Cyber-security threats to cost Malaysian organisations US$12.2bil in economic losses

By Digital News Asia July 13, 2018

Attacks have led to job losses in three out of five (61%) organisations over the last year
Cyber-security concerns delay digital transformation plans within organisations

Cyber-security threats to cost Malaysian organisations US$12.2bil in economic losses

MICROSOFT in collaboration with Frost & Sullivan on July 12 released the results of its study titled “Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World”.

The study reveals that the potential economic loss in Malaysia due to cyber-security incidents can hit a staggering US$12.2 billion (RM49.15 billion). This is more than 4% of Malaysia’s total GDP of US$296 billion.

The study aims to provide business and IT decision makers with insights on the economic cost of cyber-security breaches in the region and identify the gaps in organisations’ cyber-security strategies.

The study involved a survey of 1,300 business and IT decision makers ranging from mid-sized organisations (250 to 499 employees) to large-sized organisations (>than 500 employees).

The study reveals that more than half of the organisations surveyed in Malaysia have either experienced a cyber-security incident (17%) or are not sure if they had one as they have not performed proper forensics or data breach assessment (36%).

“As companies embrace the opportunities presented by cloud and mobile computing to connect with customers and optimise operations, they take on new risks,” said Microsoft Malaysia national technology officer Dr Dzahar Mansor.

“With traditional IT boundaries disappearing the adversaries now have many new targets to attack. Companies face the risk of significant financial loss, damage to customer satisfaction and market reputation — as has been made all too clear by recent high-profile breaches.”

The findings of the study were launched in the presence of CyberSecurity Malaysia, Malaysia’s national cyber-security specialist agency.

“Cyber-attacks have become a common occurrence not just in Malaysia but around the globe,” said CyberSecurity Malaysia chief executive officer Dr Amirudin Abdul Wahab.

The true cost of cyber-security incidents

The study revealed that:

A large-sized organisation Malaysia can possibly incur an economic loss of US$22.8 million, more than 630 times higher than the average economic loss for a mid-sized organisation (US$36,000); and
Cyber-security attacks have resulted in job losses across different functions in three in five (61%) of organisations that have experienced an incident over the last 12 months.

To calculate the cost of cyber-crime, Frost & Sullivan has created an economic loss model based on macro-economic data and insights shared by the survey respondents.

This model factors in three kinds of losses which could be incurred due to a cyber-security breach:

Direct: Financial losses associated with a cyber-security incident – this includes loss of productivity, fines, remediation cost, etc;
Indirect: The opportunity cost to the organisation such as customer churn due to reputation loss; and
Induced: The impact of cyber-breach to the broader ecosystem and economy, such as the decrease in consumer and enterprise spending.

“Although the direct losses from cyber-security breaches are most visible, they are but just the tip of the iceberg,” said Frost & Sullivan Asia Pacific vice president Sapan Agarwal.

“There are many other hidden losses that we have to consider from both the indirect and induced perspectives, and the economic loss for organisations suffering from cyber-security attacks can be often underestimated.”

In addition to financial losses, cyber-security incidents are also undermining Malaysian organisations’ ability to capture future opportunities in today’s digital economy, with more than three in five (62%) respondents stating that their enterprise has put off digital transformation efforts due to the fear of cyber-risks.

Key cyber-threats and gaps in strategies

Although high-profile cyber-attacks, such as ransomware, have been garnering a lot of attention from enterprises, the study found that for organisations in Malaysia that have encountered cyber-security incidents, data exfiltration and data corruption are the biggest concerns as they have the highest impact with the slowest recovery time.

Besides external threats, the research also revealed key gaps in organisations’ cyber-security approach to protect their digital estate:

Security an afterthought: Despite encountering a cyber-attack, only 23% of organisations consider cyber-security before the start of a digital transformation project as compared to 32% of organisations that have not encountered any cyber-attack.

The rest of the organisations either think about cyber-security only after they start on the project or do not consider it at all. This limits their ability to conceptualise and deliver a “secure-by-design” project, potentially leading to insecure products going out into the market.

Creating a complex environment: Negating the popular belief that deploying a large portfolio of cyber-security solutions will render stronger protection, the survey revealed that 15% of respondents with more than 50 cyber-security solutions could recover from cyber-attacks within an hour. In contrast, 71% of respondents with more than 11 to 25 cyber-security solutions responded that they can recover from cyberattacks within an hour.

Lacking cyber-security strategy: While more and more organisations are considering digital transformation to gain competitive advantage, the study has shown that a majority of respondents (42%) see cyber-security strategy only as a means to safeguard the organisation against cyber-attacks rather than a strategic business enabler.

A mere 20% of organisations see cyber-security strategy as a digital transformation enabler.

“The ever-changing threat environment is challenging, but there are ways to be more effective using the right blend of modern technology, strategy, and expertise,” added Mansor.

Artifical Intelligence (AI) is the next frontier

In a digital world where cyber-threats are constantly evolving and attack surface is rapidly expanding, AI is becoming a potent opponent against cyber-attacks as it can detect and act on threat vectors based on data insights.

The study reveals that almost three in four (73%) organisations in Malaysia have either adopted or are looking to adopt an AI approach towards boosting cyber-security.

AI’s ability to rapidly analyse and respond to unprecedented quantities of data is becoming indispensable in a world where cyber-attacks’ frequency, scale and sophistication continue to increase.

An AI-driven cyber-security architecture will be more intelligent and be equipped with predictive abilities to allow organisations to fix or strengthen their security posture before problems emerge.

It will also grant companies with the capabilities to accomplish tasks, such as identifying cyber-attacks, removal of persistent threats and fixing bugs, faster than any human could, making it an increasingly vital element of any organisations’ cyber-security strategy.

Recommendations for securing the modern enterprise

AI is but one of the many aspects that organisations need to incorporate or adhere to in order to maintain a robust cyber-security posture. For a cyber-security practice to be successful, organisations need to consider people, process and technology, and how each of these contributes to the overall security posture of the organisation.

To help organisations better withstand and respond to cyber-attacks and malware infections, here are five best practices that they can consider in improving their defence against cyber-security threats:

1 - Position cyber-security as a digital transformation enabler

The disconnect between cyber-security practices and digital transformation efforts creates a lot of frustration for the employees. Cyber-security is a requirement for digital transformation to guide and keep the company safe through its journey.

Conversely, digital transformation presents an opportunity for cyber-security practices to abandon ageing practices to embrace new methods of addressing today’s risks.

2 - Continue to invest in strengthening your security fundamentals

Over 90% of cyber incidents can be averted by maintaining the most basic best practices. Maintaining strong passwords, conditional use of multi-factor authentication against suspicious authentications, keeping device operating systems, software and anti-malware protection up-to-date and genuine can rapidly raise the bar against cyber-attacks.

This should include not just tool-sets but also training and policies to support a stronger fundamental.

3 - Maximise skills and tools by leveraging integrated best-of-suite tools

The best tools are useless in the hands of the amateur. Reduce the number of tools and the complexity of security operations to allow operators to hone their proficiency with the available tools.

Prioritising best-of-suite tools is a great way to maximise risk coverage without the risk of introducing too many tools and complexity to the environment. This is especially true if tools within the suite are well-integrated to take advantage of their counterparts.

4 - Assessment, review and continuous compliance

The organisation should be in a continuous state of compliance. Assessments and reviews should be conducted regularly to test for potential gaps that may occur as the organisation is rapidly transforming and address these gaps.

The board should keep tab on not just compliance to industry regulations but also how the organisation is progressing against security best practices.

5 - Leverage on AI and automation to increase capabilities and capacity

With security capabilities in short supply, organisations need to look to automation and AI to improve the capabilities and capacity of their security operations.

Current advancements in AI has shown a lot of promise, not just in raising detections that would otherwise be missed but also in reasoning over how the various data signals should be interpreted with recommended actions.

Such systems have seen great success in cloud implementations where huge volumes of data can be processed rapidly. Ultimately, leveraging on automation and AI can free up cyber-security talents to focus on higher-level activities.