Risk Management: The case for cybersecurity

This article first appeared in Enterprise, The Edge Malaysia Weekly, on August 14, 2017 - August 20, 2017.
-A +A

There are hardly any companies today that do not rely on the internet to do business, but network security still does not get the level of attention it deserves.

Despite the importance of cybersecurity, local companies — particularly small and medium enterprises (SMEs) — remain ill-equipped to withstand cyberattacks, with many believing that their business is too small to be a target.

To a certain extent, the lack of regard is understandable as Malaysia experiences less than 1% of the total attacks globally and ranks No 24 on the list of the most targeted nations, according to Germany-based security solutions firm NTT Security.

In Asia-Pacific, Malaysia is the seventh most targeted country, behind Japan and Hong Kong, with China topping the list. From this perspective, Malaysia experiences about 3% of all attacks in the region, significantly trailing China at 46%, says Neville Burdan, general manager of Dimension Data Asia-Pacific Pte Ltd’s security business unit. Dimension Data is an NTT partner company.

Burdan is quick to point out that even though the threat here may not be as high as in other countries, there is a need to be cautious. Malaysia is still being attacked.

As the world enters the Fourth Industrial Revolution (Industry 4.0), the data residing in businesses and professional services is a lucrative target for cybercriminals, he says. “Companies are under constant pressure to maintain continuous business availability through operational technology as well. Otherwise, they will experience a loss of productivity, efficiency and reputation.”

Ted Egan, Asia-Pacific vice-president at ThreatMetrix, a security technology company headquartered in California, agrees. He says businesses today are operating in a digital world, where borders are nonexistent.

“The use of cloud services is key to nations, businesses and financial institutions remaining competitive, especially as there are no borders in the digital world. Unfortunately, businesses and countries that do not adapt will be left behind,” says Egan.

“Everyone we interact with, from suppliers to governments to financial providers, is increasingly connected. So, there is more demand for ‘always on’, immediate response outcomes.”

Cybercriminals are increasingly sophisticated, well connected and, in the underworld or dark web, often better equipped than any sector, he says. “In general, the attacks are due to lax security practices and inadequate investment in security tools. The data is accessible as the attackers know where to go. The data is not encrypted and therefore easily accessible to unauthorised third parties.”

So, the question is not if a company will face a cyberattack, but rather when it will face one and how badly it will disrupt the business. Small businesses are often more vulnerable than larger organisations as a security breach could mean the permanent loss of crucial company data.

For example, NTT Security’s 2017 Global Threat Intelligence Report found that nearly 30% of attacks detected worldwide targeted end-user day-to-day technologies. “The three technologies found on end-user computers that were targeted the most throughout the year were Adobe Flash Player, Microsoft Internet Explorer and Microsoft Silverlight,” says the report.

According to Symantec Corp’s 2017 Internet Security Threat Report, email malware hit businesses of all sizes last year. However, small and medium businesses (with 251 to 500 employees) were the most impacted.

Phishing scams were another form of attack that hit SMEs especially hard. These scams involve attackers creating messages and websites mimicking their legitimate counterparts to trick people into taking some action.

Symantec found that in the first half of last year, more than 400 businesses were targeted by Business Email Compromise (BEC) scams, which rely on spear-phishing emails. The US Federal Bureau of Investigation estimates that more than US$3 billion may have been lost due to BEC scams in the past three years, with more than 22,000 victims worldwide.

The recent WannaCry ransomware attack was another major security breach that will not be forgotten anytime soon. According to a report by Malwarebytes, small companies lost more than US$100,000 on average for every ransomware incident due to downtime.

In its Second Annual State of Ransomware Report — which surveyed 1,054 companies with fewer than 1,000 employees across North America, the UK, France, Germany, Singapore and Australia — the security firm found that 22% of businesses impacted by ransomware had to cease operations immediately while 15% lost revenue.

“Businesses of all sizes are increasingly at risk from ransomware attacks. However, the stakes for a small business are far higher than for a large enterprise,” Malwarebytes CEO Marcin Kleczynski was quoted saying.

For about one in six impacted organisations, a ransomware infection caused 25 or more hours of downtime, with some companies reporting that their systems were down for more than 100 hours. Of the respondents polled, a third said they were using anti-ransomware technologies and a third of the businesses still experienced a ransomware attack — an indication that the companies’ investment in technology might be insufficient.

This shows that cyberattacks are an imminent threat. With SMEs making up 97% of the business establishments in Malaysia — contributing 37% to the gross domestic product (GDP), 65% to employment and 18% to exports — cybersecurity is no longer an option.

Hackers prey on small businesses knowing that their security measures are less stringent. Egan says the problem arises because many of these companies are still using outdated modes of storing data in-house. “Old methods of storing data in-house disconnected from the world will fail.”

Burdan says some companies are already taking stock of the threat and dealing with increased spending to renew their current security portfolio and enhance it with the latest threat intelligence, end point and applications security technologies. “This is being supplemented with cloud-based managed security services (MSS) to give greater detection and awareness of their security posture.”

To ensure that businesses are adequately protected, local companies could move on to the latest equipment and upgrade their security operations centre and/or enhance it with MSS, he says. “With Industry 4.0 and Internet of Things (IoT), they also need the concept of security built in from the start and not a bolt-on to existing technologies. They also need to test it vigorously to ensure that the platform is secure.

“We are seeing a lot of SMEs moving to MSS. As they do not have deep pockets, leveraging managed services from reputable security providers allows them to access a service that they would not be able to afford in normal circumstances.”

Burdan has some basic recommendations to bolster cyberdefences. “Back up your information frequently. Promote user education and awareness to ensure all users understand the risks eventuating from ransomware. It is important to validate end users’ knowledge in the form of employee engagement through anti-phishing services, which will identify users who are most prone to clicking on malicious links or opening nefarious attachments.

“Endpoint protection should also consider leveraging next-generation audio-visual technology, as well as email filtering, to weed out known malicious messages. As a best practice, we recommend never paying the ransom under any circumstances as there is no guarantee you will get your data back.”

Egan says cloud adoption not only improves efficiency but also tends to be more secure with cloud providers establishing a strong security record over the years. “Cloud security practices and methodologies for securing data today tend to be more regulated, secure and robust than rudimentary security tools and methodologies used by typical businesses that keep data on their premises or at local data centres.”

He points out that the data at local centres are vulnerable, which makes them a target for cybercriminals. He stresses that training business leaders and engaging data scientists are also key to ensuring that unauthorised third parties have no access to data without approval.

“It is important to remember that in a digital world, every business needs to invest in training, especially those who are charged with applying the best practices in security, investing in tools and support to ensure that the data is protected in the most robust way,” says Egan.

There are fundamental challenges for governments, businesses and other decision makers in adopting the Industry 4.0 model. Egan says comprehensive guidelines must be put in place to enable businesses, financial institutions and consumers to embrace the Fourth Industrial Revolution.

“Governments and business regulators need to remain flexible and maintain a watchful eye on where the digital economy is going. They must adopt a secure cloud approach,” he says.

Burdan asserts that public-private sector collaboration is crucial to shift the balance of power back to the companies when it comes to cybersecurity. “Threats will always be asymmetric, and only by working with peers, partners and across the industry can we attempt to rebalance this equation. Intelligence-sharing is critical and should be a higher priority.

“The ability to leverage intelligence and share that within your organisation, to your external supply chain and various authorities in an automated fashion allows the security community as a whole to respond more rapidly to imminent threats. A one-to-many sharing model allows participants to benefit from this intelligence exchange, which in turns maximises the effectiveness by enhancing detection and response capabilities within existing security controls.”

Despite cybersecurity issues, the benefits of Industry 4.0 outweigh the concerns. “Industry 4.0 dramatically improves the efficiency of day-to-day business in the banking, finance and business logistics sectors. It automates processes, produces goods and services faster and more accurately and increases service reliability,” says Burdan.

He points out that it is easier to control supply chains when there is data available at every stage of the business process. “This produces more reliable and consistent productivity and output. And the results for many businesses could increase revenue, profit and market share.”

As SMEs become ever more reliant on web-based tools, cybersecurity should be seen as a business enabler instead of a problem, says Burdan.