need to do right now.

KB [00:14:14]:
And would you say so you you you’re starting this new report. As you mentioned, you’re moving away from your traditional reporting. Do you say, like, if you were to do this again the end of the year or the start of next year, there’s gonna be a significant shift in terms of what we’re seeing because of how quickly things are evolving, as we know, with AI. Like, you’ve mentioned before previously, AI infused attacks in terms of, you know, voice, etcetera. Will we start to see the needle move significantly in terms of these attacks, or do you have any sort of insight on that front?

Reuben Koh [00:14:44]:
Yeah. I certainly think so. I certainly think that the the needle is gonna move a little bit this year because of rapid or accelerated adoption of AI into multiple industries and at the same time, increasing the inherent risk that AI brings into organizations as well. And because cyber criminals, they are opportunistic. Right? They look for weaknesses in, you know, defenses anywhere they can find and then try to exploit them. And because we’re just, in my opinion, I think we’re kind of still scratching at a surface of what AI can actually bring to the table. We know what gen AI can do. And I think right now we are bringing that to the next level, by venturing into things like agent AI in terms of delivering real world outcomes that are powered by artificial intelligence.

Reuben Koh [00:15:32]:
But by doing so, it’s actually connecting AI models, which were previously in gen AI, for example, reserved for content generation into the real world where it’s actually going to plug into different applications, different services, and different systems everywhere. So when that happens, you’re gonna have a massive mesh of interconnected systems that are powered by artificial intelligence in the back end. And, you know, when you look at it from the lens of a cyber criminal, that is actually very, very alluring and very compelling for them to take a good hard look in terms of where can I exploit this? Because when everything is interconnected together, we’re gonna see a massive flow of data moving from, you know, not only point a to point b, but basically everywhere at the same time because of the capability of AI doing things in parallel. So because of that, I believe that this year, at some point where we revisit this report again, things are gonna shift because if you, if we look at how AI is being exploited right now, I think we’re gonna discover more of that. We’re gonna see more AI vulnerabilities become more visible. We’re gonna see some of the shortcomings that organizations will discover when they go full fledged AI adoption. Some of the risk is gonna become more compelling for them to address at some point because regulations are already circling around how AI should be used both ethically as well as securely. So I think at some point this year, when we do this again, we expect to see infusion of AI into the techniques or into the attack techniques as well.

KB [00:17:07]:
Okay. So, Reuben, you mentioned before AI vulnerabilities. So what does this look like? Walk me through it.

Reuben Koh [00:17:14]:
If we look at Gen AI today, for example, we’re seeing, you know, not only is Gen AI well, we know what Gen AI can do, but we’re also discovering the vulnerabilities of Gen AI. Like, you know, you could actually figure out how to jailbreak it by circumventing its guardrails by abusing the AI model to do what it should not be doing. You know, and that’s, that’s a very real risk right now because everyone is trying to see where where the guardrails are and how to break them. And at the same time, we’re also seeing, oh, we know how much AI models like Gen AI depend on data, whether it’s training data, whether it’s influencing data and so on and so forth. So there’s a lot of data that’s in place that actually influences the the outcome of AI models. And that’s really an area where if we abuse the data or if we circumvent the data, from an angle of integrity, for example, make it becomes less accurate or make it become completely false, then that will be a problem because the AI will be trained on that completely inaccurate data. And then the output generated would similarly become completely inaccurate or even malicious.

Reuben Koh [00:18:23]:
So these are the things we’re seeing today in terms of criminals trying to experiment how to break into AI and circumvent the integrity of the AI model. But, again, once this AI model starts to connect with external systems like and tools like APIs, for example, they’re actually going out to the real world and talking to real world applications, like, you know, a CRM application, a, you know, a Uber like application or anything that can, basically commit a transaction on behalf of a human. And when this happens, then you’re gonna have data that could be moving from a compromised model into a unsuspecting victim application. So it’s basically opens up new avenues of attack because once again, all these things are interconnected. They’re all in a mesh. So it basically allows the bad guys to gain a an entry or a foothold into those third party and external systems. So this can actually become quite impactful when executed correctly.

KB [00:19:28]:
So, Reuben, everything you sort of discussed here already, obviously, there’s there’s always problems. There’s new things coming out all the time. If you were to zoom out, do we, as in we as an industry vendors, service providers, etcetera, can we solve all of these problems at the moment? I know it’s like, you know, AI, to some degree, is relatively new ish, and people have got, you know, more, like, point solutions to, you know, solve certain problems. But I just there’s just so many things that, you know, we’re saying before, like, you know, in the the API and then, you know, leveraging some of that data, and then there’s another problem, another can of worms open. So I’m just always curious to know, like, we’re moving faster than we ever have before. So what does this then look like now? Because people were struggling before any of this stuff really started happening. Now it’s coming out faster. We don’t necessarily have all the answers.

KB [00:20:23]:
I know that there’s no silver bullet, but I don’t know. Make help me make sense of that because, I mean, I’ve been doing the show for a while. And even in, like, last twelve months, just the sheer volume of, like, attacks and the breaches and everything like that. But it’s just always just curious to know, like, are we even prepared for what’s even out there?

Reuben Koh [00:20:42]:
Yeah. That’s that’s a good one. And to be honest with you, I don’t think we will ever be ever be a % fully prepared because the landscape is just changing so quickly so often. What we, you know, what we thought was sufficient today may not be so tomorrow. So but at the same time, right, we need to understand and we need to be aware of the fact that, you know, innovation, digital innovation in its purest form, whether it’s through AI or through APIs or through a disruptive another disruptive piece of technology is gonna move at a different speed from security or from cybersecurity. Because in the world today, a lot of organizations are led by innovation. They have to reinvent themselves. They’re what they need to disrupt their own marketplace.

Reuben Koh [00:21:27]:
They need to stay ahead. They need to compete. And because of that, innovation usually charges ahead. And there will be situations where, you know, cybersecurity or risk management efforts will need to take a back seat when these things happen. And we’ve seen this movie many times before. Right? Because, for example, ten to twenty years ago, when cloud first came into the scene, it was exactly like that. Because organizations were were lured by the perceived cost savings of moving their stuff to the cloud as compared to owning a data center. Right? But after them doing so, it took a bit of time before they realized that, oh, I need to I need to be safeguarding my stuff in the cloud because they’re exposed to everyone everywhere.

Reuben Koh [00:22:13]:
And I believe that at some point we will reach there from a you know, if we’re looking at AI, we will. But I think right now, people are really looking at how is AI gonna help innovate my my organization? How is this gonna, you know, make me more efficient? How is this gonna stem down my cost and increase my top line? This is, you know, this is similar to what has happened two decades ago when cloud computing burst into the scene. So the good thing is we’ve learned we’ve learned our lessons, which is why we’re seeing the regulatory bodies stepping in, actually expanding, the regulations to incorporate, you know, AI safety and AI ethical use and stuff like that as well. Because of that, the industry is also coming together together with both private and public entities to figure out, you know, if we do this, what are the risks? What do we need to address? A good example would be the OWASP LLM Top 10. So OWASP is a is a nonprofit group that actually list out the top 10 most vulnerable risk that can be exploited, and they actually released one for LLM, which is for GenAI. So we you know, as compared to twenty years ago when when cloud first came on to the scene, we’re now a little bit more aware. We’re now a little bit more on board in terms of, you know, following best practice, following guidelines, establishing regulations, putting in guardrails, and training people, making them more aware. But at the same time, to your point, are we ever gonna be prepared if we do this? I don’t think so, but that doesn’t mean we should stop doing it because as attacks against AI or as attacks powered by AI continue to increase and continue to continue to evolve, we’re actually doing the same thing in stopping attacks.

Reuben Koh [00:24:00]:
We’re embracing AI. We’re infusing AI into cybersecurity operations. We’re trying to advance our security tech partner security tools and technologies with AI as well. So it’s actually happening at both fronts, which is what’s really interesting right now because I had a conversation with a CIO last year, and he was kind of explaining that well in today’s context is funny because AI is a technology I’ve not seen in the longest time where we actually use that same piece of tech to both make our business better, but also make our business more risky. So it’s, you know, that kind of approach that if you adopt a disruptive piece of tech, it will bring the benefits or perceived benefits. But at the same time, as you flip the coin to the other side, it’s also gonna bring a certain level of risk. Some of those that we do not fully understand yet into the organization. So I think from that angle, this is really what we’re looking at right now, but I do believe as time goes by, as the usage or the use cases for AI become more mature, as the attacks themselves become something that we understand more about, and and more importantly, as our capability of AI powered cyber defenses continue to evolve over time as well, I think we’ll come to a juncture where what we’ve done with cloud.

Reuben Koh [00:25:20]:
Right? We’ve basically understood what needs to be protected, where, when, and how, and also keeping an eye out on how that dynamic cybersecurity ecosystem is evolving.

KB [00:25:30]:
Okay. I wanna go into this a little bit more. So when you were talking around, you know, embracing, like, disruptive tech, for example, and, again, like, when you’re introducing that, there is some risk. Would you say with how are things going, like, you’ve just mentioned that things are faster, abs everything we’ve discussed already on this interview, Do you think businesses now are just gonna have to make decisions quicker than they have? I mean, look, look at a traditional enterprise. Like, sometimes things move so slowly. And by the time people make a decision, it’s like, oh, something else has already started anyway. So do you sort of see that from a, like, a operational point of view that, you know, maybe, yes, we can’t do a full blown, like, audit and risk and look at it to the end degree because we just don’t have the time on our side. So I don’t wanna say cut corners, but do you think people will just have to look at how they’re approaching everything that’s happening or else, you know, there is that risk that them taking too long could actually then put them at risk of having other issues.

KB [00:26:33]:
And so you have to sort of balance it with which one’s worse to have. Do you see that happening?

Reuben Koh [00:26:38]:
Yeah. Absolutely. So that’s that’s really the reason why we’ve came up with a new risk scoring model, which is really trying to address that particular conundrum that you have just brought up. Because when we look at, you know, trying to secure or trying to safeguard assets in the enterprise and trying to make decisions in terms of what protection needs to go where by when and how are we gonna protect it, The reality is you can’t do that everywhere, every time to everything. Firstly, it doesn’t make sense. Secondly, it’s gonna take too long. And thirdly, it’s gonna cost a lot of money, but probably infinite amount of money, because you don’t know how it’s gonna cost. What organizations are doing right now or should be doing right now is to really look at, you know, prioritize assets and basically build for lack of better term, a ranking system in terms of which are the most critical assets that is too important to fail.

Reuben Koh [00:27:31]:
Right? Without these, the business will fail. These five of these 10 assets applications or, you know, I didn’t whatever you wanna call it, appliances, hardware, These must never fail. So we’re gonna spend 30 or 40% of our time and money to ensuring all these stay up. And in order to understand what those assets are, we need to look at establishing a risk register, which is basically something that the risk scoring model in the report actually helps in building out. So once you understand which are the prioritized assets, yes, you need to make a decision on those, a quick one, but at the same time, you’re also getting more visibility. In order to make a more informed decision that you’re not protecting something that maybe is, you know, lower down in a pecking order from something as compared to a critical system, for example. So once that is set in place, it also, and I was about to talk about this later, but it also gives rise to the organization building resilience into their operations. Because, you know, if we look at maybe they have got like 50 assets in the organized 50 digital assets, you know, web sites, endpoints, web servers, applications, so on and so forth.

Reuben Koh [00:28:43]:
Fifty of those. So if 40 of those go down, can the business still run? Maybe not as quick as before, maybe not as, you know, not as efficient as before, but the question is, can it still run? So if the answer is yes, then these are your critical systems. You need to protect those at all costs. So by doing so, and also building out your recovery capabilities and also building out, your fallback capabilities. For example, if your digital is gone, you fall back to manual. How long can you hold out? Six days, six weeks. So once you do that, it all goes back into that rescoring model. What are those that we need to protect? And if this fails, what do we do then? So once we have a better idea of what that looks like, it’s actually the first step into increasing the cyber resilience of your entire operations.

KB [00:29:32]:
So do you think as well that people just don’t like making decisions? And I would caveat that with saying because like you said, if it fails, then what? So people don’t necessarily wanna have their name attached to something that fails. So with what you’re saying here, Reuben, would you suspect that now people may be slightly apprehensive? Because, again, like, people don’t like making decisions. They don’t wanna feel like their their potentially, their names are getting something that failed. There’s all those sort of thoughts that come up for people. So where’s your where’s your head at with that? Do you think people are not as receptive initially because, again, everything I’ve just listed before?

Reuben Koh [00:30:10]:
Yeah. I think that’s kind of human nature. I think what you’re referring to is accountability, Carissa. So I think a lot of the situations we’ve encountered is, yes, there is a, there is a human element involved in it that people tend not to want to be accountable when things go sideways. I think that’s part of human nature. But at the same time, it doesn’t elude the fact that somebody needs to own it. Right. Because if nobody owns it, it’s gonna fail.

Reuben Koh [00:30:38]:
It’s just a matter of time. And how is it gonna fail? Which is why if you look, you know, if we look at regulations that are evolving, a lot of that are driving accountability of the organization, to be accountable, to report such security incidents in a prescribed time window, to be accountable for any loss of data, to be accountable for so on and so forth. So that is from a regulatory perspective down to the organization. So if that happens internally within the organization, they need to drive their own level of accountability within. Because if not, then they’re gonna violate every single clause in that regulation because no one owns anything, and therefore nothing gets improved, nothing gets looked at, nothing gets fixed. So I think the core issue here is not really because people don’t want to own stuff. I think here is really because people fear stuff will fail, which is really going back to, you know, the idea of resilience. And, you know, I think for the longest time in cybersecurity, and I guess it’s really because of a byproduct of, you know, of major successes from security vendors that the previous concept of cybersecurity was about 100% prevention.

Reuben Koh [00:31:52]:
Meaning I need to stop 100% of the attacks. I need to prevent 100% of data breaches. Therefore I’m buying this firewall. I’m deploying that, that endpoint protection. I’m doing what I’m doing. Right. I’m hiring a bunch of people to look at log files. But the problem with that is if you look at the amount of attacks we’ve been getting so far, if you look at the amount of victims in Australia alone, that’s fallen victims to cyber attacks, you realize that there’s no, there’s, there’s no such thing as 100%, right? Even though it’s a holy grail that we all strive to go towards, it is hard.

Reuben Koh [00:32:25]:
So when that happens, the human nature is if I can’t get 100% and if I’m accountable and if a breach happens, I don’t want that. Right. I wanna step away from that, that, that situation. But if we kind of change the mindset a little bit and look at the fact that look, you’re gonna get breached anyway. So the, the question here is whether or not you get breached, but rather can you contain a breach and keep it to a minimum that you can recover from it quickly. And that’s the whole ideology behind resilience. So once we shift the mentality to one that drives cyber resilience, Right. And the, naturally the fear of not being able to hit or get the 100% prevention benchmark is going to fade away because when organizations slowly start to embrace the fact that we will get hit, it’s a matter of when it’s really what we do when we get hit.

Reuben Koh [00:33:17]:
That really matters right now. So once that happens, I believe that, you know, the measurement or whatever we use to understand whether or not someone is doing his or her job by preventing attacks and shifting that to helping us to contain the breaches and keeping it to a level that we can manage it. So once that happens, I believe that the situation you’ve mentioned earlier should start to get better.

KB [00:33:43]:
Okay. So you mentioned before, how quickly can we recover? Now I know there’s gonna be maybe slightly hard to answer, but it’s more just understanding your thinking and where your mind goes. Where do you sort of see if you even if you give it, like, an industry or, like, financial services or whatever? Obviously, they can’t afford to have downtime or else people start arcing up. You know, Twitter starts you know, people start losing their mind very quickly. So how quickly do you envision companies, just say something happens, can recover and get back up and running, like, really quickly? We’re gonna start to see a velocity on that in terms of everything that you’re saying because now what is available, knowledge, etcetera, capability, technology, even the thinking and the attitude, will that start to become fast enough to what we’ve seen in the past of people taking days, weeks, some people months to recover? What does that look like?

Reuben Koh [00:34:35]:
So I think the back end recovery side of the house in technology has certainly improved by leaps and bounds. It has certainly become a lot more advanced as compared in the past. I mean, the good old days, so for those of the listeners who are as old as me, we’ll remember LTO tapes, tape libraries, tape drives. Those backup and recovery would take forever. Right? Because back then, we were talking about RTO and RPO, recovery time objectives about, I don’t know, five days, six days, meaning we can live without the data in five or six days back then. But today in today’s context, we can’t live without it for five to six minutes because everything is real time. Everybody wants it right now. And here comes the thing with the advancements of recovery technology.

Reuben Koh [00:35:23]:
We’re seeing a huge improvement because now we can recover from the cloud. That’s doing real time backup and streaming that back into our systems if required. I think that has improved a lot in terms of how we recover, but I don’t think that’s really the core issue here. I think the core issue is there’s a finite time window of how much you can recover in the certain amount of time. So let me give you an example. If a ransomware attack was successful and managed to lock up about 90 of your data in the entire enterprise, and you need the data to fulfill orders in the next sixty minutes, the question to ask is can I recover 90% of my business data in the next hour so that we can continue to flow and not suffer from disruptions? It’s a very big challenge. So instead of trying to, or should I rephrase that? I’ve actually spoken to people who looked at this before and some of them were actually quite confident that it’s okay. If we get hit by ransomware, we’ve got very, very robust backup recovery facilities.

Reuben Koh [00:36:28]:
We’ve got cloud, we’ve got data centers, we’ve got nearline, we’ve got offline, we’ve got online backups, you know, stuff like that. It’s all great. It’s all very sophisticated. But the question is how much of this data can you recover in the shortest time possible? And what is the shortest time we’re looking at? Because when ransomware comes in, they’re not gonna tell you I’m gonna encrypt 30% of your data. I’m gonna steal 40% of the rest. And I’m gonna just destroy the remaining ones. They’re not gonna do that because when a cyber attack or data breach happens, they’re going to come in and their objective is to cause catastrophic damage to your organization from a ransomware perspective, because their objective is to make you pay. In order to make you pay, they need to make you feel the pain.

Reuben Koh [00:37:13]:
And when that happens, right, we cannot just fall back to our backup recovery facilities and say, I’m all good. You know, come what may I’ve got backup recovery, which is why we go back to the ideology of being more cyber resilient because on one hand, it’s great if you’ve got super robust backup recovery, but also need very, very efficient and effective incident response, because the more effective you are in containing that attack, right? Maybe instead of encrypting 80% of your organization, you managed to breach two endpoints because of all the security policies and products you have in place when that happens and you flip the other side of the coin to backup recovery. Oh, this is easy peasy. I can recover two endpoints in, like, fifteen minutes. Right? And the business can move on. So the whole idea of resilience is you need to have the both sides of the house in good order. One is to minimize the damage that will be caused, and the other one is to recover whatever that’s been damaged in the quickest time possible. And together, these two would actually make the organization become better in terms of adapting to these kind of attacks.

Reuben Koh [00:38:21]:
Because once again, I just use the example of ransomware. It could be a different attack that doesn’t encrypt data. I talked about data breaches that steal data, and you don’t know. There’s nothing to recover because the data is still there. Right. It just, it is just stolen by the crooks. So when we look at this in terms of resilience, it opens up a whole new dimension. It’s no longer about recovering data that’s been destroyed or encrypted anymore.

Reuben Koh [00:38:46]:
It’s about incident response that’s trying to contain the amount of data that can be stolen or that can be breached. So when we look at this angle, it’s gonna be a bit different as we, you know, as time goes by because organizations are already starting to become more involved or investing more and more into making themselves more cyber resilient.

KB [00:39:05]:
Yeah. This is interesting. Okay. So in terms of where we’re at today, and then just say you come back in twelve months and we say, like, hey, Reuben. Like, what’s changed? Where do you sort of think and I know you don’t have a crystal ball. It’s just sort of getting some insight. What do you think sort of happens now with where the industry is going? Everything that you said, everything you discussed here already, what’s your sort of predictions for the year and beyond?

Reuben Koh [00:39:28]:
Yeah. So look. I think a lot of the chatter now from a, you know, prediction perspective has always been about AI and, you know, AI this and AI that agree. AI is gonna be very important. AI is gonna drive a lot of the fundamental changes that we’re seeing right now. But when we look at the lens of, or rather through the lens of a security practitioner, we’re still gonna see data breaches. A lot of them, it’s not gonna slow down. We’re still gonna see a lot of ransomware.

Reuben Koh [00:39:55]:
It’s not going away. In fact, I deem ransomware as the new normal, it is your new malware, right? So after viruses became malware, nobody batted an eyelid, but they just learned to live with it. I see ransomware going in that direction. It has become the new normal. We need to live with it and we need to be prepared for it. But I think in the future, in those data breaches, what I think I wouldn’t be surprised with is a lot of those data breaches or the cause of those data breaches are still going to be, you know, have the same reason why they were breached because cybersecurity fundamentals were not practiced. You know, there was no multifactor authentication, software and hardware were not patched in time. People were basically falling to phishing attacks and not careful with divulging their confidential information and credentials and stuff like that.

Reuben Koh [00:40:44]:
We’re seeing that a lot or rather we’ve seen a lot of that last year, you know, very basic fundamental hygiene that was not practiced and resulted in data breaches. And I expect to see those as well this year, because you know, if history is a teacher, I think we’ve got some ways to go before we are actually able to overcome this. So I think not only from a prediction perspective, I think organizations really need to take a good hard look into their own cybersecurity hygiene and fundamentals because here’s one example. The same CIO I spoke to last year, and it was in Australia, by the way, still bring up the topic of the Essential Eight, which is basically a guide, a set of guidelines that were developed by the Australian Cyber Security Centre or ACSC very long ago. So it is, in my opinion, it is pretty outdated because it’s way overdue for a refresh, but it’s still constantly being brought up in conversations because entities or organizations are still trying to address those very basic fundamental hygiene in the organization. They have to get it right. Because to be honest with you, it doesn’t matter if attacks are gonna come powered by AI or not. Right.

Reuben Koh [00:41:55]:
It’s, you know, cyber hygiene is still going to be table stakes. We need to get these right because we want, we know what the issues are. We know what needs to be done. We just need to get it done.

KB [00:42:07]:
So Reuben, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Reuben Koh [00:42:12]:
Sure. So I think I spoke a lot about cyber resilience, I talked about risk assessments and stuff like that. I think a big part of being resilient, and this is something that, at least from my observation, is no longer reserved for the critical industries. Every commercial entity is looking at resilience as so should you. I think the important bit about resilience is not, do not forget intelligence. Do not forget collaboration. You can look at technology. You can look at people.

Reuben Koh [00:42:40]:
You can look at your business processes. Do not forget collaborating with your like minded peers in the same industry, collaborating with the public sector. For example, in Australia, the ACSC has what we call the joint cybersecurity centers, JCSC for short, where both private and public entities collaborate on cyber intelligence, make use of those. Because the landscape is always changing and with AI, it’s gonna change even faster and even far more dynamic than we initially expected those to be. So look at intelligence, look at collaborating, and, you know, look at the report like the one in defender’s guide from Akamai. This basically brings the latest and greatest from our research teams to you and make sure that if you believe you’re impacted by what is described in those intelligence reports, learn how to mitigate them quickly. Do not put them away. Do not procrastinate because the crooks do not wait, as we know.

Reuben Koh [00:43:42]:
So basically, all this bit by bit would go towards making the organization more resilient in the end.
