Asian firms can do more to protect data
Despite greater awareness among businesses in Asia on the need to protect data assets, security breaches seem to be on the increase across the region over the past year.
Claudio Scarabello, Verizon Business' senior global product manager for security product marketing, said in an e-mail interview that data breach incidents appeared "to have increased greatly in Asia" between 2009 and 2010.
"When the Albert Gonzalez sentence was published in the U.S., there was a sharp downturn in cases in the [country] and a corresponding jump in cases in the Asia-Pacific," said Scarabello. "At one stage, we had three independent cases come in on the same day from one Asian country."
Gonzalez, the hacker mastermind behind one of the most widely known identity fraud cases in the United States, was sentenced in March to 20 years imprisonment for stealing millions of credit card and debit card numbers from major U.S. retail chains.
Citing Symantec's 2010 State of Enterprise Security study, Ronnie Ng, the company's senior manager for systems engineering in Singapore, said 75 percent of organizations in the Asia-Pacific region, including Japan, experienced cyberattacks in 2009. These attacks, which contributed to data breaches, cost these enterprises an average of USD$763,000 in losses each.
The risk of a data breach is "now higher than ever before", Ng noted in an e-mail, particularly for organizations that have critical information assets including customer data and intellectual property.
On a more positive note, awareness among Asian businesses about the importance of securing vital corporate information has risen over the last two or three years.
Kan Shik Kiong, associate director for IT advisory at KPMG in Singapore, reported in an e-mail that the advisory firm has increasingly received "many requests for advice on data loss prevention (DLP)".
And businesses can do better in this aspect.
According to Kan, although more companies are deploying DLP technologies, most are "only implementing point solutions to address specific issues".
"It is still a big challenge for most companies to implement a comprehensive data loss prevention program in their companies as they lack insight into where, what and how to protect their information assets," he said. "The main reason may be that most of them do not have comprehensive data classification and handling policies in place."
P.F. Vilquin, director of security for Asia-Pacific and Japan at CA Technologies, pointed out that the state of enterprise data protection has not changed much over the past two to three years in most Asian countries. With the global economic crisis, companies in the last year or so also tended to focus on technologies that would help the business stay afloat or grow revenues, he said in an e-mail.
On top of that, Vilquin noted, data breaches in Asia are typically not subject to the same level of profile as in more regulated countries.
"[Data breaches] cost money to companies but they are unlikely to put them out of business, so the cost of completely protecting data is still seen as too high compared to the risk of exposure."
Also, he added that there is a strong tendency "to sweep actual incidents under the carpet" as the data protection regulatory landscape is "weak" in Asia.
"This means awareness remains low, maturity doesn't improve, understanding of the risks stays incomplete, risk at the country level is not properly assessed, and the need for regulation is not created. It's a vicious circle," he said.
Need for data protection regulations
According to Symantec's Ng, having a strong legal framework in place is important because it encourages companies to adopt the necessary measures to protect important information that they collect or process. In addition, it also heightens public awareness of the importance of protecting their personal data.
"Data breach notification laws provide an additional level of protection because the authorities and consumers can be notified early of any serious data breaches and consequently take the necessary steps to mitigate the impact of the breach," he said.
Within the region, there has been heightened public focus and discussions on data breaches and data protection, noted Ng.
Countries such as Australia, New Zealand, Hong Kong, Japan and Korea have put in place data protection laws. Australia, in particular, is considering implementing mandatory data breach notification and establishing developed guidance such as the voluntary breach notification guide and privacy impact assessment guide, he added.
Within Southeast Asia, Malaysia's Personal Data Protection Bill 2009 was recently passed by the country's lower house, and economies such as Thailand, the Philippines and Singapore have been contemplating similar legislation or have rolled out industry codes of practice in the interim, he noted.
Data protection legislation, however, does not only need to be effectively implemented, it also has to be enforced with appropriate penalties, Ng said.
Avoiding data breach
Legislation aside, the 2009 Verizon Business Data Breach Investigations Report revealed that nearly nine out of 10 breaches globally could have been avoided if security basics had been followed. On top of that, most of the breaches investigated would have been detected without the need for complex or expensive preventive controls.
To help Asian businesses better guard against a data breach, industry experts from CA, KPMG, Symantec and Verizon offered some practical tips.
1. Identify business sponsor and steering committee for DLP.
Other than having a dedicated champion and team to focus on data security, adequate resources ought to be channeled, said KPMG's Kan.
A DLP roadmap should be developed, which should include the identification of "quick wins" to plug the immediate gaps.
2. Assess and classify data.
CA's Vilquin highlighted the need to conduct security assessments that "go beyond the traditional perimeter threats". Companies should understand what the internal threats are, review data importance, and initiate data classification and processes to allow appropriate data access.
3. Practise good habits.
Verizon's Scarabello urged companies to change default credentials for both employees and third-party users, as well as avoid sharing of credentials.
The IT department should also patch comprehensively and work with human resources to ensure user accounts are disabled and access privileges removed, following termination of employment.
4. Automate security through IT compliance controls.
Symantec's Ng urged organizations to develop and enforce IT policies across their networks and data protection systems. Automating regular checks on technical controls, such as password settings, server and firewall configurations and patch management, will allow businesses to reduce the risk of exposing sensitive information.
5. Integrate prevention and response strategies into security operations.
To prevent data breaches, it is essential to have a breach prevention and response plan integrated into the day-to-day operations of IT security, Ng noted.
He added that organizations should continuously improve their strategy and progressively reduce risks by expanding their knowledge of threats and vulnerabilities.