A recent survey report which was conducted between 480 cybersecurity decision-makers across the Asia Pacific region by McAfee found that Malaysian respondents were much more likely than companies in any other APAC region to identify safety regulations as affecting their organisations. Malaysia also led all countries in identifying privacy regulations as impacting organisations (85% of respondents). This comes in stark contrast with Singapore, which is the country with the highest estimated costs stemming from cybersecurity incidents in the APAC region over the last twelve months.
Following McAfee’s Cyber Risk and Resilience report for the APAC region, CSA reached out to Jonathan Tan, Managing Director Asia at McAfee to get his views on the report. Jonathan shared how threat actors have evolved and the new challenges they bring to organisations in the region today. Malicious players, he said, are looking to acquire data are constantly on the move, trying to exploit weaknesses in cybersecurity.
According to Jonathan, some of the key cybercrime threats today are more often using the world’s evolving technology against us. Two of the threats that McAfee is tracking at the start of 2020 are deepfakes and ransomware attacks that morph into two-stage extortion campaigns.
He explained that the advances in AI allow threat actors to build very convincing deepfakes without being an expert in technology. They utilise freely available videos or public comments, used to train a machine-learning model that can develop of deepfake video depicting one person’s words coming out of another’s mouth.
Jonathan explained how attackers can now use deepfake to influence the public - have a CEO make what appears to be a compelling statement that a company missed earnings or that there’s a fatal flaw in a product that’s going to require a massive recall. Whereupon being distributed can manipulate a stock price or enable other financial crimes. In this way, AI and machine learning can be combined to create massive chaos.
“We see ransomware groups use pre-infected machines from other malware campaigns or used remote desktop protocol (RDP) as an initial launch point for their campaign. This drives efficient, targeted attacks which increase profitability and cause more economic damage.”
At the same time, McAfee expects to see the targeted penetration of corporate networks continue to grow and ultimately give way to two-stage extortion attacks. In the first stage, cybercriminals will deliver a crippling ransomware attack, extorting victims to get their files back. In the second stage, criminals will target the recovering ransomware victims again with an extortion attack, but this time they will threaten to disclose the sensitive data stolen before the ransomware attack.
Having a solid cybersecurity plan
However, Jonathan pointed out that these are just two. The cybersecurity community will have an interesting task addressing these and other threats that continue to emerge. Using just the McAfee Cyber Resilience Report as a benchmark, Jonathan said McAfee found some of the following trends in Malaysia, Singapore and Indonesia.
Malaysian companies appear to feel most optimistic about their companies’ approaches to cybersecurity. 60% of companies there, among the highest across APAC, said their organisation had a strategic cybersecurity culture. Malaysian respondents were some of the most confident of their cyber maturity, and also the most likely to say they could measure the cost of their data breaches.
For Singaporean companies, they appear to be the most likely to show concern about cybersecurity. Singaporean respondents were among the most likely to see data breaches as a problem, and the most likely to say that breaches have a high financial impact on their business. Singaporeans also expect that data breaches will become more common moving forward.
Meanwhile, Indonesian companies appear to be affected by regional legal requirements that drive additional cybersecurity investment. 98% of businesses in Indonesia are investing more due to their regulatory burden.
Jonathan also highlighted companies forget that employee have been some of the weakest links in a company’s security chain, causing breaches despite comprehensive cybersecurity defences. McAfee’s report on data exfiltration, Grand Theft Data II, found that employee-driven breaches accounted for almost 60% of data loss, more than half of which was accidental.
“When you take into account the threat landscape, and how compromises can often begin with nothing more complicated than a single click, the situation looks dire. Yet, from McAfee’s Cyber Resilience Report, we see that organisations are continuing to try to address the range of threats with money: three of the top five areas for investment over the next two years are technology, with culture, education and awareness ranking as the lowest priority.”
The survey results show a skew towards protection technology over organisational imperatives of policymaking, such as permeating culture of cybersecurity or post-incident review analysis.
Adding to that, the budget was cited by respondents to the report as the biggest challenge to transformation, with 69% of respondents naming it as a barrier. However, Jonathan said if executive leaders and companies continue to try to spend their way to cyber resilience and lean more on purchasing technology to achieve their goals, they may be adding unnecessary barriers to improving their organisational stance.