Price of protection

As cyber threats become more global and more costly, consumers and businesses need to improve security to reduce the risk of crippling costs from a breach. By Erich Parpart

Cyber security should be among the top concerns for businesses in Asia Pacific before it becomes too costly to properly address. At the same time, opportunities are emerging for companies that specialise in countering the risk from cyber threats, experts say.

The cost of putting in place protection against cyber attacks continues to surge. Many consumers still do not practise basic "cyber hygiene", and many businesses also don't do enough to keep their systems safe. Corporate executives and directors as well as governments are struggling to find ways to deal with threats without compromising everyone's ability to communicate.

"Increasingly, cyber threats are becoming more of an issue. There are obviously business continuity issues; there are also data protection issues, and social impact on one side," said Brenton Mauriello, president of the Australian-Thai Chamber of Commerce (AustCham).

"The other side is free movement of information and that is important to business because business believes that diversity assists business outcomes, and when you try to restrict the free flow of information, that actually impacts negatively in the longer run."

A new study by Juniper Research forecasts that global IT security revenue is expected to reach nearly US$135 billion in 2022 from an estimated $93 billion in 2017. However, corporate data breaches are expected to cost organisations a cumulative $8 trillion in fines, lost business and associated remediation expenses over the next five years.

"Training people not to open up emails and attachments that we are not sure of and not to use thumb drives from other people, these are very simple but actually have a great impact," Mr Mauriello told Asia Focus.

According to the Norton Internet Security Center, cyber hygiene is about thinking proactively in order to build up immunity to threats and online security issues. It advises businesses to equip themselves with tools such as reputable anti-virus and anti-malware software, a network firewall, and password protection to protect personal data. Regularly clearing out data you don't need is also recommended, along with using software to clean hard drives.

Other recommendations include changing passwords fairly frequently, while monitoring personal cyber security will also help avoid online threats. Organisations and individuals alike should institute a regularly scheduled series of tasks to scan for viruses, update operating systems and check for any available security patches.

For open systems, particularly cloud-based working environments, keeping security up to date is costly but important as the local environment, or local hosting, is becoming obsolete. Cloud service is a hosted service that is accessible over the internet instead of physical servers; in other words, it is a virtual storage for data and software.

"The reality is that the local environment will dissipate and we are seeing it as people go into the cloud, and there is the cost for developing security mechanisms for the cloud," said Mr Mauriello, who is also the chief executive officer of the Bangkok-based architecture and interior design firm dwp (Design Worldwide Partnership).

"So there is a direct cost, both in terms of investment and in terms of potential impact, theft and shutting down," he said, noting that even some Thai banks' ATM networks have been victims of hackers, though not on the scale seen in some other countries.

However, most businesses in Asia Pacific are still ill-prepared for current threats, and IT security needs to be elevated in terms of risk management at the board level. This includes extra precaution in terms of assessment and preparation for potential financial and personnel impacts.

"What businesses here have done so far is not enough. [Security] is high but it should be higher in terms of their strategic risks," Mr Mauriello said.

To some extent, there is a generation gap where cyber security awareness is concerned, he continued.

"One of the issues -- and I say it with tongue in cheek being a little older and [from the era] before computers -- is that most board members might not understand. In fact, they don't understand. That is why we have audit committees for finance because we don't understand finance quite well enough, and here we need to bring in specialists as well."

Board members need to listen more to younger and more cyber-aware people in the organisation about changes in the IT environment because, normally, by the time the news about a new cyber threat gets to the board and directors work out what it might mean, it will already be too late.

"You can get a consultant from outside and that works to a point, but what consultants don't really understand is your business and it will be great to be generating that information inside," said Mr Mauriello.

Some governments in the region are also too slow to react to new threats and still decline to cooperate with one another on cyber threats.

"My thoughts are that, perhaps, some of our institutions such as governments, the courts, are running behind the changes and we need to get in front of the changes," he said.

Antonio DeLorenzo, vice-president of partnerships at Identitii, a Sydney-based payment solutions provider, said the notion of data protectionism was one of the problems behind the lack of collaboration among governments.

"Some countries and even some country groupings around the world have put in place ornate policies to protect data in terms of privacy or localised data," he told a panel discussion held by AustCham.

"This localisation issue is something that keeps popping up around the world and, in different ways, it might be helpful to localise data. But if you tell the world through your policy that all of your data is going to sit on one shore, inside [one set of] borders, you effectively tell all of the people that want to harm you by getting that data that it is sitting in just one place.

"These are issues that are going to keep popping up as we go forward. We have to consider what role a level playing field and international protocols play and what it means for businesses, especially in terms of cyber investigations."

Tobias Feakin, Australia's Ambassador for Cyber Affairs, said there was no perfect recipe doe fighting cybercrime, but through collaboration with Singapore and Japan, Australia has been trying to increase the free flow of information about threats and responses that are collectively useful. Public-private partnerships are also crucial.

"This does not always work perfectly … but it is absolutely about trust building," he said. "It is about us as governments saying, 'You know, that there are some things we know about which are different from what you know about because we study certain threats', and if we can share some of that in a trusted environment, show some faith in private-sector partners, then our perception is that we will get something in return.

"If you can both show value and show that the input over a period of time is worthwhile, then you can built a very healthy relationship."

There is also the need to find a balance between the need to protect the population and the need to maintain a free flow of information when something like a terrorism threat arises, noted Chaichana Mitrpant, deputy executive director of the Electronic Transactions Development Agency of Thailand.

"We are all struggling to find the equilibrium. We don't know if it exists or if it will be the same for different cultures, environments and communities," he said. "We need to talk to all stakeholders … and this is the approach we in Thailand are taking, and hopefully we can find the right point where the balance is.

"We need civil control or else things will be uncontrollable, but at the same time, of course, we have to respect people's rights. But they also have to be concerned and show respect to other people because we cannot all do whatever we like without caring what other people think."

Amid the risks and challenges, however, there are also opportunities. Mr DeLorenzo said that Asean, with 10 different countries, data centres and protocols, presents "a great opportunity" for his company.

"The world is looking at Asean … and being a company that tries to facilitate fighting financial crime, we are helping promote greater cooperation to try and navigate through this world of issues within the cyber realm," he said.

International Data Corporation (IDC), a global market intelligence firm, has forecast that worldwide revenues for security-related hardware, software and services will grow from $73.7 billion in 2016 to $101.6 billion by 2020. This represents a compound annual growth rate of 8.3% which is more than twice the rate of overall IT spending growth over the same period.

Back to top