Asia lagging on cyberthreat front
- 15 May 2019 at 09:38
- WRITER: WILLIAM HICKS
Phishing emails still present the greatest cybersecurity threat.
Asian countries are lagging behind in responding to cybersecurity threats and should craft legislation focusing on disclosure and defining critical infrastructure, says Siang Tiong, general manager at Kaspersky Lab Southeast Asia, a leading cybersecurity firm.
"I can't speak to Thailand's new cybersecurity law, but countries must define what critical infrastructures are and their standards," he said. "There must be a minimum standard for sectors like telecoms."
Thailand's recently passed cybersecurity law was controversial because part of it allowed the government to access the computer systems of enterprises and individuals that are deemed "critical cybersecurity" without a court order. Critics of the law said the definition of "critical infrastructure" was too vague and susceptible to government abuse.
Mr Siang said the key area government regulation should address is to clearly define what counts as critical infrastructure (such as financial services, utilities and telecoms), and then to establish the capabilities to adequately monitor threats through analytics. Regulation should also require companies to disclose data breaches to the public, something companies rarely do on their own.
"There's a blurred line between governments doing too little and overstepping their bounds," he said. "But for most industries the private sector should take the lead in monitoring threats and assessing risks."
However, some public utilities like water and power plants are increasingly facing cybersecurity threats from hostile state actors. For instance, Iran's nuclear power plants were allegedly targeted by a malicious computer virus, causing some centrifuges to spin too fast and break down.
"Cybersecurity is not even on the agenda of some public utility operators," said Mr Siang.
Still, the most common and effective cybersecurity threat is phishing emails: messages disguised as routine or official correspondence that trick government or private sector workers into typing in their passwords or downloading a malicious file. He said about 90% of phishing emails are non-specific and easily detectable, but some are carefully crafted to look like an invoice from a client or a request from the human resources department.
Though some employees are aware of this threat, it is not uncommon for people to be duped into downloading a file that compromises networks of major enterprises.
"It's like during the cold season -- you have to continually remind people to wash their hands to keep it from spreading," said Mr Siang.
Cyberbreaches for many companies, however, are all but inevitable these days, he said.
It is important for enterprises to develop a clear public relations strategy to notify their customers or clients.
However, many companies choose not to disclose a breach, even when Kaspersky notifies them about one, sometimes multiple times, said Mr Siang.
When this happens, he said, Kaspersky is forced to go over the company's head and notify the public directly, often causing a huge PR embarrassment for the client.
"Many Asian companies try to avoid disclosing and wait until it is too late to let the public know," said Mr Siang.