Companies across the Association of Southeast Asian Nations (ASEAN) bloc face growing risk of cyberattacks, which could expose the region’s top listed firms to a US$750 billion (RM3 trillion) erosion in current market capitalization, according to new research commissioned by Cisco.
The research, conducted by global management consulting firm A.T. Kearney, stresses that ASEAN’s growing strategic relevance, driven by economic expansion and ongoing digital adoption, make it a prime target for cyberattacks.
A combination of nascent policy preparedness, absence of a unifying regional governance framework, shortage of skilled talent, underestimation of risk and lack of adequate investment are among the factors that are contributing to the heightened risk.
Albert Chai, Managing Director at Cisco Malaysia said: “While the International Telecommunications Union (ITU) has recognised our nation’s commitment to cybersecurity, this research finding shows that organisations still needed to amplify efforts in improving their digital hygiene. Like the rest of the world, Malaysian organisations were also affected by the slew of high profile cyberthreats such as WannaCry and Nyetya last year.”
“This, coupled with the massive data breach exposing over 46 million mobile number subscribers means that businesses that come short of deploying a robust security framework risk losing not just ringgits and sens, but more importantly trust and credibility of their customers.”
The research report, titled Cybersecurity in ASEAN: An Urgent Call to Action, emphasises that cybersecurity risk across the bloc will continue to escalate as the bloc gets more digitally interconnected. For instance, CyberSecurity Malaysia (CSM) has detected an increase of cyberthreats in recent years. CSM’s Computer Emergency Response Team (MyCERT) reported that malware incidences rose from 1.1 million (2016) to 1.3 million (2017).
In addition, diverging National priorities across ASEAN countries and varying paces of digital evolution will foster a pattern of sustained underinvestment.
ASEAN countries are underspending on cybersecurity. The region currently spends an average of 0.07 percent of its collective GDP on cybersecurity annually. It would need to increase the spending to between 0.35 and 0.61 percent of GDP between 2017 and 2025, to be in line with the best in class benchmark (based on spend levels as percentage of GDP for Israel). The research estimates that this translates to US$171 billion in collective spend needed across ASEAN countries during the period. Limited sharing of threat intelligence, often because of mistrust and a lack of transparency, will lead to even more porous cyber defence mechanisms.
Naveen Menon, President ASEAN at Cisco said: “Digital innovation and adoption are central pillars of economic growth for ASEAN. Its success hinges in large part on the bloc’s ability to combat the cyber threats. Cybersecurity needs to be an integral part of policy discussions at the semi-annual ASEAN Summit, with the aim of developing a unified policy framework for the region. The corporate sector also needs to start treating cybersecurity as a business-wide issue that can only be tackled by adopting a risk-centric approach to building resilience, rather than just an IT problem.”
The cybersecurity threat landscape is evolving rapidly due to the following additional factors:
Emergence of new technologies such as the Internet of Things (IoT)
• The end points in an IoT network often tend to be unsophisticated devices such as household gadgets, making it easier for attackers to hack the network. IoT attacks are already prevalent in Asia.
• In 2016, 60 percent of all IoT-based attacks originated from Asia, most likely because of the historically vulnerable profile of products in Asian markets.
A global trend of shortage of skilled and qualified cybersecurity professionals
• This is mirrored across ASEAN. Malaysia, for instance, currently has 6,000 cybersecurity professionals but requires 10,000 by 2020.
• Specific skill sets like behavioral analytics and digital forensics are in acute short supply.
• There is also inadequate expertise in cybersecurity support sectors, such as cyber insurance, where effective frameworks and knowledge are needed to accurately assess the value at risk.
Nikolai Dobberstein, Partner at A.T. Kearney and lead author of the report, said: “As our technological landscape changes and new threats emerge, it’s never been more important for countries, governments, and the public and private sectors to come together and collaborate to share best practices. Cybersecurity is something that impacts us all, and particularly in ASEAN, where countries have strong ties to one another. We can only be as strong as our weakest link.”
The study was delivered through a combination of interviews across a wide spectrum of policy makers and corporate decision makers, expert discussions and analyst reports.