Asia can lead a global transformation in security culture

More sophisticated, targeted attacks on Asia-based firms should drive the evolution of internal culture and processes to combat such threats. There are significant hurdles to overcome, however, and the cyberthreat landscape remains fundamentally global.
Written by Kevin Kwang, Contributor

Companies in Asia-Pacific can take the lead in developing an effective, holistic organizational culture and posture given their exposure to complex, targeted attacks in recent times. However, the increasingly global nature of cyberattacks means that no region can stand alone in battling such threats.

An April report by ISACA Singapore Chapter stated that Asia was increasingly a target for advanced persistent threats (APTs) due to the presence of more multinational companies (MNCs) and big local brands in the region. The fast-growing Asian market also presents a more lucrative target because it might not be as well-protected as organizations in more mature markets, noted Leonard Ong, president of ISACA Singapore Chapter, in the report.

R. Vittal Raj, a member of ISACA's Knowledge Management & Education Committee and former president of its Chennai Chapter, told ZDNet that with mobility technologies taking off in the region, security concerns around mobile, social media, and cloud computing are "clear challenges".

And with the increase in regulatory data security compliance requirements and privacy laws, organizations are under more pressure to increase their budgets to stay on the right side of the law. Said Raj: "While many enterprises have improved in getting their security apparatus better aligned, challenges remain in terms of measurable performance."

Foster more holistic security culture internally

These factors are why Raj believes Asian enterprises will lead in "achieving cultural transformations" in their organizations, while other regions invest in security technologies. These transformations revolve around stakeholder security perception, internal discipline, enterprise-wide collaboration, and alignment in strategizing and responding to security challenges.

"With attackers moving their focus from machines to the vulnerable victims behind these machines, Asian companies are likely to lead in responding to such complex challenges with innovative security strategies and solutions," he said.

Taking the lead in organizational culture transformation, though, would require companies to move away from some of the bad habits brought to light by Dimension Data's Paul Craig. The vendor's penetration testing team lead said in June that elements of Asian culture — such as the region's fear of failure, its tendency to follow checklists involving IT security, and its prioritization of cost savings over quality — were key hurdles that regional organizations must overcome in order to improve their security posture.

Another industry watcher believes there's much room for improvement among businesses in the region in terms of implementing the right security measures and posture across the organization. David Siah, country manager at Trend Micro Singapore, noted that in a recent internal survey of over 1,000 IT professionals and managers across Asia-Pacific, almost half indicated a data breach as the biggest perceived IT threat. However, in the same survey, the top security investment was still focused on antivirus or anti-malware tools, followed by data leakage prevention.

"What this highlights is the gap in the perception of threat and investing in the right tool to protect against it," Siah pointed out. "Traditional perimeter security is dead, and businesses need to look into new and innovative security solutions that monitor and analyze data from different sources to figure out when their networks are under attack."

He added that it would be "tricky" for Asia to play a prominent leading role in terms of introducing and coordinating security efforts. Given the multiple parties involved in an attack and how they are intricately interlinked across the globe, it would be challenging for one region to take the lead in security efforts, Siah noted.

Rob McMillan, research director at Gartner, shared similar sentiments. In a phone interview with ZDNet, he said there was little difference between the types of security threats afflicting Asian companies and others elsewhere in the world.

McMillan also dismissed the notion that Indonesia's recently acquired status as the top launch site for online attacks meant that Asian companies were more likely to become victims of cybercrime. Akamai's State of the Internet report for the second quarter of 2013 showed that Indonesia had overtaken China to become the most popular location from which cyberattacks were launched.

"Don't mistake the source of attacks with the target of these attacks," McMillan stressed, adding that other regions had their own security challenges. North America, for example, has a very high proliferation of botnets, while Russia and Romania are known for fraud activities.

The Gartner analyst pointed out that when such online attacks are financially motivated, and many are, the target is market-agnostic.

Improve sharing of threat incidents

Another area where Asian companies can improve is the sharing of information about their data breaches instead of keeping quiet.

Bryce Boland, APAC CTO at security vendor FireEye, noted that the practice of keeping silent worked against companies that might be targeted by the same threats, and that could have benefited and learned from information provided by other organizations with similar experiences.

To change this culture, Boland called on regional governments to introduce strong regulatory frameworks to ensure there is a compelling reason for companies to detect and report breaches when these occur.

Trend Micro's Siah concurred, noting that because every APT attack is customized, a new level of visibility and intelligence is critical to combat these threats across one's computing environment. This would mean having a system capable of advanced threat detection, real-time analysis and reporting, and scalable custom sandboxing, among others.

"There is a need to combine threat and data protection within a context-aware security framework, which identifies who is accessing what data when, where, and how, [as the information] can help quickly identify and mitigate these attacks," he said.

Art Coviello, executive vice president of EMC and executive chairman of RSA, has called on Asian governments to play their part in facilitating information-sharing regionally. He suggested this could be done if governments acted as a central clearing house to speedily exchange information about current threats and attacks.

Boland also identified major telecommunication providers and internet service providers (ISPs) in Asia as ideal candidates to provide greater protection from APTs for their customers here.

Should these providers reduce the number of malware-infected computers in the region, it would then be harder for attackers to carry out denial-of-service (DoS) attacks, spam campaigns, and other attacks, the FireEye executive explained.
