STILL reeling from the telco user data breach last year, Malaysians began 2018 with news of another massive data leak of organ donors last month.
Such cyberattacks are a growing global risk and could cost a total of US$90 trillion globally by 2030, according to the Accenture Security Index released in February 2017.
Most of the 2,000 respondents surveyed recognise the gravity of the issue, with 70% saying it is a board-level concern. But many do not know where to start addressing the risk, with only 34% of respondents saying they have plans in place.
Companies typically struggle with identifying the core assets to protect and who takes responsibility for those assets, says Joshua Kennedy-White, Accenture Security’s managing director for Asia-Pacific, the Middle East, Africa and Turkey.
“A lot of organisations struggle with the fundamental question of what are the crown jewels, what are we protecting?” he tells The Edge. “Until you get that, it’s really hard to say you’re in good shape for protecting those things.”
It is a critical question to answer — and the clock is ticking.
Indications are that cyber criminals are stepping up attacks and using technology such as artificial intelligence to scale up and lower costs, says Kennedy-White.
For companies, that means the attack volume will only increase. Adding to the urgency is the fact that the attack surface available to cyber attackers has expanded drastically in recent years.
In a nutshell, companies now have to worry about a vastly greater number of potential attack points in their networks.
Put simply, every single connected device in the network, from personal smartphones and laptops to IP-enabled television sets and webcams, could be compromised and used by hostile parties to breach the network.
This means it is unrealistic for corporates to try to protect themselves against every possibility, says Kennedy-White, as it is “a game of 10ft fences and 12ft ladders — it is always moving up”.
Instead, companies would do better by identifying their crown jewels and beefing up defences around them to act as a deterrent.
“If your objective is to try and protect every single thing from every single possibility, that’s a complete black hole [financially].
“Total security is totally impossible. The trick is knowing what to protect and then focusing your assets on that,” he says.
In practice, that requires getting inside the minds of potential cyber attackers and preparing accordingly. For example, attackers would likely prefer targets that require less effort and carry less risk for themselves.
“So another way for boards and CEOs to think about it is having enough protection where you’re not an easy target,” he adds. “It’s terrible to say it, but you need to make sure that it’s harder for them to rob you than someone else.”
Everyone’s at risk
Older companies may view cybersecurity as a distant issue that is unlikely to affect them, which leads to inaction or a lack of concern on management’s part, as they do not feel the risk is worth investing against.
This is especially true for businesses that deal mainly with physical economic activities instead of electronic data, such as construction and plantation firms.
But that does not mean they are not at risk, says Kennedy-White. He says the risk of a successful hostile attack is not only about potential data theft, but also denial of services and even intellectual property theft.
He cites the example of a clothing design firm whose designs kept appearing in another country before they had been signed off internally.
Using basic security software, the firm eventually traced the issue to remote connections accessing its network via a third-party contractor.
For as little as several hundred dollars, hostile parties such as activists can source denial-of-service attacks against corporates from the dark web, he says.
“Again, it has to come back to understanding the risk of an organisation. The hacktivist risk is obviously higher for some industries than others,” he adds.
Across industries, the objective of a hostile attacker may differ greatly depending on their motivation. Hence, the role of a chief risk officer will gain increasing importance going forward, says Kennedy-White.
And for many companies, the starting steps to better security could be low cost and simple to implement, he adds.
Drawing on some examples of cyber breaches in Australia, he says things such as requiring stronger passwords, having basic firewall protection and reviewing security processes don’t require massive investment upfront and can be progressively built upon.
Once the basics are there, the next step would be assessing potential economic losses based on the risk profile of an individual company, says Kennedy-White.
From there, companies could gauge the appropriate investment level to mitigate those potential losses. Having mitigations in place also helps in managing insurance premiums against cybersecurity losses, he adds.
Pockets of excellence
For Malaysian corporates, in particular, the current stage of economic development presents both a potential issue and a great opportunity in the cyber environment, notes Kennedy-White.
On the one hand, corporates may not yet place enough emphasis on managing their cybersecurity risks as awareness takes time to grow.
“At the same time, because Malaysia is a rapidly growing economy, they can adopt the best practices now, rather than be stuck with the legacy environment that might be holding them back in some ways,” he says.
There are pockets of excellence, however.
According to Kennedy-White, Accenture recently delivered a world-leading security solution to a Malaysian client that it declined to name, and similar applications will be rolled out globally moving forward.
“We’ve come up with a truly unique measurement which we’re calling the seven-domain assessment model,” he says. “We invented that entire methodology around the specific thing the client was looking at.”
He adds that the model evaluates security not just from the electronic devices and network access perspective but also more mundane risk points.
“Adversaries are smart and they’ll target the area where your responsibility ends and mine starts — are you responsible for locking the door or am I? Are you responsible for the safety of the computer or am I?” he says.
One example is a hostile individual who attempts to bypass physical security at secured premises by posing as an employee and tailgating other staff walking in. The attacker could then access the network from an internal device, bypassing firewall protection.
Addressing that sort of scenario requires assessing the overall infrastructure of a company, not just electronically but its physical spaces, security clearance and even how papers are stored in the office, says Kennedy-White.
“So it’s really about thinking like the adversary,” he adds. “This is the big difference between doing the bare minimum as part of regulation compliance and actually doing risk assessment.