Going back to non-digital won't protect data

With a rise in cyberespionage cases, security players note that the idea of storing sensitive information in non-digital processes to prevent them from being stolen by hackers is impractical and inconvenient. They believe companies should instead embrace and tackle the challenge of having digital assets.

Budi Rahardjo, founder and chief technology officer of IT security firm Indocisc, was quoted in a news report in April that in the event of cyberespionage, Indonesia would only suffer "minor" impacts because most government agencies were not storing sensitive information in digital form.

He remarked that it was a "blessing in disguise" and that as long there was no sensitive information kept stored on Indonesia's computers, foreign data collectors will not be able to spy on the country through the Internet.

However, John Ong, South Asia regional director of Check Point Software Technologies, pointed out that storing information in non-digital forms is "not a good way" to safeguard against cyberespionage. Non-digital processes are rarely practiced in today's world where time is of essence, and preparing documents through typewriter or handwriting is comparatively less productive than using a computer, Ong noted.

With the accelerating pace of businesses, it will also be "impractical" to share large amounts of information in a non-digital format, as it will cause delays in businesses, increase operational costs and lower the competitiveness of the companies, he added.

Non-digital formats pose the same risks as digital formats when it comes to espionage, according to Ong. Confidential and sensitive information stored in non-digital formats require valuable physical space for storage and require safeguarding using physical security, which makes them vulnerable to theft, he said.

Another security vendor, Guillaume Lovet, senior manager of Fortinet's FortiGuard Labs threat response team, also agreed, likening it to "reverting to the chariot because there are plane accidents". "It seems less terrifying, but it is a lot slower and quite unpractical when a large number of users are involved," he said.

Without digital systems, the speed of processing, calculations, access to information, connectivity to other government and companies, detection and response to any event and convenience to end-user interaction systems will be lost, Phyllis Schneck, vice president and chief technology officer of McAfee's global public sector, surmised.

Rise to the challenge of digital
Rather than retreating from a difficult but beneficial environment, governments and companies should rise to the challenge of digital processing, Schneck advised. They should continue to row innovative new business processes based on electronic communications and processing, she explained.

A risk assessment methodology will put the vulnerability from cyberespionage to the top of the boardroom agenda, she advised. This includes continuous monitoring of a risk-based cybersecurity approach, from cloud to hardware, protecting data in motion and data at rest, will help to detect and deter the cyberespionage, Schneck added.

Innovative, risk-based cybersecurity strategy makes it more difficult for cyberespionage to take place, making detection and attribution easier, Schneck explained.

Singapore's Infocomm Development Authority (IDA) told ZDNet Asia that besides technical measures such as building resilient infrastructure, a key measure against cyberthreats is user awareness and responsibility, and that users and businesses should do their part by being "cybersecurity conscious".

Here are four things governments and companies need to protect their digital assets against cyberespionage, according to Ong:

1. Layered security
This security system should have network segmentation of critical servers and databases. A centralized management and event monitoring system allow the security administrators to easily manage the security systems and identify areas that need attention.

2. Data Loss Prevention (DLP) and Data Encryption
A DLP system must be in place to prevent data leakage. The data should also be encrypted so that only authorized users with encryption keys can decrypt the encrypted digital format.

3. Control document and data security
Companies should control whether the document can be read or written by specific persons, its accessible period, printable and access logs on the protected documents provide an added security on top of document encryption.

4. User Awareness Training
Users are the weakest link in security and regardless of whether the data format is in digital or non-digital format, user awareness training must be in place and test to be conducted to get the results of the training.