Picture this: A family builds a new house and fills it with their most precious possessions and memories. Break-ins around the neighbourhood are on the rise, so they install a state-of-the-art alarm system. It costs a fortune. But it’s worth it, right?
Of course, it is – except they forget to lock the front door.
Let’s apply this parable to the corporate sector in the digital age. Instead of a house, it’s a company. Instead of an alarm system, it’s firewalls and antivirus technologies on an in-house server. And the unlocked door? Well, it’s the bad habits and lack of safety procedures that allow cyber criminals to breach a system with little effort, even if a company has invested heavily in security technology.
Here is a sobering statistic: An estimated 85% of a typical company’s internal data breaches do not come from proactive malicious attacks by criminals. Instead, they stem from carelessness, a lack of attentiveness, or simply ignorance of the dangers out there. Often someone in an organization does something that leaves “the door unlocked” to easily avoidable threats, like responding to phishing or online identity theft scams. Data breaches might also occur as a result of the reckless sharing of passwords, using an infected thumb drive, being lax with admin privileges, accessing suspect websites, or not updating the systems on the network as new security patches are released. All of these can make an organization a “low-hanging fruit” target for cyber criminals.
So, when I am asked what is the biggest cyber threat to businesses in Asia, I have to say: complacency.
Microsoft’s most recent Security Intelligence Report (SIR) lists many emerging economies in Asia as among the world’s most vulnerable to malware and similar cyber threats. Bangladesh and Pakistan top the global at-risk list, followed by Cambodia and Indonesia with Myanmar, Nepal, Thailand, and Vietnam all close behind. The findings are disturbing. These countries are trying hard to develop their economies and create new jobs and industries through digital transformation. But this sort of widespread cyber vulnerability puts all that at risk. Individual businesses also have a lot to lose. Experience shows that many companies that suffer major breaches often don’t recover, either from losing customer trust or from the sheer financial cost of an attack.
There are also genuine concerns for regional economies with stronger security records – Japan, Australia, Hong Kong, New Zealand, and Singapore – as they invest and build commercial and trade partnerships with their more exposed neighbours.
When I talk with many business leaders, cyber security is often top of mind. So it is frustrating to know that the vast majority of security breaches can be easily blocked with some basic precautions. A glaring case in point is the proliferation of pirated software. Many individuals, and even companies, simply ignore the dangers and use counterfeit software containing known vulnerabilities. And they do so more often here in Asia than anywhere else on the planet.
A new study by the National University of Singapore says non-genuine software – whether obtained from discs or downloaded from the internet – is likely to be thoroughly infused with dangerous malware: trojans, worms, viruses, ransomware, backdoors, spyware, droppers, injectors, adware and so on. The study, sponsored by Microsoft, found that many new computers have non-genuine software pre-loaded – often as a “sweetener” thrown in by retailers wanting to make a sale.
Once a corporate network has been infected, the breach can be challenging to find, let alone root out. In Asia, it takes an average of 520 days to detect a system compromise, compared with 100 days in the United States. Imagine what damage can be inflicted in that time without you even knowing.
So what can be done? Just like our metaphorical house with the alarm system, it is up to everyone in an organization to make sure the front door stays locked. As a leader in your company, you need to encourage and enforce good security behavior across all operations by all of your people, all the time. Training is key, but executives also need to take security seriously and lead by example.
A smart way to set the tone is to look at the structure of your leadership team. Many corporate boards may still be clinging to outmoded ways of managing IT. This leaves them ill-informed and unprepared for mounting cyber security challenges. To stay on top of the risks, organisations should consider “embedding” their chief information officer (CIO) in the boardroom to keep it up-to-date and proactive as the security landscape changes.
Also, moving from a potentially vulnerable in-house IT environment to the ever-evolving protection of the cloud can be a huge step forward. Ensuring the security of your data and your customers’ data is integral to your digital transformation journey.
An increasing number of companies understand that success as a digital business depends on the security umbrella afforded by the cloud. SmarTone, a wireless communications provider in Hong Kong and Macau, accumulates millions of pieces of personal data from its growing consumer base. To keep expanding, it has chosen a cloud-based IT solution, supported by robust security protection. As its chief technology officer puts it, an attack can come from anywhere and just “one breach can cost millions”.
Protecting data is also paramount in the public sector. The Australian Capital Territory government – which administers the city of Canberra – sees the cloud as not only providing scale and efficiencies to boost its frontline services, such as health, but also as a way to guarantee the privacy and trust of its 400,000 citizens.
The experts tell us that cyber criminals are no longer lone-wolf mischief makers, but are now highly educated, organized, adaptive and well-funded organisations. They are constantly inventing new ways to profit from the damage they cause, such as unleashing ransomware across the globe. That is why Microsoft invests more than USD 1 billion a year researching and developing cutting-edge cyber resilience technology in the cloud, where millions of pieces of data a day are analyzed – not just to block existing attacks, but also to predict where threats are likely to arise in the future.
But let’s not forget that, more than anything else, cyber criminals are opportunistic. Therefore, all the effort and all the money spent on increasingly sophisticated anti-threat technologies can mean little unless everyone takes responsibility for cybersecurity.
So, by all means, install that expensive alarm system; but please remember to keep the door locked as well.