One in four APAC firms not sure if they suffered security breach

A quarter of Asia-Pacific companies have experienced a security incident, while 27 percent aren't even sure because they haven't conducted any data breach assessment--even as the region is estimated to have lost US$1.75 trillion last year due to cyberattacks.
Written by Eileen Yu, Senior Contributing Editor

One in four organisations in Asia-Pacific have experienced a cybersecurity incident, while 27 percent cannot ascertain if they have because they do not conduct any data breach assessment.

And when businesses in the region fell prey to cyberattacks, a large enterprise--with more than 500 employees--could potentially suffer an estimated economic loss of US$30 million, revealed a study by Frost & Sullivan. Commissioned by Microsoft, the survey polled 1,300 respondents across 13 markets in the region including Singapore, Indonesia, Australia, India, Japan, and China.

In comparison, a midsize business--with 250 to 499 employees--could potentially suffer an average economic loss of US$96,000, the study found. Across all organisations in the region, cybersecurity incidents last year were estimated to have resulted in economic losses totalling almost US$1.75 trillion.

In Singapore alone, cybersecurity threats cost businesses US$17.7 billion in economic losses, with a large enterprise potentially hit with an average economic loss of US$13.8 million, while a midsize business could suffer a similar loss of US$177,000.

According to Edison Yu, Frost & Sullivan's vice president and Asia-Pacific head of enterprise, the research firm estimated the cost of cybersecurity incidents based on direct, indirect, and induced losses.

Direct losses encompassed factors such as drop in productivity, financial penalties, and remediation costs, while indirect losses looked at other variables such as job losses and customer churn as a result of the negative impact on the company's reputation.

To calculate induced losses, Frost & Sullivan assessed factors that could impact the broader ecosystem and economy, such as a drop in consumer and enterprise as the result of a security breach, explained Yu at a media briefing Friday.

Pointing to the study findings, the analyst said organisations in the region still regarded security as an afterthought, with just 25 percent of respondents that had experienced a cyberattack saying they would consider cybersecurity before starting a digital transformation project.

Some 34 percent that had not experienced an attack would do likewise, and the remainder either had assessed the role of cybersecurity after starting on a digital transformation project or had not considered security at all.

Stressing the importance of adopting a "security by design" approach, Yu noted that the lack of consideration for security at the start of any project could introduce insecure products into the market. He added that just 20 percent of Asia-Pacific businesses regarded a cybersecurity strategy as an enabler of digital transformation, with 41 percent viewing such framework simply as a way to protect their organisation against cyberattacks.

Such views also contrasted with the 59 percent that had put off their company's digital transformation efforts over concerns about cybersecurity risks.

The study also revealed that 67 percent in Asia-Pacific saw jobs lost due to cyberattacks, while 57 percent in Singapore also saw job losses across different business functions and not limited to IT.

And while ransomware dominated several headlines in the past year, Yu noted that companies were most concerned about data exfiltration, data corruption, fraudulent wire transfer, and online brand impersonation, because these had the highest impact, and slowest recovery time.

Describing them as silent killers, the Frost & Sullivan analyst said such threats could fester unnoticed while the hackers made away with volumes of data or money.

Too much security spoils the broth

He also advised companies against implementing too many security tools, as these could prove complex to manage and maintain. In fact, the study determined that 52 percent of Asia-Pacific companies with more than 50 different cybersecurity products experienced higher incidents, he said.

He added that the complexity of having to manage multiple tools also would lead to longer recovery time, with 45 percent of companies that had more than 50 security products needing more than a day to recover from a breach. In comparison, 37 percent with 26 to 50 security tools and 29 percent with fewer than 10 such products took a day to recover.

Asked where the biggest gaps were with regard to a company's security posture, Yu noted that phishing remained a leading cause of a breach, indicating that the human factor still played a big role. He stressed the need for companies to focus on the fundamentals, which meant urging employees to practise strong personal hygiene such as using robust passwords and not clicking on phishing emails.

According to Microsoft Singapore CTO Richard Koh, the software vendor scans 1.2 billion devices and detects 930 million threats on such devices each month.

Eric Lam, Microsoft's Asia director of enterprise cybersecurity group, said: "As companies embrace the opportunities presented by cloud and mobile computing to connect with customers and optimise operations, they take on new risks.

"With traditional IT boundaries disappearing, the adversaries now have many new targets to attack. Companies face the risk of significant financial loss, damage to customer satisfaction, and market reputation."
