Transparency and focus key to driving back cyberthreat in Asia-Pacific

22 June 2017 Consultancy.uk

Cybercrime in the Asia-Pacific region continues to plague business, individuals and governments alike, with a new report from Marsh & McLennan Companies’ Asia Pacific Risk Center (APRC) stating transparency and focus are key to businesses' salvation.

Asia-Pacific is set to see increased digital activity, however, poor transparency and a lack of strong legislation in various countries is hampering efforts to create cyber-resilience in the region. Compelling organisations to improve security and improve transparency, from governments to individuals is central to future prosperity.

Cybercrime is becoming increasingly problematic for businesses, consumers and governments. The digitalisation and concentration of a wide range of processes and private and sensitive information, without a means or incentive to secure that (valuable) information, has created a situation in which huge troves of information regularly find themselves on the street or collated by those with nefarious intent.

Aside from the nightmare of dealing with identify theft, the absolute cost of cybercrime to the global economy was recently estimated at more than $400 billion. For businesses, the costs come in at up to $280 billion, while a severe breach has also been found to have a noticeable impact on the share price of public companies.

The APRC recently released a study into the cyber risks across the Asian-Pacific region. The report, titled ‘Cyber Risk in Asia-Pacific’, considers the current cybercrime climate in the region, from costs to business and consumers to various means of mitigating and protecting sensitive information.

Cyber risk - Asia-Pacific in numbers

By the numbers, businesses in the Asia-Pacific region lose around $81 billion in business revenues lost to cybercrime. Asian-Pacific businesses were also found to be considerably more likely to be attacked by hackers, making cybercrime the fifth biggest risk for the region.

Particularly Asian firms are also finding it difficult to deal with cybercrime. The report finds that Asian organisations take 1.7 times longer than the global median to discover a breach. This in part reflects investment levels, which are found to be 47% lower than the amount spent by North American firms. Internet users in the region too are found to be lacking in some respects, with 78% said to have not received any education on cybersecurity.

Firms face a range of challenges, some governance related and some related to talent scarcity. 70% of firms, for instance, are said to lack a firm understanding of their cybersecurity posture, while 74% say that they have ‘difficult-to-extremely-difficult to recruit cyber talent’. Insurers in the region too are weary, with few willing to cover incidents at more than $100 million in damages.

A higher threat potential

One of the reasons for the region seeing higher levels of threat, is related to the speed of digital transformation in the region. The global online population is set to grow by around 500 million between 2016 and 2020, with the APAC region leading the growth in people online (60%). The number of connected devices too is set to grow steeply, again, predominantly in the APAC region (60%), with 4G mobile connections up from 1 billion in 2015 to 4.2 billion by 2020.

The region also has a high level of projected growth in IoT devices, with the number of connected devices – according to the firm – in the APAC region hitting 8.6 billion by 2020. While there too have been increases in FinTech propositions, including the transfer of e-money, which in Indonesia along have grown from $54.7 million in 2009 to $409 million in 2015.

Cyberattacks in APAC - Tip of the iceberg

Attacks in the region have not been without note, whether on the consumers or on businesses in the region. The firm notes a number of incidents that have had considerable impact, including, among others, the compromise of 3.2 million debit cards in India, the theft of $81 million from the central bank of Bangladesh, the personal details of 7.9 million individuals stolen from Japan’s largest travel agency, and the world’s fifth largest bitcoin exchange seeing $65 million bitcoins lost from its servers.

The report notes that these attacks are likely to be the tip of the iceberg, with the largest share of attacks going unreported. Estimates place around 90% of large companies in the region as under some form of cyberattack last year; and, with no requirements to report incidents in many countries in the region (japan and Australia and New Zealand as exceptions), much of the damage from such attacks remains concealed.

Stakeholder roles in strong defence

Dealing with the threat in a way that systematically makes the region more robust against attacks – which are likely to increase and become more severe as digitalisation continues – will, according to the firm, require involvement from multiple stakeholders.

Governments are called on to change organisational behaviour by compelling organisations to develop and adopt behaviours that make their organisations cyber-resilient. Creates a cross-organisation framework for cybersecurity skills that leverages lessons learned to create best-practices for industries. Other measures include creating influential national institutions focused on cyber-resilience, and compelling company to government transparency, with comprehensive and enforceable data breach notification regulations.

Organisations remain key targets for cyberattacks, as they contain troves of valuable data. They too are able to create strong lines of defence for that data. Organisations play a key role in defending data, from internal transparency efforts to being transparent about attacks with the various stakeholders involved.

Individuals remain a key link in the cybersecurity chain, with errors implicated in 95% of breaches according to an 2014 IBM study. They too are able to exert considerable pressure on organisations and governments to prevent beaches and regulate information, whether as shareholders or as the public.

Board involvement in enterprise wide cybersecurity

The research also cites the board of directors as a key source of direction for cybersecurity efforts within organisations. Making cybersecurity a board level agenda item improves the overall strategy setting of organisations, which, with strong governance, creates the conditions for top-down control of cyber risk and security throughout an enterprise.

Further benefits to the organisation’s cybersecurity resilience can be won through regular audits to insure compliance and performance to each of the lines of defence in an organisation. Implementing a range of strong best-practice cybersecurity processes, including training of personnel, deploying relevant technologies, and designing infrastructure in a way that allows for relatively simple surveillance and crisis management.

News

More news on