APAC’s cybersecurity standards catching up to rest of world?

The 22nd Annual EY Global Information Security Survey explores the most important CYBERSECURITY ISSUES that organisations are facing today. The results of the survey revealed a few trends, which implied a few things.

Enterprise IT News, asked some questions which Richard Watson, Risk Advisory Leader for Ernst & Young in APAC, as well as Jason Yuen, Malaysia’s Cybersecurity Leader, responded to.

EITN: From title of pitch you sent, it implies that cybersecurity standards in APAC were behind compared to rest of the world. Why do you think this is this so?

Jason: One important point to note is that APAC is a very diverse region with developed and developing countries as well as organisations with various levels of maturity as far as cybersecurity standards, technology adoption and capabilities.

We see the key constraints in the region would best be summarised around the factors of awareness, budgets and skillsets.

Much of earlier regulations around cybersecurity and data protection started outside of the region.  Also, much of the news of major cyber incidents is traditionally dominated by cases outside of APAC.  As a result, the general awareness as well as perhaps some level of complacency would have set in.

Perhaps as a consequence of the issues around awareness, budgets and resources devoted to managing cybersecurity have been lagging.

 Richard: We typically see a mature cybersecurity capability where we see a strong financial services sector, a strong government intervention in building cyber skills and a strong regulatory approach to cyber.

Countries around APAC in recent times have strengthened their regulatory approach to cyber, including mandatory breach reporting and specific regulation for financial services entities and critical national infrastructure entities.  In EY’s recent Global Information Security Survey (GISS), 52% of respondents felt that organisations in APAC are under the right level of cyber regulations now.

 Jason: Finally, the talent gap and is and continues to be a real issue in the region.  Having the right and sufficient skills to manage cybersecurity as well as having access to external resources including consultants, vendors and solution providers.  We also continue to see a regular flow of people with skills and capabilities move from less developed to more developed economies.

EITN: In your opinion where does majority of cyber-attacks originate from?

Jason: Working with different clients across the region, we have seen attacks originate from different threat actors and across multiple sources and pin-pointing specific sources continues to be a challenge in the digital world.

We’ve worked with clients where we have seen insider attacks masquerade as overseas or external attacks.

Having said that, there is a clear trend towards the globalization of cyber attacks with attackers and groups of attackers targeting organisations in other countries.

We believe that much of this is due to the complexity as well as challenges in cross border regulation and enforcement, and clearly the criminals know this as well.

Richard: Historically the single biggest source of attacks came from organized crime entities, and this is still the case globally, however in APAC, we have seen a significant rise in the number of cyber attacks motivated by social activism.  That is to say the sort of attacks that deface a company’s website, or take down their systems via DDOS or ransomware, all in the name of a cause like climate change, freedom of speech or religious preference.

It is perhaps not a surprise that this is the case in Asia, where we have such a broad range of political approaches, varying religious growth and a vast inequality of wealth between some nations and others.

EITN: What countries, would you say, are highest hit by cyberattacks? Or do you classify frequency and intensity of attacks according to industries?

Jason: Surveys and data have shown that no country and no industry is spared from cyber attacks.  We continue to recommend that organisations stay vigilant and adopt the recommendations put forward in our latest survey which include the need for driving the culture of Security by Design.

Richard: We are seeing the type of attack change however – traditionally we have been worried about data breaches, such as loss of customer data, which has put organisations in the financial services and retail industries at the forefront of the world’s largest attacks, however increasingly we are seeing attacks targeting the operations of systems – often through ransomware.

This means organisations in the critical national infrastructure (utilities, government services, transport, manufacturing) are now equally the target of attacks.  59% of respondents to EY’s GISS said they had seen an increase in the number of destructive attacks over the last 12 months.

EITN: Why is it so difficult for companies in Asia Pacific to obtain cybersecurity budgets?

Jason: We believe that multiple factors contribute to this challenge.  Part of this can be explained by the gap in awareness as well as belief that cybersecurity incidents won’t affect our organization, or that it will only affect someone else or that we are just not big enough for the bad guys to notice.

another factor would be the mismatch or gap in communication that exists between the cybersecurity function and the business.  As we point out in the survey, ensuring that both parties speak a common language is key.

Richard: CISOs in our report said that the hardest part of their job was communicating with the board.  This is because what the board understands most is the financial value of risk, yet only 25% of organisations are able to quantify in financial terms the effectiveness of their cyber spend.

Also, there may be a learning gap at board level.  In EY’s GISS we found that 72% of Boards see cyber risk as ‘significant’, but only 48% of CISOs say that their board and management team have the understanding they need to fully evaluate cyber risk and the measures they are taking to defend the organisation.  In other words, “the board doesn’t yet get it”.

EITN: What can Asia Pacific do, to maintain this standard, or at least surpass the global average, especially since the perception is that it is an Asian country that has the highest number of nation-backed hacker groups, and it is also an Asian country that has one of the most sophisticated and complete broadband infrastructure in the world?

Jason: As you will see in our survey results, we believe that there is a clear opportunity for organisations to position cybersecurity at the heart of business transformation and innovation.  Organisations should focus on five key areas which are to:

  • Establish cybersecurity as a key value enabler in digital transformation
  • Build relationships of trust with every function of the organization
  • Implement governance structures that are fit for purpose
  • Focus on board engagement
  • Evaluate the effectiveness of the cybersecurity function to equip the CISO with new competencies

EITN: Please describe security by design. How does it address risk and data privacy?

Jason: Security by Design is a new approach that builds cybersecurity into any initiative from the onset, rather than as an afterthought, enabling innovation with confidence. It is a strategic and pragmatic approach that works across all parts of the organization. Security by Design remains in the initiative’s lifecycle to help with the ongoing management and mitigation of security risks.

In essence, Security by Design is ensuring we build cybersecurity upfront and continue to manage it throughout the lifecycle.

Richard: This concept, while beginning to get more widely known, is still not that widely practised.  Only 36% of respondents to our survey involve security at the planning stage of a new business initiative.