2018 Press Releases

July 10, 2018

Businesses Collect More Data Than They Can Handle, Reveals Gemalto

Editors Note:
CSA found the survey from Gemalto to be rather in-depth and encompassing a number of critical criteria such as “two in three companies (65%) are unable to analyse all the data they collect and only half (54%) of companies know where all of their sensitive data is stored.” In today's world of growing connectivity, how we manage our data could mean the success or failure of the business. Speeds at which businesses are run require seamless access to critical data at all times and knowing the location and accessing that data.

A number of other criteria such as companies knowledge on the General Data Protection Regulation laws that are now already in effect, was also interesting to see. Seems many organisations from countries in their research shows there is much to be desired. However, there wasn’t much research shown into ASEAN countries. CSA was curious to see if there are any relevant numbers that would reveal how this region is coping with the changes in data management and GDPR compliance.

We reached out to Gemalto and spoke to Alex Tay, ASEAN Head for Enterprise & Cybersecurity, at Gemalto for his comments.
CSA: It doesn't look like the report covered any South East Asean countries - but if it did can you provide any stats that relate to South East Asia?

Gemalto: Unfortunately the report only surveyed Australia, Japan, and India in Asia Pacific. These countries were selected for their size and specific economic profile that we think can represent the region at large. 
CSA: If you do not have any South East Asia Stats, can you provide any expert viewpoint on whether you feel the findings would be similar locally or would they expect any regional variance?
Gemalto: With a combined population of 630 million and GDP of more than $2.7 trillion, the ASEAN region is the world’s seventh largest market and expected to enter the world’s top five digital economies by 2025. By then, the region’s digital economy could add $1 trillion to its GDP.   

As a result of the rapid digital developments, based on a 2017 research done by the consulting firm A.T. Kearney, the region had emerged as a launchpad for cyberattacks, either as “vulnerable hotbeds of unsecured infrastructure where numerous connected PCs and devices could be infected for large-scale attacks, or as hubs for a single point of attack to gain access into its global connections”.

Cybersecurity investment in the region is polarizing. Singapore invests 0.22% of its GDP into cybersecurity every year, the third largest spender in the world, after Israel and United Kingdom. The rest of the region is on the lower end of the spectrum, spending less than the global average of 0.13% on cybersecurity.

The region also faces the challenge of a shortage of skilled and qualified cybersecurity professionals who can implement the cybersecurity agenda. Across the region, cybersecurity jobs grew at three times the speed compared to other IT jobs. While Singapore announced a new cyber defense vocation aimed at grooming 2,600 cybersecurity professionals, other ASEAN countries still lack a structured and long-term approach to developing their people.  

The heartening news is that the region is actively taking the bull by the horns, dealing with cybersecurity matters in their own ways.  

First of all, regulation on cybersecurity and protection of personal data is consistent across the ASEAN countries, including Singapore (Cybersecurity Bill; Personal Data Protection Act), Malaysia (new cybersecurity law being drafted; Personal Data Protection regulation), Thailand (National Cybersecurity Bill; Personal Data Protection Act), Indonesia (data protection regulation), and the Philippines (Cybercrime Prevention Act; Data Privacy Act), and Vietnam (new cybersecurity law being drafted).  

Most ASEAN countries have also set up government agencies that oversee cybersecurity, such as the Cyber Security Agency of Singapore, Cybersecurity Malaysia, Thailand’s newly proposed National Cybersecurity Committee, and Philippines’ Department of Information and Communications Technology (DICT). Although other countries do not have dedicated agencies, they do have national computer emergency response teams and computer security incident response teams (CSIRTs) that shoulder some of the responsibilities of a cybersecurity agency.

Many ASEAN countries have also developed a national-level cybersecurity strategy. For instance, Singapore (National Cybersecurity Strategy) and Malaysia (National Cybersecurity Policy) have devised a mature, advanced national strategy for dealing with cyberattacks; the Philippines (National Cybersecurity Plan 2022) and Thailand (national cybersecurity strategy drafted) also put in place an established masterplan for cybersecurity.

By the end of the day, it’s important to recognize that nations need to take a long view in order to get cybersecurity and data protection right – even some developed countries are still figuring this out, based on our survey.

While most of these efforts are done on a national level, in April this year, the ASEAN governments vowed to forge a stronger alliance to counteract cyberattacks. We believe that is step one towards more pan-ASEAN, across-region collaborations.

CSA: In terms of the amount of data collected - are devices (in addition to people) creating that data and does this pose similar risks?

Gemalto: Certainly. As more devices – be it devices given to the employees or personal employees - are connected to the corporate network – be it PCs, smartphones, and tablets, more data is created, collected, and stored, in one way or another. A single point of entry by a hacker could give them access to tonnes of data, as seen in many data breaches in 2017. 

Endpoints, as we call them, can become a point of entry for cybercriminals to gain access into the corporate network and data. IoT devices can also be hijacked for distributed denial of service (DDoS) attacks, or spreading ransomware, as seen in the Wannacry and Petya attacks.

At Gemalto, we advocate encryption of all important business data. Encryption renders the data unreadable to attackers. In the case of a data breach, encryption ensures that data remains intact and attackers cannot make use of it.

Based on our 2017 Breach Level Index, only 4% of all data breaches are encrypted – we call these secure breaches, meaning despite the breach, the data is not compromised.

In addition, two-factor authentication (2FA) should also be deployed whenever data needs to be accessed. 2FA adds a layer of security between sensitive data and the users, who may not always be security-savvy.
CSA: Have you seen GDPR have any impact on companies locally in South East Asia?

Gemalto: GDPR definitely has a huge impact on companies, especially those dealing with international customers, such as airline operators. In general, we see more organizations allocate dedicated budget for regulatory compliance and look to appoint a data protection officer, especially in mature countries. 

GDPR is a comprehensive manual of data protection laws. That is why similarities can always be found in these different regulations. For example, Singapore’s PDPA stipulates that relevant government agencies need to be notified of a data breach within a certain period, similar to GDPR’s 72-hour notification window. In the Philippines, appointing a data protection officer is now mandatory; the same thing is required under GPDR. 

This means companies that operate across regions now need to keep themselves abreast of both international and local regulations, in order to manage their data effectively and securely.
Please find the original article below. 

With pressure to ensure consumer data is protected mounting, Gemalto, the world leader in digital security, today released the results of a global study which reveals that two in three companies (65%) are unable to analyze all the data they collect and only half (54%) of companies know where all of their sensitive data is stored. Compounding this uncertainty, more than two thirds of organizations (68%) admit they don’t carry out all the procedures in line with data protection laws such as GDPR.
These are just some of the findings of the fifth-annual Data Security Confidence Index, which surveyed 1,050 IT decision makers and 10,500 consumers worldwide. The research found that business’ ability to analyze the data they collect varies worldwide with India (55%) and Australia (47%) best at using the data they collect. In fact, despite nine in 10 (89%) global organizations agreeing that analyzing data effectively gives them a competitive edge, only one in five Benelux (20%) and British (19%) companies are able to do so.
“If businesses can’t analyze all of the data they collect, they can’t understand the value of it – and that means they won’t know how to apply the appropriate security controls to that data,” says Jason Hart, vice president and CTO for Data Protection at Gemalto. “Whether it’s selling it on the dark web, manipulating it for financial gain or to damage reputations, unsecured data is a goldmine for hackers. You only need to look at the recent hacks on the World Anti-Doping Agency and International Luge Federation to see the damage that can be done. What’s more, data manipulation can take years to discover, and with data informing everything from business strategy to sales and product development, its value and integrity cannot be underestimated.”
Confidence in securing the breach is low
When it comes to how data is being secured, the study found that almost half (48%) of IT professionals say perimeter security is effective at keeping unauthorized users out of their networks. This is despite the majority of IT professionals (68%) believing unauthorized users can access their corporate networks, with Australian companies being the most likely (84%) and the UK the least (46%). However, once the hackers are inside, less than half of companies (43%) are extremely confident that their data would be secure. UK businesses are the most concerned with just 24% prepared to say they’re extremely confident, with Australia the highest (65%).
Even though there is still faith in how they’re securing their networks, one third (27%) of companies reported that their perimeter security had been breached in the past 12 months. Of those that had suffered a breach at some point, only 10% of that compromised data was protected by encryption, leaving the rest exposed.
Consumers say compliance is critical
According to the study, a growing awareness of data breaches and communications around GDPR have led to the majority (90%) of consumers believing that it is important for organizations to comply with data regulations. In fact, over half (54%) are now aware what encryption is, showing an understanding of how their data should be protected.
Hart continues, “It’s time organizations got their houses in order; starting with who oversees their data security. A central figure such as a Data Protection Officer – essential in some circumstances under GDPR – must be appointed to the board to lead data security from the top down. Next is having more insight and analysis on the data collected to ensure that it is both correctly protected and enabling more informed business decision making. Finally, a mindset change. Organizations must realize that it’s no longer a case of if, but when a breach occurs, and protect their most valuable asset – data – through encryption, two-factor authentication and key management, rather than solely focusing on perimeter protection.