Building System Security Awareness: Lessons from the PDN Incident

The recent National Data Breach (PDN) incident serves as a reminder of the importance of system security in our ever-evolving digital world. Often, we become too focused on developing functionalities without adequately considering the security aspects of our systems.

Building a system is not just about adding features or functionalities. Sometimes we are too much focus and invest only to this and neglecting the system security aspects. When we connect our systems to the internet, cybersecurity risks must be considered alongside other potential risks.

Whether for small or large companies, the roles of CTOs, CEOs, and CISOs (to focus more on information security) are crucial in fostering awareness, establishing security control processes, and assembling competent cybersecurity teams. Systems, regardless of their size, age, or complexity, often harbor unforeseen vulnerabilities. Assuming that “nothing will happen” is extremely perilous.

While white hat hackers and bounty hunters may identify and report security vulnerabilities, this isn’t always the case. Black hat hackers driven by economic motives or other reasons can easily exploit existing vulnerabilities. Moreover, threats can manifest in the form of autonomous systems like viruses, worms, and various types of malware, opening doors to data theft or widespread system damage.

Building a system involves not only developing features or functionalities but also seriously considering its security aspects. Security awareness should be ingrained at every stage of system development, not added as an afterthought.

Establishing system security covering Confidentiality, Integrity, and Availability should begin from the planning phase (system architecture), during development (system development, secure programming, and configuration), management and operations (SIEM, monitoring identification,SOC), and Control (security testing, penetration testing, and audits), as well as education (building cybersecurity awareness) and culture (agility), policies, and procedures.

Another critical aspect is that a system should not only focus on features and functions. Non-functional aspects such as security, high availability (no single point of failure), reliability (automatic recovery or quick and easy recovery), and scalability (ease of scaling during high loads) must also be considered.

We all have a responsibility to protect the data and infrastructure we manage from the evolving threats in today’s digital world.

Have your systems addressed all these aspects, or do you prefer to assume your system is invulnerable, believing that hackers or malware won’t target it?