Efforts in ensuring cybersecurity appear to be incommensurate with the prevalence of digital transformation and the benefits it offers enterprises in ASEAN today.
Among ASEAN enterprises, “build(ing) security and privacy into all devices, applications and algorithms” was one of the lowest priority in digital transformation, selected by only 21.9% of respondents, of which more than a third were enterprises from the Philippines, in the 2019 AIBP ASEAN Survey. More importantly, despite being a major manufacturing hub, ASEAN enterprises in the industrial segment were least concerned with cybersecurity among other industry segments.
Digital Transformation and Cybersecurity in ASEAN
Digital transformation is a key driving force for ASEAN’s economy. The digital economy is set to increase ASEAN’s GDP by $1 trillion by 2025 according to the World Economic Forum (WEF). Local governments have introduced initiatives for Industry 4.0, and the ASEAN Study on MSME’s Participation in the Digital Economy found that 74% of ASEAN MSMEs plan on continuing with digitalization.
With digital transformation, enterprises seek to:
- Provide better, more personalized customer service and experience to address changing customer behavior and demands
- Build connectivity to maximize collaboration internally and externally, drive innovation, and increase market reach in view of the increasing rate of internet penetration among the ASEAN population
- Increase operational efficiency
- Remain competitive and sustainable
Digital transformation among enterprises has also been accelerated by the COVID-19 pandemic.
However, the cost-effectiveness and increased productivity that digitalization offers to enterprises is a double-edged sword. Increased digitalization is always accompanied by increased cybersecurity risks, and 65.8% of ASEAN SMEs cited “cybersecurity threats” as a top operational challenge in an Ernst & Young report.
ASEAN enterprises have become more aware of the importance of cybersecurity in recent years and are keen on improving their security capabilities. However, security spending and product offerings in ASEAN are inadequate.
The responsibility to ensure a sustainable, cyber secure environment where enterprises can thrive and propel ASEAN’s economy in the age of digital transformation falls upon multiple players – ASEAN, national governments, and, most importantly, enterprises themselves.
Nascent Cybersecurity Regulations in ASEAN
Regional efforts set the stage for cybersecurity best practices among ASEAN countries and enterprises. Creating a cyber secure environment is necessary for digital transformation to bolster sustainable economic growth in the region.
The ASEAN Digital Integration Framework Action Plan (DIFAP) 2019-2025 encourages ASEAN members to adopt cybersecurity norms and enhance cybersecurity regulations in the region. ASEAN Cyber Capacity Programmes and the ASEAN Ministerial Conference on Cybersecurity (AMCC) have also affirmed the need for closer cooperation and coordination in cybersecurity policy development and capacity-building among member states.
Despite so, robustness of national cybersecurity policies vary across ASEAN countries, resulting in a fragmented cyber secure environment. ASEAN has a long way to go in creating a secure and resilient cyberspace for businesses to thrive in the region.
Cybersecurity is Important for Enterprises: Losses from Security Breaches
Globally, cyber incidents are among the most serious business risks (Allianz Risk Barometer 2020) and according to a Marsh & McLennan report for the Asia-Pacific Risk Center, organizations in Asia are 80% more likely to suffer cyber attacks.
Here in ASEAN, the average cost of a business data breach was $2.62 million in 2019, and the longer it takes for an organization to respond to a security breach, the more losses are incurred. In addition to financial losses, enterprises may face legal liabilities and put their reputation at stake. ASEAN enterprises should thus be prioritizing cybersecurity to protect themselves and avoid incurring unnecessary, avoidable losses arising from cyber attacks.
The following types of cybersecurity and their respective examples illustrate possible security breaches and their impacts.
Critical Infrastructure Security
Critical infrastructure are assets vital to the functioning of the society and economy, such as telecommunications, healthcare, transport, food and agriculture, and energy. The nature of critical infrastructure services means that breaches have far-reaching implications on enterprises and the public. As ASEAN countries look toward creating smart cities, critical infrastructure security will be essential.
In the connected world today, telecommunication is essential to daily life. A major data leak in 2018 compromised identification and passport numbers of 45,000 customers of True Corp, one of the biggest mobile operators in Thailand. Considering the sheer number of users telcos serve, they are prime targets of cyber attacks.
Government-linked organizations are targets of cyber attacks as well, and attacks often affect large parts of the population.
The 2018 SingHealth data breach affected 1.5 million patients whose records were accessed and copied. This “most serious breach of personal data” in Singapore history was deliberate and highly sophisticated.
In 2016, the two biggest airports in Vietnam had to shut down their announcement systems and check passengers in manually following a hack to their announcement systems, resulting in extended waiting times and flight delays. Disrupted domestic and international air transport caused much inconvenience to passengers and staff.
The responsibility to prepare and respond to critical infrastructure security threats and breaches often fall upon governments. Even so, enterprises must also take ownership of cybersecurity responsibilities and develop contingency plans in the event of critical infrastructure threats to ensure that their operations will not be disrupted.
Business networks are vulnerable to unauthorized access, modification, destruction, and other security threats. Attacks on network security may include data breaches, installation of viruses and ransomware attacks.
In 2017, AXA Insurance Singapore suffered a data breach of their online health portal which compromised customer contact details and personal information. This attack was a blow to AXA’s reputation since the company had previously introduced an online risk insurance service in 2014.
Network security breaches are not uncommon, and can disrupt or paralyze systems and operations. Even as Singapore’s cybersecurity regulations are one of the most robust in ASEAN, the increasing sophistication of cyber attacks means that achieving a cyber secure space will require continuous effort and improvement.
Enterprises may consider utilizing end-to-end encryption and multi-factor authentication to prevent unauthorized access to their networks while keeping network security systems up-to-date to allow for swift detection of cyber threats.
Cloud computing is a powerful tool for enterprises to increase operational cost efficiency. However, the sheer amount of information and databases stored on the cloud are also subject to greater cyber risks. Cloud security is usually compromised due to weak data encryption.
As more ASEAN enterprises move onto the cloud, concerns for the risks involved will arise.
In 2018, Cathay Pacific suffered a data hack which compromised 9.4 million customer records. The hack was speculated to be due to weak encryption following the airline’s data migration to cloud systems. Cathay Pacific share prices fell, and the airline received an enforcement notice from Hong Kong’s Privacy Commissioner and was fined by the UK’s Information Commissioner’s Office.
In another incident, Instagram business partner Chtrbox’s AWS database was exposed as a result of lax security measures. Almost 50 million user records linked to private data were exposed. Access to user information on the database grew continuously until Chtrbox pulled the database offline.
To maximize the benefits of cloud computing, information stored on cloud-based infrastructure must be kept secure and encrypted. Cloud solution providers may also offer businesses customized and centralized cloud security according to their needs.
Application security involves securing applications vulnerable to external threats during development and post-deployment. Verizon’s 2020 Data Breach Investigations Report revealed that 43% of data breaches were linked to web application vulnerabilities.
In 2018, Facebook discovered a web-app bug that allowed hackers to steal user access tokens. An estimated 30 million accounts were compromised. This is an example of how weak application security may jeopardize sensitive data and end-user information.
Application security solutions to protect data include security testing and application shielding using encryption, authentication and authorization, firewalls and antivirus softwares.
IoT adoption is set to surge in ASEAN due to reasons such as lower cost of devices and supportive government policies. However, as devices become more connected, ASEAN enterprises must address the security threats involved in IoT adoption.
Targeted attacks can intercept connections and compromise data and privacy. End-to-end encryption and security patching to address vulnerabilities in real-time will safeguard connected devices and their operations.
Cybersecurity is an Ongoing Challenge
In the age of digitalization, a cyber secure environment will ensure sound operations and sustainable growth. As numerous examples have shown, compromised cybersecurity has extensive impacts on the public and businesses themselves.
As digital adoption in ASEAN increases and cyber attacks become more rampant and complex, enterprises will have to step up their efforts to anticipate and address vulnerabilities and evolving cyber threats. Along with robust regulatory frameworks, individual enterprise efforts can create a safe and sustainable digital economy towards greater growth for ASEAN.
Do you have any thoughts on cybersecurity for ASEAN enterprises? Drop us a note in the comment section or [email protected].
20 August 2020