More regulations necessary for APAC cybersecurity

With hacking services easily available online, the region should assess the need for more stringent policies to improve its security posture as well as encourage businesses to belt up.
Written by Eileen Yu, Senior Contributing Editor

To aid the fight against cybercrime, organisations operating in the Asia-Pacific region should be strongly encouraged to report security loopholes and breaches, and government regulations may be one of the most effective ways to ensure this.

With cybercriminals widening their targets and hacking tools easily available online, all organisations should be concerned about their security posture and guarding against potential attacks.

Bradley Marden, Interpol Digital Crime Centre's coordinator for digital crime investigative support, said organised criminal groups were no longer simply focusing on financial institutions. Noting that hackers today would put a pretty broad net, he explained: "Now they're being more creative in monetizing the compromise and not limiting themselves to banks and financial institutions, where previously they would target just bank accounts and credit card information."

Based in Interpol Global Complex in Singapore , Marden added that banks were getting better at stopping cyberattacks, prompting hackers to adapt and widen their target. A widget developer, for instance, might be a target if their tool provided access to email.

And why target email? Because it remains one of the most popular intrusion tools.

Some 30 percent of attacks are launched through email and this form of attack provides hackers a 25 percent success rate, in which users will likely to click on the email, according to Eric Chan, Fortinet's regional technical director for Southeast Asia and Hong Kong.

Both Marden and Chan were speaking to ZDNet in an interview this week, on the sidelines of a Fortinet customer event.

Chan noted that companies also typically focus their attention on desktops and servers, but a hacker's point of entry into their network could come from any device. Chan pointed to the Home Depot breach in 2014, which affected 56 million payment cards through a malware in the retailer's point of sales (POS) terminals.

He further stressed the need for more education and awareness about the importance of robust cybersecurity policies.

A June 2015 study by BSA found several markets in Asia-Pacific to be lacking or slow in implementing national security strategies and legal frameworks to protect critical infrastructures. China, Indonesia, and South Korea, for instance, were hindered by local standards and testing requirements that were not in line with global best practices. Indonesia also had yet to implement a national cybersecurity plan, while other nations such as China, Korea, Malaysia, and Vietnam had some measures in place but are still in the midst of developing their cybersecurity infrastructures.

According to Chan, the lack of security strategies in the region was "obvious", but he noted that governments were increasingly aware of the need for one.

He added that it would help to make some policies mandatory, for instance, passing a law to make it compulsory for businesses to report cybersecurity breaches; this has been implemented in the US, Chan said. "You also see CEOs resigning after a severe breach, but this is not necessary the case in the Asia-Pacific region," he noted.

Senior management teams in all organisations must recognize that to place equal importance on security as they do on business growth, in order to achieve the latter. If this mentality trickles down to the rest of the organisation, it will help improve the overall cybersecurity environment.

However, today, many companies still see security as a cost, rather than a necessary component to support their business, Chan said.

Marden recommended businesses kept detailed log of their network activities, which would help track the source of attack in the event of a breach.

He noted that the Interpol, as a politically neutral outfit, was not actively engaged in discussions with governments regarding cybersecurity regulations, but strongly encouraged organisations to report breaches to the relevant authorities.

"That's how we catch the criminals, so they should report any attack," he said, adding that most countries today would have some form of a cybercrime unit within their law enforcement.

Increasing risk for IoT, open source

Chan also issued a reminder for organisations to ensure their patches were updated, noting that the number of attacks on known vulnerabilities had been on the incline. He pointed to studies that showed 99 percent of vulnerabilities remained unpatched a year after they were discovered.

He added that advanced persistent threat (APT) attacks and mobile malware were on the rise, with hacking attempts becoming more targeted. Some 70 percent of malware targeted specific organisations, he said.

Internet of Things (IoT) and open source platforms also were seeing increasing cyberattacks, Chan said, noting that many IoT devices ran on the open source kernel.

"I have no doubt IoT will be a criminal goldmine," Marden said. He noted the increasing complexity of managing many different devices running on different operating systems, as well as different variations of an operating system.

Amid this multi-faceted environment, he urged users to be cognizant about safeguarding their security well-being.

Editorial standards