Thursday 25 Apr 2024

This article first appeared in The Edge Financial Daily, on December 7, 2015.


KUALA LUMPUR: In the eyes of Sanjay Bavisi, the man who trained the Pentagon’s cyber defence team, Malaysian companies are vulnerable to hacking. He puts the cost of recovering from a single cyber attack at a minimum of US$50,000 (RM209,500) for even the smallest company, while larger ones can face bills running into millions of dollars.

Sanjay, president and co-founder of the International Council of Electronic Commerce Consultants (EC Council), said the reason behind Malaysian companies’ vulnerability is the lack of “information security leadership”.

“We have been in Malaysia for the past few months [meeting] more than 50 companies that are listed on the stock exchange. There are people designated with [handling] security, but even they are unclear [about whether they are in charge of] security.

“They are quite confused. Normally, the chief information technology officer or chief technology officer would assume the role. But it’s not a specific job role. The term ‘chief information security officer’ isn’t a common term here. Now, if you don’t have a general, how are you going to fight a war?” questioned Sanjay, who regards the World Wide Web as the Wild, Wild West where cyber security experts are the sheriffs in town.

The EC Council is primarily a professional certification body and its best known certification is the Certified Ethical Hacker certificate. It has been contracted by the Pentagon since 2010 to train their information defence experts.

Globally, the EC Council has observed that cyber attacks have increased by 35% to 45% over the last five years and are still rising every year. In response, many companies, especially multinationals, have increased their annual information security budgets by 15% to 28%.

“[But] we have a very ‘bandage’ solution to [information] security. When something is broken, you fix it, but there’s no holistic solution. That’s where the chief information security officer comes in — someone to look at security from a holistic point of view instead of a bandage approach.

“Even though you may have a security department — and I accept that Malaysia has many talented security officers — the problem is the leadership gets blurred. So, they report to the chief technology officer who reports to the chief executive officer but the result is the same: security gets lost in translation,” said Sanjay.

He cited a recent case of a Singaporean client whose data was held to ransom by a Russian hacker group. The incident cost the client around US$500,000 in losses, even though the EC Council succeeded in recovering the data.

“People don’t realise that when you’re hacked and your data is held at ransom, you will lose around one month’s worth of productivity. When you contact us to rescue you, it will take around 21 days of engagement.

“You have to pay us, you also need to stop work. You have just lost customer confidence, you are unable to grow your business further, and your brand is completely affected; you just gave your competitors the opportunity to ride on your misery.

“It’s sad that these are the same guys who say they don’t have the budget for information security — until they are hacked. Then out comes the cheque book and it’s going to cost you more,” said Sanjay.

According to statistics from Cyber Security Malaysia’s (CSM) emergency response arm, the Malaysian Computer Emergency Response Team (MyCert), reported cyber attacks on Malaysian websites have risen every year since 2012. MyCert logged 9,986 cases in 2012, 10,636 in 2013 and 11,918 in 2014. Up to August this year, it had recorded 7,399 cases.

Among the categories of incidents tracked by MyCert are content-related incidents, cyber harassment, denial of service or distributed denial of service, fraud, intrusion, intrusion attempts, malicious code, and spam.

Sanjay also believes the Malaysian government should house its cyber enforcement team under one roof, instead of the three agencies running it currently.

“The police report to the Home Ministry, with a dotted line to the Malaysian Communications and Multimedia Commission, which champions cyber security. CSM, meanwhile, is under the Science, Technology and Innovation Ministry. What the public needs is just a single agency that will be the go-to point for all cyber issues,” said Sanjay.

Michael Smith, director of the Customer Security Incident Response Team at US-based Akamai Technologies Inc, pointed to a trend he sees as peculiar to Asean nations: the continued use of old smartphones.

“Unlike in New York, where people change phones every six months, people in Asean tend to keep their phones for longer periods of time. The problem with this is the longer the device’s lifespan, the more vulnerable it is to being hacked due to wear and tear or entropy.

“Another problem with old phones is, after a while, it runs out of support. Security protocols always progress. The cryptography becomes stronger with every new generation of smartphones. And in Asean, a lot of users use their devices for mobile transactions,” said Smith.

Smith said this presents a dilemma for financial services companies in the region, which must balance protecting themselves against hacking with retaining and growing their customer base. Do they turn away customers on older, unsupported devices and lose revenue in the name of security, or keep serving them and leave themselves exposed?
