Park Se-jun, CEO of Theori, earned his bachelor’s and master’s degrees in Computer Science from Carnegie Mellon University in the United States and formed “PPP,” a hacking club that won various international hacking competitions including DEF CON. In January 2016, he founded Theori, a security-focused startup headquartered in Texas, United States, together with fellow alumni, and established the Korean branch in February 2017. Courtesy of Theori
“Security is not a technological issue but an organizational one.”
The hacking and data leak incidents that have hit domestic companies one after another since the second half of last year are not the result of being defenseless against cutting-edge artificial intelligence (AI) technologies. Experts broadly agree that they are rather the cost of failing to follow basic rules: many domestic companies still lack even basic controls such as password management, access control, network segmentation, logging, and incident response playbooks.
Park Se-jun, CEO of domestic security startup Theori, known as a “national-class white hat hacker,” likewise states that what determines the success or failure of cybersecurity is not technology. To strengthen security, it is important first to establish fundamental organizational reforms and a shift in mindset—such as CEO commitment and leadership, board-level governance, and building a security-centric organizational culture—before introducing specific technologies or solutions. DBR (Dong-A Business Review) asked Park about the current state of security in Korean companies and what needs to change to fix the basics. The following is a summary of the interview published in the March 1 issue (No. 436) of DBR.
―What is the biggest shortcoming for domestic companies when it comes to security?
“Although it is said that in the AI era hacking attacks have become far more sophisticated and more dangerous due to advanced technologies, when looking at the recent large and small incidents, cases that were actually triggered by AI itself are rare. Up to now, corporate security vulnerabilities have in fact been in the basics. Even simple security principles have not been properly followed, and there has been no playbook as a post-incident response manual. Because convenience has been prioritized, network segregation is often not in place, and there are many instances where invisible links exist between networks. In such cases, once one side is breached, it is commonplace for the entire security system to be compromised in a chain reaction. The Coupang incident also ultimately occurred because access privileges remained even after a person left the company.”
―Why is a “playbook” containing post-incident response strategies necessary?
“For hacking incidents, the question is not ‘whether it will happen or not’ but ‘when it will happen.’ Security solution providers like us seek to continuously delay that timing and raise the cost of attack so that the companies we serve become targets as late as possible. In this game, the key is how quickly, once the attack moment arrives, it is detected, handled, isolated, and recovered from. Yet companies still lack plans to enhance resilience, and there is a deep-seated insensitivity to security risks. Security, like emergency incidents, also has a golden time. The window to take action after a breach does not remain open indefinitely, so companies must respond in a swift and coordinated manner within a short period. Without a playbook, agile response is difficult.”
―What is the first thing companies should do to protect their security?
“Recent incidents show that companies have not secured sufficient visibility over their internal assets. The first priority is to identify what the company’s core assets are. Without a grasp of the overall picture, that is, where digital assets such as servers are located and where data resides, it is impossible to build risk scenarios on where and how hackers might infiltrate. In fact, servers are usually deep inside internal systems, so it is not easy for hackers to penetrate directly into the central servers. They typically attack employees on the periphery by sending malicious phishing emails. Employees must be trained not to open emails or click links from untrusted sources, and not to download files from them. Every incident begins with a small act of carelessness.”
―Do hackers not attack the central system on a large scale from the outset?
“Once malware is installed on an individual’s computer, that computer is connected to the company intranet and network, and from that point so-called infection, or lateral movement, begins as the malware moves toward the servers. For example, suppose an individual has written down server access information such as IDs and passwords in a text editor on their computer. They may think it is safe because it is stored on a personal computer, but once a hacker takes control of that computer, the hacker can use that information to launch second- and third-stage attacks on the company intranet. Therefore, if a particular server holds sensitive information, the number of people who can access that server must be very limited, and log records such as who accessed it must be kept transparently. If cybersecurity is described as a ‘chain of links,’ the weakest link determines the overall level of security. No matter how impregnable other parts of the system may be, once the weakest link is broken, everything collapses together.”
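The two controls Park names for a sensitive server, a very short list of who may reach it and a transparent record of who actually did, are easy to state and easy to let drift, which is how a departed employee's access can survive offboarding as in the Coupang remark above. The following is an added example, not code from the interview or from Theori: it parses a few constructed sshd-style login lines from a hypothetical server `db-prod`, counts who logged in, and flags successful logins that fall outside a hypothetical allowlist, belong to an offboarded account, or used a password rather than a key. The allowlist, the offboarded set, and the log lines are all assumptions made up for the demonstration.

```python
"""Audit who reached a sensitive server against an access allowlist.

Added example, not the interview's or Theori's code. The log lines,
allowlist and offboarded set below are constructed for the demo.
"""
import re
from collections import Counter

# Constructed sshd-style auth log lines for a hypothetical host db-prod.
SAMPLE_LOG = """\
Mar 01 09:12:01 db-prod sshd[4122]: Accepted publickey for alice from 10.0.5.21 port 51022 ssh2
Mar 01 09:40:17 db-prod sshd[4190]: Accepted password for bob from 10.0.5.44 port 50211 ssh2
Mar 01 22:03:55 db-prod sshd[4633]: Accepted publickey for carol from 10.0.9.8 port 41555 ssh2
Mar 02 03:15:09 db-prod sshd[4802]: Accepted password for dave from 203.0.113.17 port 60000 ssh2
Mar 02 08:01:30 db-prod sshd[4911]: Failed password for root from 203.0.113.17 port 60002 ssh2
"""

# Hypothetical allowlist: the very short list of accounts that may reach db-prod.
ALLOWED = {"alice", "bob"}
# Hypothetical offboarding feed: accounts of people who have left the company.
OFFBOARDED = {"dave"}

# Matches the OpenSSH "Accepted/Failed <method> for <user> from <src> port <n>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_log(text):
    """Return one dict per parseable auth line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit(events, allowed=ALLOWED, offboarded=OFFBOARDED):
    """Flag successful logins that violate least privilege.

    Returns a dict mapping finding type to a sorted list of (user, src).
    An offboarded account is reported once, as 'offboarded', even though it
    is also absent from the allowlist; password logins are reported
    separately because a password is exactly what a harvested text file
    gives an attacker, while a key on the victim's disk may still be
    passphrase-protected.
    """
    findings = {"not_allowlisted": [], "offboarded": [], "password_auth": []}
    for e in events:
        if e["result"] != "Accepted":
            continue  # failed attempts are noise for this question
        key = (e["user"], e["src"])
        if e["user"] in offboarded:
            findings["offboarded"].append(key)
        elif e["user"] not in allowed:
            findings["not_allowlisted"].append(key)
        if e["method"] == "password":
            findings["password_auth"].append(key)
    return {k: sorted(set(v)) for k, v in findings.items()}


def access_summary(events):
    """The 'who accessed it' record: successful logins per account."""
    return Counter(e["user"] for e in events if e["result"] == "Accepted")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("logins per user:", dict(access_summary(evs)))
    for kind, hits in audit(evs).items():
        print(f"{kind}: {hits}")
```

In this constructed sample the audit reports `carol` as a successful login outside the allowlist, `dave` as a login by an offboarded account (the access that should have been revoked), and both `bob` and `dave` as password logins. The same comparison works against real `/var/log/auth.log` lines of this shape, but the allowlist and offboarding feed have to come from the organization's own records, which is the organizational work the interview is pointing at.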
―Despite the clear need, why do domestic companies not maintain playbooks?
“Because they still view security purely as a cost and try to invest only the minimum. They do not recognize it as an indispensable ‘insurance.’ Unfortunately, the security team is an organization where ‘no news is good news,’ so if things are quiet and no incidents occur, it can appear as though the team is doing nothing. Since money is being spent but there seem to be no visible results, it is easy for security to be deprioritized compared to development teams, where tangible outputs appear in proportion to the budget. As a result, when companies cut budgets, the first department they streamline is security. Yet when an incident actually occurs, the security team becomes the target of blame and criticism. Because companies do not feel the need to allocate resources for advance preparation, they do not have playbooks. From the corporate perspective, even basic training such as formulating risk scenarios and conducting mock hacking drills, akin to fire drills, can only be seen as a cost. However, it must be remembered that there is a striking difference in incident response capabilities between companies that have conducted such training and those that have not.”
ⓒ dongA.com. All rights reserved. Reproduction, redistribution, or use for AI training prohibited.