When we think of McAfee, the first idea that springs to our minds is its controversial, if not peculiar, founder John McAfee. Asked in 2012 if he used the famous anti-virus that bears his name, he answered that he takes it off as “it’s too annoying”.
But despite the unfortunate words by the company’s father, McAfee is one of the leading cybersecurity and computer security software companies in the world.
Owned by Intel from 2011 to 2017, today McAfee is an independent company with more than six thousands employees and operations all around the world.
In an exclusive interview, Ian Yip, Chief Technology Officer, APAC, of McAfee spoke to CIO Asia about cloud implementation and the cybersecurity risks involved with it.
What can organisations do to manage security risks when using the cloud?
Based on a study conducted by the anti-virus company, 97% of organisations are using some form of cloud service.
However, the same study also found security incidents to be pervasive, with more than 25% of organisations surveyed having experienced data theft, and 1 in 5 having experienced an advanced attack against their public cloud infrastructure.
Although migration to the cloud is helping CIOs and IT executives around the world in their digital transformation journeys, Ian Yip warns of hastily jumping into it without some necessary maturity, which he thinks can be the case for some Southeast Asian countries.
“One of the key risks is going too soon without having the due diligence in place to evaluate the risks that you are exposing yourself to”, he said. “There are lots of benefits of using the cloud but there’s a huge danger from a cybersecurity standpoint and the cyber risks standpoint of going too early.”
With data breaches and cyberattacks becoming more frequent and sophisticated, organisations need to be particularly careful when using the cloud.
To be able to manage security risks involved when using it, Yip says that first, you need to understand what kind of data you are storing in it.
“Without understanding what data you are going to hold in the cloud, you make it very difficult to prioritise your cyber defences because ultimately, cyber risk should be driven by what are you trying to protect from a data standpoint and from an asset standpoint”, he continued. “In the cloud the most important asset you are protecting is sensitive information”.
Once the risk profile is understood, he explained, you should focus on your cyber defences as the impact in the case of an attack will be different depending on the information you have in the cloud.
However, Yip has a realistic approach to the cyberattacks threat and thinks that rather than aiming at avoiding data breaches at all costs, organisations should focus on reducing the risk and the impact.
“In an ideal world we would avoid all data breaches and all cybersecurity incidents", Yip told us. "I think the pragmatic view of it is organisations should primarily aim to reduce the impact of a cybersecurity incident. It’s a very dangerous thing to say we can avoid all cybersecurity incidents - in reality, you are deluded."
He also added: "If the cybercriminals and attackers want to get in, by large they have very good chances of getting in. But the better your cyber defences are, the better you are reducing the risk and the impact if and when something happens."
What to do in the event of a cyberattack?
Asked about what advice would he give to fellow colleagues and IT directors when things go really wrong and hackers succeed in their criminal activities, Yip advocates transparency and communication.
“The top thing to be aware of, or to stick to, is to be transparent", he thinks. "If you look at it historically, the best ways to handle incidents is the more transparent you are the more you are able to maintain a level of trust. Obviously, every time there’s an incident, trust in your organisation goes down. But the most transparent and communicative organisations tend to reduce the financial impact of that incident.”
Yip thinks that initiatives like the European Union's General Data Protection Regulation (GDPR) or privacy laws in Singapore and Australia are positive government moves and force organisations to behave responsibly and the right thing for citizens and consumers.
“I think legislation is important because as much as we like to say security is vital, in reality, businesses are dealing with a lot of priorities and they only have a certain amount of budget to spend on some set of things that they would ideally not have to spend on", Yip said.
"Obviously legislation alone is not enough but it’s definitely a good starting point to bring the level of visibility and importance for cybersecurity, for cyber risk, for privacy up to the right levels of the organisation so that they spend accordingly to address those risks", he added.
Is emerging tech impacting cybersecurity?
Emerging technologies are influencing the way businesses work, affecting their workforce and disrupting operational models.
There’s a lot of buzz coming out from that field but rather than going on with the trend, CIOs and other technology leaders should ask themselves how the implementation of emerging tech can benefit their work.
For Yip, unless there’s a good reason to use disruptive tech, organisations should play that card with caution. As an example, he uses blockchain, where he sees a downside in performance and efficiency. In conversations with clients, Yip and his team challenge their clients to consider if blockchain is the best technology to solve their problems or if there are more efficient ways to do so.
“I think blockchain holds a lot of promise for technology as a whole but it’s still very early in the blockchain journey, particularly when we are talking about cybersecurity,” he said. “The very first question people should ask when trying to apply blockchain in cybersecurity is ‘do you really need blockchain?’. There are other ways of solving cybersecurity problems that don’t require blockchain, like encryption, databases and public key infrastructure (PKI) type solutions, identity and access.”
When it comes to cybersecurity, emerging tech is a double-edged sword as it can help both defenders and attackers. That’s the case of artificial intelligence (AI) and machine learning, both technologies used by McAfee and on which they are heavily investing money on research and development.
“AI, machine learning and deep learning can help both the attackers and defenders through the ways it can be applied to detect, alert and respond to cyber incidents,” Yip explained. “It’s a bit of cyclical arms race if you like, to be able to use AI for both good and bad purposes.”
According to the CTO, there are two key factors to remember about AI and machine in this "arms race". First is that all the algorithms are important. Second is to have huge amounts of data that can train algorithms on.
Yip explained that McAfee has vast amounts of data that are used on an ongoing basis in their technology to make sure that the security software company is in the best place to detect and respond to the ongoing threat.
Should companies hire hackers to test their cybersecurity defences?
Yip is clear in his answer: yes. But he is not referring to the dark-web lurking hackers-for-hire but the so-called ‘white hat’ or ‘ethical hackers’.
“I think it’s a good idea to hire white hat hackers, not the bad guys!”, he told us. “I would stay clear of using the bad guys to help to defend your company. But there are a lot of white hat hackers who are in it - the main difference is ethics and the goals they are trying to achieve. White hat hackers are just as clever as the bad guys but they are in it for the good of society and the good of businesses.”
Not only that, but he also thinks that hiring white hat hackers should be done regularly to find any vulnerabilities that systems have.
In fact, that’s standard practice in McAfee, where they employ white hat hackers to make that their environment is secure and also to help some of their customers to find and fix vulnerabilities in their environment.