Malaysian companies are unprepared for cyber attacks, a survey by Quann reveals
- Almost all (96 percent) of the surveyed Malaysian companies are in the early stages of security preparedness
- More than half (52 percent) of the Malaysian respondents do not have a Security Operations Centre to monitor their networks and security devices for suspicious traffic
- Almost half (48 percent) of them have not conducted any form of IT security awareness exercise
While a majority of the surveyed Malaysian companies believe that cyber security is important and seek guidance from IT security experts, almost all (96 percent) of them are in the early stages of security preparedness, according to a survey jointly conducted by Quann, a leading Managed Security Services Provider in Asia Pacific, and research firm IDC. The survey identified significant gaps in security device deployment, cyber awareness, resources and preparedness for attacks, making these companies vulnerable to cyber attacks.
The inaugural Quann IT Security End User Study 2017, covering 150 senior IT professionals from medium-to-large companies based in Singapore, Hong Kong and Malaysia, aims to understand the cyber security strategies of these organisations as well as their preparedness and vulnerability to cyber attacks.
Mr. Foo Siang-tse, Managing Director, Quann, said: "The findings are worrying but they don't come as a surprise. Many companies are simply not investing enough in IT security, despite the obvious threats. The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg. Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals, is critical in enabling them to detect threats early and mitigate their impact."
Lack of adequate security features to monitor and detect cyber attacks
While basic IT security features such as firewall and antivirus are widely deployed by the Malaysian companies surveyed, almost half (46 percent) of them do not have Security Intelligence and Event Management Systems to correlate and raise alerts for any anomalies.
Also, 52 percent of the Malaysian respondents do not have a Security Operations Center (SOC) or a dedicated team to proactively monitor, analyse and respond to cyber security incidents that are flagged by the systems.
The lack of proper monitoring systems and processes means that anomalies picked up by security devices may go unattended and malware may reside and cause damage within corporate networks for long periods.
"Companies may consider working with an experienced cyber security partner to design, build and manage a 24/7 on-premise Security Operations Center that can quickly detect threats. Another option is to engage a Managed Security Services Provider (MSSP) that can provide a comprehensive suite of services, including 24/7 monitoring, regular vulnerability assessment and penetration testing, and incident response and forensics," Mr. Foo added.
Ill-prepared in the event of cyber attacks
The survey also finds that 38 percent of Malaysian respondents either do not have any incident response plans to protect the companies' networks and critical data in the event of a cyber attack, or only react when a breach occurs. Only one third (33 percent) of them practise their incident response plans.
Cyber criminals usually target non-IT employees, who are seen as the weakest link in cyber security. However, only 31 percent of the Malaysian companies require all members of the organisation, from the CEO down, to take part in IT security awareness training.
Absence of dedicated security manpower
Many Malaysian respondents (71 percent) do not have a dedicated IT security budget and planning process. Most Malaysian respondents have a security lead but he/she is not a dedicated resource and has other responsibilities at the same time. They also do not have round-the-clock security support, with 40 percent having security support only during work hours, and 21 percent only during the work week.
With cyber attacks evolving at an unprecedented speed, there is a need for organisations to invest in security resources, increase the frequency and expand the audience of IT security training to keep pace with the cyber threats.
Cyber security not on the Board's agenda
The survey also reveals a low level of engagement from senior leadership in formulating IT security strategies, which is critical. A majority (86 percent) of Malaysian respondents consult security executives, but only 17 percent of them will invite the executives to board meetings and involve them in risk assessment.
Mr. Simon Piff, Vice President of IDC Asia/Pacific's IT Security Practice, said: "Not all C-Suites in Asia are fully conversant with the fundamentals required to develop a robust cyber-security strategy, with the appropriate cyber security investments. Cyber security investments are akin to military spending: we do it in the hope that we would never have to use the tools. They need to understand that this is not a business ROI with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation."
IDC and Quann assessed the surveyed companies' level of preparedness for cyber attacks and categorised them into four stages, with Basic Defence being the least mature. The stages of the index are based on IDC's understanding of the range of organisational maturity globally, and are ranked against a globally established methodology.
For each stage, the IDC IT Security Index addresses how capabilities across the five lenses (risk and governance, cyber security awareness, technology and architecture, resourcing, and incident response and remediation) should change to foster the security maturity needed to compete in the new era of digital transformation.
Stage 1: Basic Defence
IT security is perceived as an ancillary function and investments are restricted to the bare minimum. Compliance and governance distract from the day-to-day running of the business. There is limited capability to defend from anything but the most basic form of attack. No crisis response planning has been put in place.
Stage 2: Tactical Knowledge
There is a minimal strategy for IT security and key technological solutions put in place. Whilst the IT team considers IT security important, the rest of the business considers it an issue only for the IT department. Senior management is lacking in engagement with, and understanding of, critical systems and data.
Stage 3: Strategic Intent
IT security is understood to be a concern for both the business as well as IT, with a dedicated lead. There is a clear delineation of security roles, and a Governance, Risk and Compliance (GRC) framework in place. While outsourcing is a consideration, it is kept minimal, and most technology and architecture are done in-house.
Stage 4: Advanced Execution
A CISO is designated in the organisation, with clearly defined reporting lines to the CEO. There are internal and external applications of IT security policies, and a well-informed workforce that understands the issues. A clear response strategy is in place and fully documented.