Are We Battle-Ready?

by Lili Li
Photo by Vernon Wong
03 Sep 2018

Fighting cyber crime requires concerted efforts within and beyond organizations

Cybersecurity in the ASEAN region has undergone four seismic changes over the past five years, according to Mr. Nilesh Jain, Vice President of SEA and India at leading cyber security and defense company Trend Micro. “Firstly, the number of people connected to the Internet has grown significantly worldwide.” By end 2017, 4.1 billion people has access to the Internet, out of the 7.2 billion global population. ASEAN, with its rapidly growing economy, is expected to have 480 million Internet users – 75 per cent of its population – by 2020. “While the Internet becomes increasingly democratized,” Mr. Jain continues, “it also introduces an ever-enlarging attack surface for cybercrime activities.”

A 2017 report by global management consulting firm A.T. Kearney reveals ASEAN countries have been used as launch pads for cyberattacks, with Malaysia, Indonesia and Vietnam among the global hotspots for the launch of malware attacks. “There had been a strong correlation between a rise in cyberattacks and the increase in Internet users,” Mr. Jain points out.

Secondly, cyberattacks are becoming highly sophisticated. Cybercriminals no longer engage heavily in ‘spray-and-pray’ – indiscriminate attacks that did not require high technical sophistication. A Trend Micro cybersecurity roundup report has shown a marked growth in targeted and strategic attacks that focused on financial gains. “This can be observed in the increasing variety of ransomware families, highly personalized phishing attacks, and leveraging new technologies, including IoT devices or connected industrial human-machine interface, for attacks.”

Thirdly, attacks are becoming multifaceted. “With more businesses moving operations to the cloud, and more connected devices used in the enterprise environment, cybercriminals are now able to launch attacks via multiple channels, such as endpoints – PCs, smartphones, and tablets using the corporate network, servers, and the network.

Lastly, changes in cyber sphere have called for changes in cybersecurity strategy in the region. “In the past, an organization might have a variety of security products in place that protected different parts of business – endpoint, servers, and the network – and these technologies did not talk to each other, creating an inevitable blind spot.”

Today, companies understand the need for a 360-degree visibility by making different technologies talk to each other and share information. Mr. Jain calls the strategy connected threat defense.


ASEAN Preparedness?

According to the same A. T. Kearney report, digital economy will add one trillion dollars to the ASEAN region’s GDP in the next 10 years, but the same digitalization will also expose the region to cyberattacks that will potentially cost US$750 million dollars.

How is ASEAN preparing? In 2017, Singapore spent 0.22 per cent of its GDP on cybersecurity, the third biggest spender in the world after Israel and the UK, Mr. Jain notes. Meanwhile, ASEAN as a whole invested 0.06 per cent of its GDP on average into cybersecurity, significantly lower than the global average of 0.13 per cent, “a sign that the region is underinvesting in cybersecurity”.

He cites Singapore and Malaysia as the ASEAN leaders in devising and implementing a national strategy for cybersecurity, adding that Thailand and the Philippines have also laid out their own cybersecurity agenda. Meanwhile the rest of the ASEAN countries have either just started working on a masterplan or have none at all.

“What is heartening is that a few countries have set up national agencies that oversee cybersecurity efforts, including Singapore, Malaysia, Philippines, Indonesia, and Thailand,” Mr. Jain notes.

While Singapore, Malaysia, Thailand, and Vietnam have put in place cybersecurity bills as of 2017, limited progress has been made in the rest of ASEAN, according to Mr. Jain. Cybercrime laws have been passed in Singapore, Malaysia, Thailand, the Philippines, and Brunei. Data protection or privacy laws have been enacted in Singapore, Malaysia, Indonesia, Thailand, and the Philippines.


Integrating the Systems

With an ever-changing threat landscape and the industrialization of hacking, organizations face more persistent, complex, and innovative cyberattacks.

“Research shows that more than 25 per cent of companies surveyed use more than 10 cybersecurity vendors at once, and more than 36 per cent deploy more than 10 cybersecurity solutions,” Mr. Jain shares. “More often than not, security products from different vendors do not work well together; counterintuitively, this can lengthen the time needed to identify and contain a breach.”

Ponemon Institute data reveals that it takes 184 days on average for ASEAN countries to identify a data breach, and another 65 days to contain it. Cyber dwell time – the number of days a threat remains undetected – is reported to be 65 per cent higher in APAC than in the Americas. Such delay can result in significant impact on the financial damages of a breach, Mr. Jain says.

“It is always a best practice to deploy products that are simple, open, automated, and integrable with the other products. This is usually done by adopting technologies from the same vendor. Having integrated security solution allows an efficient way to protect, detect, and respond to all threats that are targeting the business networks at the same time. It can also improve visibility and control across the organization.”


A Sea Change

“Cybersecurity can really go two ways, resulting in two very different worlds,” Mr. Jain affirms.

“In the more optimistic version, when done right, cybersecurity will become the backbone of the Internet and all digital services in the future. This requires that governments enact policies and laws and work with law enforcement agencies to improve cyber capabilities to investigate and apprehend cybercriminals. These must be done simultaneously as there is little use in having comprehensive laws in place but not sufficient capability to enforce them.”

From a company’s perspective, he continues, it’s increasingly important to invest in the appropriate cybersecurity technology and hire dedicated cybersecurity professionals. “(Companies) should have a clear communications plan that allows clients and users know how they are taking steps to strengthen protection of the systems and user information.”

Only when all these are in order can consumers develop faith and confidence in digital services, leading to more use of such services. This can form a ‘virtuous cycle’ for the society at large.

“On the flip side,” Mr. Jain cautions, “if cybersecurity technologies, policies, and laws are insufficient to rein in the cybercriminal activities, it can erode consumers’ confidence and make them hesitant to switch to digital services, stunting digital transformation on large scale.”