Deric Karunesudas is a cybersecurity leader with over 16 years of experience in the cyber domain, including Cloud Security, Managed Security Services, Cyber Fraud Assessments, GRC, Information Risk Consulting and Data Privacy. He has worked with renowned companies like Deloitte, Splunk, RSA, NTT and British Telecom and is currently based in Singapore, managing the APAC region.
Having worked in geographies like the US, Europe, APAC and the Middle East, Deric understands the varied nature of cybersecurity economies and how it impacts cultures differently.
A start-up mentor and an angel investor to many early-stage start-ups, Deric’s mentorship and investment thesis revolves around accelerating tech-driven start-ups with a scalability factor and believes in engaging at an early stage.
In an exclusive interview with The Cyber Express, Deric discussed the acceleration of technology post Covid, how AI in cybersecurity can enhance cyber attack prediction, the recent buzz around ChatGPT and how people continue to remain the weakest link.
IoT security has become even more relevant post the pandemic. There is a lack of visibility and an increase in shadow IT. Could you shed some light on your proposal on IoT, which was selected for the ISF Copenhagen World Congress in November 2014 and Atlanta World Congress 2015, and its relevance in today’s scenario?
We need to build people-friendly cities in a data-rich world!
My Proposal at the ISF Paris World Congress in 2014 was related to the various chaos in IoT security standardization as there was no single IoT framework used very similar to, say, English as a global communication language or IPV6 as a TCP protocol.
IoT devices are vulnerable to various network attacks such as DDOS, phishing, data leakage, spoofing etc. This will ultimately lead to risks like ransomware attacks, which cost a lot of money (nowadays in the form of Bitcoin payback). Recent hospital ransomware attacks worldwide, especially towards the end of the 2022 calendar, are significant.
Two years after my ISF IoT proposal, the Mirai Botnet attack of 2016 showcased the impact an IoT malware can have at scale, affecting billions of devices globally. One of the ways to be one step ahead of the hackers is to encrypt all IoT communication traffic and, if possible, build a second layer of authentication like a 2FA.
Several experts suggest that critical infra organizations must upgrade security to avoid AIIMS-like attacks. Do you feel that there is a sense of lack of urgency when it comes to adopting cybersecurity initiatives in organizations that are within the realm of critical infrastructure in India?
Defending cyber attacks all the time is never easy, especially when the attacker has to be right just once. You can build the best of the technology, but it’s a people’s game at the end of the day. If the employees or the stakeholders don’t have a security mindset to build securely or act security proactively, then the defence is a pipe dream.
Not only in India, like the AIIMS ransomware attack, but the recent attack on CommonSpirit Health in the US is another example. Many more sophisticated attacks in Australia and Europe have also affected the CII system.
The top executives need to be accountable, and the responsibilities need to be fixed to be more proactive. Too many variables in the system could complicate the approval process for a single procurement of the system, which could delay the deployment; hence a threat entering the network is highly likely.
Talking about urgency, most of the customers and enterprises during covid wanted a pain killer and were not willing to pay for vitamins. This short-term defence view would hurt the long-term cybersecurity strategy and hence would affect most enterprises’ brand image. Security by design should be the enterprise mindset always!
Covid has only accelerated the technology adoption in most economies. We could see the urgency in many continents and countries, including the privacy act being passed, which is one of the first steps towards a safer world.
The world needs a product which can genuinely predict a cyber attack. That would be a game-changer. AI ML models, edge computing and quantum computing could help in it for sure.
Precautions could be as simple as patching the latest version in all the application infrastructures, but most organizations miss this.
There are only two reasons why customers will spend on security – not to get breached and to protect the brand once breached. Hence, customers worldwide keep the balance of making an investment v/s not making a cybersecurity investment to get the desired ROI. No one will spend 100 dollars to solve a 10- problem.
The geopolitical situation will start the targeted cyber attacks on specific countries soon.
AI in the cybersecurity market to be worth $60.6 billion by 2028. With the advancements in AI and several industries understanding the ease of using AI, credit to GPT3 and even the recent ChatGPT, do you there is a better acceptance for AI in the IT circuit? And what about AI in cybersecurity? Do you think there is going to be a better adoption?
The debate of Human Beings v/s AI Beings will warm up in 2023 for sure.
AI will work wonders if people learn how to leverage it to bring efficiency, else it will end up being a Swiss knife used only to cut with limited utility.
We are being trained by the tools but are not training the tools enough. We need to fix things at a fundamental level. First principles thinking would only solve most problems, including AI and Automation.
The question to ask is, are we controlling AI or is AI controlling us? The threat posed by AI should worry us more for sure in future. The framework to analyze all data models could be “what’s the worst-case scenario”, and there could be multiple scenarios.
Today AI in cybersecurity is a 10 billion industry growing at a significant CAGR of 30%, which is great news for the industry as a whole from an adoption perspective.
ChatGPT has disrupted the AI space, including Google and other search engines. But it still has a long way to go, including legal compliances that need to be sorted. Elon Musk has definitely given the first step to creating a more human-like platform. Exciting times are ahead.
Do you feel employee-targeted digital risks are the next frontier of enterprise cybersecurity?
Any enterprise could outsource cybersecurity, but the risks always lie within the enterprise, which could be insider fraud, identity-based compromise, or data exfiltration by trusted employees during exit or termination. Hence people will continue to remain the weakest link.
Email phishing targeting employees could rise as hackers hack people, not technology. A Zero Trust Framework or identity-based solution could be a preventive solution to lower the risks.
2022 has been a rough and tumble year across the world when it comes to cybersecurity. It kicked off with Russia’s cyber-attacks on Ukraine and escalated into a full-on kinetic war between the two countries. Do you feel an escalation in cyber warfare in 2023 as well? How can countries be better prepared?
A simple solution to defend your perimeter all the time is to be totally offline, which is impossible if you want to do business.
The next war will be in cyberspace as the world becomes more physical to digital. The number of global cybersecurity start-ups trying to disrupt the established giants is also evidence that this industry is bound to grow exponentially. The VC firms are also taking considerable bets in this theatre.
I believe digital currencies will drive most of the power play in emerging economies. The dollar will dominate; however, establishments having their digital currencies could mean more citizen transaction tracking. The global crypto market has already crossed 1 trillion USD, which is just 1% of the world GDP, which is approx. 104 trillion USD as of Dec 2022.
Ensure enterprises guard all four layers – endpoint, application, infrastructure and operations. Keep monitoring your data proactively using your own or outsourced SOC; compliance and regulation control needs to be audited regularly.
Every year has always been challenging, and not just 2022. There will always be attacks on enterprises and individuals; how you respond matters. Identity-based attacks for sure will be on the rise.