Does security scare you? Are you paranoid about security? Is your enterprise secure enough?
These are tough questions, and here are some tough answers: No, security should not scare you; a lack of security should. Yes, you should be paranoid about security. No, your enterprise is never secure enough. That is why security — especially data security and cybersecurity — should be one of your top concerns when it comes to your corporate policy and philosophy.
That is generally true for all enterprises, but it is even more so for Malaysian ones. Why? Because the data on security incidents in the country should wake you up, if not scare you.
Last year, the Malaysian Computer Emergency Response Team (MyCERT) recorded 2.9 million malware hits from botnets; 1.2 million spam emails, some of which contained code to infect users; and 8,000 targeted security incidents. In the first half of this year alone, botnet-based hits reached 1.7 million, spam emails crossed 754,000 and security incidents rose to 3,200. Targeted security incidents included fraud, intrusions, cyberharassment and Denial of Service (DoS) attacks.
MyCERT has been tracking the country’s cybersecurity levels since it was set up in 1997. It operates the Cyber999 Help Centre and the Cybersecurity Malaysia Malware Research Centre. Such concerted efforts are required because no entity is free from the cancerous claws of cybercriminals.
Not even Bank Negara Malaysia. On March 27, cybercriminals sent fraudulent messages on the SWIFT (Society for Worldwide Interbank Financial Telecommunication) platform to transfer funds, in a modus operandi akin to the one used to fraudulently transfer US$81 million from Bangladesh Bank. Alert Bank Negara officials foiled the attack, but this was a wake-up call to banks worldwide.
Why the paranoia? Because hackers could infiltrate the supposedly secure SWIFT interbank network, which enables financial institutions to send and receive information on financial transactions in a secure, standardised and reliable environment. However, the network does not hold accounts for its members and does not perform any type of clearing or settlement. Neither does it facilitate fund transfers. It only sends payment orders, which are settled by correspondent banks. SWIFT is headquartered in Belgium and hosts an annual mega-conference called Sibos.
In 2016, hackers penetrated the SWIFT Alliance Access software and surreptitiously transferred US$81 million from the central bank of Bangladesh via its account at the Federal Reserve Bank of New York. It was not the first of such attempts on SWIFT by hackers, nor was it the last. Soon after the heist, another hit was reportedly made on a commercial bank in Vietnam, which was foiled.
How did the hackers pull it off? They were experts and their method was ingenious. After the malware sent the SWIFT messages that stole the funds, it deleted the database record of the transfers. It also took automated steps to prevent confirmation messages from revealing the theft. In the case of Bangladesh Bank, the confirmation messages would have been printed. But the malware altered the paper reports when they were sent to the printer, as well as the soft copy printed on a read-only PDF document.
What has been the biggest banking hack so far? In early 2015, a record £650 million (RM3.5 billion) was stolen from 100 financial institutions worldwide allegedly by a gang of Russia-based hackers, who had spent two years planning the crime. The malware infected the banks’ intranets and clandestinely fed sensitive data, including emails and passwords, to the hackers over several months. While the criminals behind the audacious attack are thought to be based in Russia, the scale of their crime was global, with banks in Japan, China, Europe and the US having been hit.
How was the crime discovered? The hack was too sophisticated for its own good. The criminals could even get infected automated teller machines to dispense cash without an ATM card. That was their undoing. An ATM in Ukraine suddenly spewed out cash without anyone being present. Cops called cybersecurity firm Kaspersky Lab to investigate and it uncovered the scale, depth, extent and audacity of the crime.
Cybersecurity is not just a problem for banks. It is also yours and mine. That is why governments and enterprises are poised to spend up to US$120 billion beefing up cyberdefences by 2021. This is a compound annual growth rate (CAGR) of 9.6% from US$83.5 billion last year, according to International Data Corp (IDC).
“Three overarching trends are driving security spend — a dynamic threat landscape, increasing regulatory pressures and architectural changes spurred by digital transformation initiatives. Organisations are actively searching for product and service efficiencies that maximise spend to fully address such complex challenges,” says Sean Pike, vice-president of IDC’s security products and legal, risk and compliance programmes.
Asia-Pacific ex-Japan will see the fastest growth in security spending between now and 2021, with a CAGR of 19.9%. “Within the region, China and Malaysia will see particularly strong growth, with five-year CAGRs of 25.3% and 20.1% respectively. Latin America is also expected to outperform the overall market during the period,” says IDC.
The US Federal Bureau of Investigation reported that 301,580 consumers lost US$1.4 billion to cyberfraud and malware last year. The top threats were whaling, phishing and ransomware, followed by tech-support fraud, confidence games involving the theme of romance, non-payment scams and straightforward extortion.
What is the difference between whaling and phishing? Whaling attacks target the “whales” or high-ranking, senior or top executives of a company or government agency. Phishing attacks target individuals in any organisation so as to gain access to the corporate intranet. Whaling has become more popular with hackers and accounted for the bulk of the complaints. About 15,690 individuals were impacted last year and accounted for adjusted losses of more than US$675 million, according to the FBI.
“In these cases, criminals masqueraded as company executives to request a change in account information for wire transfers to siphon off money to their own accounts, or to request personally identifiable information on employees. In 2017, the real estate sector in particular was heavily targeted,” says the FBI.
What is the lesson for companies, especially since the top management is at risk? That data security should be a board-level topic and an essential part of any digital business strategy. Business leaders have not always been receptive to this message, but a string of high-profile incidents is changing that sentiment, according to a report by Gartner Inc.
Examples include an Equifax data breach that cost the CEO, chief information officer and chief security officer their jobs; a WannaCry attack that caused worldwide damage estimated at US$1.5 billion to US$4 billion; and Verizon’s US$350 million discount on its purchase of Yahoo! as a result of the latter’s data breach.
“Business leaders and senior stakeholders at last appreciate security as much more than just tactical, technical stuff done by overly serious, unsmiling types in the company basement. Security organisations must capitalise on this trend by working closer with business leadership and clearly linking security issues with business initiatives that could be affected,” says Gartner vice-president of research Peter Firstbrook.
Another key point worth considering is geopolitical factors. Companies need to take these into account when drawing up requests for information (RFIs), requests for proposals (RFPs) and information and communications technology contracts. Increased levels of cyberwarfare, cyber political interference and government demands for backdoor access to software and services have resulted in new geopolitical risks when it comes to buying decisions on software and infrastructure.
“Recent government bans against Russian and Chinese firms are obvious examples of this trend. It is vital to account for the geopolitical considerations of partners, suppliers and jurisdictions that are important to your organisation. [Make sure to] include supply-chain source questions in your RFIs, RFPs and other legal contracts,” says Firstbrook.
The problem is all the more acute in Asia-Pacific, where cybersecurity is relatively nascent. Very few countries have implemented national cybersecurity strategies and not many organisations are equipped to keep up with the ever-evolving threats and regulations, according to a recent study by Palo Alto Networks.
Asia-Pacific is home to 60% of the world’s population, has 1.2 billion mobile phone users and nearly 50% of the world’s internet users. The region’s digital services market is set to experience double-digit growth rates. That is both an opportunity for businesses and an opportunity for hackers. “The survey shows that despite devoting more resources to cybersecurity, organisations in the region remain confused about the best way to mitigate cyberthreats — a reality that severely hinders their ability to lead in the digital era,” the study notes.
This is despite the fact that cybersecurity budgets are huge in Asia-Pacific. The majority of organisations (74%) devote between 5% and 15% of their total IT spend to cybersecurity, with China, India and Hong Kong leading the way. At 86%, financial institutions with more than 500 employees are the leading vertical segment.
Is money the solution? No. As in many other areas, simply throwing money at the problem does not yield results. Knowledge and expertise are vital components of any coherent cybersecurity response, especially in a world where threats move quickly and stealthily across borders.
The Palo Alto study reported that China led the pack in maturity, with 97% of surveyed organisations having a dedicated IT security team or department, followed by India (95%) and Singapore (86%). Which vertical sectors are the leaders? The government (97%) and financial institutions (90%). The Achilles heel? SMEs. Up to 55% of them do not have — or cannot afford — dedicated teams. But then, when their supply chains are connected to government agencies and large companies, the risk of hackers using the SME door to get into the larger enterprise soars.
The bottom line: Are you secure enough? You can never be. Cybersecurity is a dynamic game, which the hacker and the hacked, the attacker and the attacked, play 24/7. It is a stealth game played in the shadows, sometimes with tools that turn employees against their employers, without the employees even knowing about it, like a developing cancer. Vigilance and tools such as analytics, artificial intelligence, big data and business intelligence must be used to mitigate the risks, halt the hackers, alert the authorities and keep the cyberterrorists out.