By Rob Sloan, cybersecurity research director, WSJ Pro
Geopolitical tension and a lack of digital preparedness are among the leading cyberrisks for international companies operating in Asia.
Suspected Chinese government-sponsored hackers and other groups have carried out attacks against multinational organizations based in Asia and in the West, said security experts who gathered this week at the Cyber Connect 360 conference in Singapore this week. Singapore is working to improve its own security hygiene by disconnecting some 100,000 government employees’ computers from the internet as a preventative measure. But that’s only one step toward mitigating the ongoing cyberthreats that vary depending on the type of organization targeted.
“The threat posed by determined, well-resourced government groups will likely prevail against the typical organization, and so it’s important firms have a plan in place to respond to the inevitable breach,” said Rob van der Ende, vice president of Asia, Pacific and Japan region at the cybersecurity vendor FireEyeInc.
“We also track China-based teams that appear focused on various parts of the wider region and we see heightened activity when geopolitical tensions flare up, particularly around the South China Sea territorial disputes,” he said.
Increased threat activity around political events is proof organizations should take extra care to consider how global new could affect them.
However, geopolitical issues may not be the only motivation behind nation state and criminal hacking of Asian companies.
“I am concerned that Asian firms are being targeted because of a perceived lack of cyberpreparedness” said Bryan Tan, a partner at the Singapore office of Pinsent Masons, LLP. Mr. Tan said the mere perception of vulnerability is a risk in itself as it may encourage attackers to target Asian companies over those in other parts of the world.
A July 2017 survey by managed security services provider Quann Singapore Ltd. reinforces this perception. Ninety-one percent of Singaporean companies consider themselves in the early stages of security preparedness, and more than half do not have a security operations center to coordinate their network monitoring activities.
The perception of vulnerability is especially relevant to western organizations operating in Asia. Threat actors may seek to target Asian divisions of multinational companies as they may represent a weak link and an easier route into the company’s core network.
Technical architecture mitigations, such as segmenting the network, can limit an attacker’s ability to move freely around an organization’s network to exploit geographical disparities.
Mr. van der Ende called the curtailment of internet access across government departments “a good example of risk management practices.” He added: “It’s good for boards to know that, yes, sometimes security is inconvenient.”
A Push from Regulators
But international governments aren’t waiting for the private sector to improve security on their own time.
Mr. Tan said Singapore has signaled it will drive up standards by end of 2017, and potentially introduce mandatory breach notification laws after a public consultation period.
Proposed changes to the country’s Personal Data Protection Act will require organizations to notify both affected individuals and the Personal Data Privacy Commission, the country’s privacy watchdog, when a compromise of data is likely to result in harm to those whose data has been exposed, or when a breach affects over 500 individuals.
The updates to the legislation will bring Singapore into line with breach notification laws in the U.S. and the European Union’s General Data Protection Regulation, which goes into effect next year. The update will provide a clearer picture around the extent of cyber attacks across Singapore. It will mark an important development because, as a finance and technology hub for Asia, Singapore cannot afford to allow cybersecurity standards to lag behind other economic centers.
“The government is proactively trying to build a skilled workforce in the cyber domain and support public-private partnerships to address the cybersecurity challenges,” said Tam Huynh, senior director of the cybersecurity and investigations practice at the risk consultancy firm Kroll Inc. “Multiple initiatives are underway to build a robust and resilient national critical infrastructure to deal with attacks.”
(Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors.)