While 42% of business executives in the Asia Pacific region consider cybersecurity a high priority, only 9% have actually hired cybersecurity professionals within their organisations to keep their businesses secure – suggesting that although business leaders, C-level execs and stakeholders are becoming increasingly aware of the cyber risks and threats (or so they claim), few are actually doing anything substantial about it or making the necessary investment to boost security. That is, until they get hit by an attack or a security breach.
Those stats were among the findings of the Cisco 2018 Asia Pacific Security Capabilities Benchmark Study, which offers insights into the security practices and state of cybersecurity readiness in the region, involving over 2,000 respondents across 11 APAC countries including six within Southeast Asia (Singapore, Thailand, Malaysia, Vietnam, Philippines and Indonesia). The study highlights that even though 2017 witnessed an unprecedented number of cyber attacks, in general, ASEAN companies are still taking a reactive approach to cybersecurity instead of making it the cornerstone of their business strategy.
To put it all into perspective, Albert Chai, Managing Director of Cisco Malaysia, mentioned that on average, ASEAN companies investigated less than half (between 37% to 52%) of the potential threat alerts received, with Malaysia ranking the second-lowest in Southeast Asia at 40%. When it comes to remediating legitimate alerts, the numbers aren’t any better. Similarly, less than half of credible threats are acted upon and corrected.
Albert spoke at a media briefing in KL yesterday to present the results of the study and recommend steps that businesses can take to better fortify their operations in a world of increasingly sophisticated cyber attacks. Also on hand to share their insights were Victor Lo, Head of Cybersecurity for Malaysia Digital Economy Corporation (MDEC) and Joshua McCloud, National Cybersecurity Officer for Cisco Systems.
The results of the study clearly highlight the scale of the challenge faced by those surveyed, with 69% of companies in APAC receiving more than 5,000 threats each day and up to 80% having suffered a breach in the past year.
With more than half of legitimate cyber threats left unaddressed, companies therefore need to focus on better integration of the security solutions they have in place in order to reduce the complexity of their cyber defences and reinforce their cyber defence arsenal with more automation which will enhance detection accuracy and lead to swifter remediation. Failing which, defenders would be in danger of cyber fatigue as relentless malicious attackers continue intensify their assault on businesses.
Nevertheless, having the right technology in place is just part of the solution. It’s also paramount that businesses understand the importance of equipping their personnel with the right cyber defence skills and capabilities. In that sense, Malaysian companies are faring better than their regional counterparts with 59% saying they prioritise personnel training in the aftermath of a cyber security breach. This is higher than organisations in developed markets such as South Korea (54%), Singapore (46%) and Japan (33%).
One finding that was particularly worrying is related to the fact that cyberattacks are beginning to evolve from just targeting the IT infrastructure to attacking operational technology (OT) infrastructure systems (such as lighting, control systems or office HVAC). In Malaysia, for example, 33% of respondents say they have already experienced cyberattacks on their operational infrastructure and 36% expect to face similar attacks over the next 12 months. Unfortunately, respondents were not asked to reveal further details, such as the types of attacks or damages suffered by the companies affected.
OT systems are not typically seen as security risks and provide low barriers of entry, so hackers can easily leverage them to gain access into corporate networks to devastating effect. This ties closely to another divide that Joshua pointed out currently exists between large organisations and SMBs. “Attackers now recognise that large organisations have really upped their game – employing the talent, investing in security technologies and improving their processes. So they [the cyber criminals] are going after the lower hanging fruit, the small and medium businesses that lack the maturity and capacity to be able to defend themselves,” he explained.
However, Joshua believes that it’s important for these smaller businesses to keep up with the modern threat landscape because they could be part of the greater IT ecosystem. He reminded attendees of the media briefing of two high profile OT-related cyber attacks; the hack on Ukraine’s power grid as well as the infamous Target security breach that exposed the financial and personal information of millions of Americans. Knowing that the giant US retailer had the capability to defend itself, attackers instead leveraged the vulnerabilities of a small heating ventilation and cooling organisation that was connected to Target’s infrastructure to gain access.
For companies looking to enhance their security posture, Joshua suggested three key takeaways. “Cybersecurity has to start at the board level, permeate down through the organisation and be about people, process and technology. Cybersecurity also requires what we call a risk-centric approach – not simply going out and implementing technology and processes just because a regulatory standard says you have to. Taking a risk-centric approach means protecting what matters most to you, most.”
The third, he added, sounds mundane, but unfortunately, it’s something that people tend to overlook and get wrong. It’s about doing the simple everyday things, similar to maintaining proper dental hygiene. He said, “Security hygiene is the same way. I would say more than 90% of the attacks, if not greater, start with the fact that the IT department doesn’t patch PCs and software regularly. They don’t manage user accounts. Passwords have to be long enough. Make sure that you can see what’s going on in your network, keep track of it and monitor it. I think if more people “brush their teeth” every day from a security perspective, you will see a lot fewer threats and vulnerabilities out there.
You can get the full report HERE.