Being proactive is the best defence: Ixia

• Investment in security still varies wildly across Asia Pacific
• 7% of a company's annual revenue can be impacted in an attack

MANY organisations still do not fully appreciate the threat they are under, according to Ixia, the California-based company which provides test systems and service verification platforms for wireless and wired infrastructure and services.
 
Speaking to Digital News Asia (DNA) in Singapore recently, Ixia's vice president and general manager for Asia, Naveen Bhat, cited IDC research which found that 7% of a company’s annual revenue is impacted by a successful cyber-attack.
 
“With a second successful attack, the damage done is a compounded effect, as the brand image deteriorates more rapidly with a loss of costumer confidence,” he said.
 
According to another report conducted by the Centre for Strategic and International Studies (CSIS), a Washington DC-based think-tank, and commissioned by Intel Security, the losses associated with attacks on corporate networks and intellectual property theft cost businesses an estimated US$400 billion annually.
 
The report, called Net Losses – Estimating the Global Cost of Cybercrime, also warns that the global economic impact will continue to increase.
 
There are many factors fuelling the increase, the report noted, such as businesses severely underestimating the risks associated with intellectual property theft and cybercriminals acting faster to monetise the stolen information.
 
In addition, law enforcement globally suffers from inadequate resources to investigate cyber-attacks, while the cost of conducting attacks is inexpensive for criminals who rely on social engineering tactics and exploit widespread software vulnerabilities and configuration weaknesses to gain access to systems.
 
The main message Ixia seeks to convey to governments, policy-makers and organisations is to be proactive rather than reactive to the consequences of infiltration and compromised security.
 
“The reason we say that is because many companies still do not fully appreciate the threat that they are under. With a physical disaster scenario, everybody has an immediate mental image of what happens and can prepare accordingly, be it with structural fixes or contingency plans.
 
“But with cybersecurity, people can’t see what’s coming their way – there is no visual reference of impact and they don’t necessarily prepare for it. The only thing that happens during a cyber-attack is that your network goes down or there’s malware on a PC bleeding data out, and they don’t know about it until it happens,” Naveen said.
 
Helping this proactive approach is where Ixia believes it can do the most good, as a 15-year-old company listed on Nasdaq and currently worth US$600 million but “aiming for US$1 billion," according to Naveen.
 
He shared that the enterprise space was not always a sweet spot for the company with an historical competency as an IP/ Ethernet testing house, and a traditional customer base comprising telecommunications equipment manufacturers.
 
However, over the years and through a series of acquisitions, the company has broadened its portfolio and moved into the wireless and security realm as well.
 
“Our security solutions fall right under the enterprise high-spend areas, but for many people we’re a new entrant,” he said.
 
Naveen said that what the company does in security can be broadly classified as testing how resilient an organisation's network is.
 
“Testing network resiliency is a largely an offline activity, where we create a lab environment and test everything out for customers which want to know how well protected they are.
 
“The other is testing online, on a live network which is mainly concerned with transactions and online banking that is subject to attacks by malicious software. We tap the data coming in and check to see if there are any signatures of malware present,” he said.
 
Naveen said that while offline network testing has always been a significant portion of Ixia's business, online testing is rapidly growing in demand.
 
Navigating the extremes of Asia
 
The Asia Pacific region accounts for close to 30% of Ixia's total revenue, unlike the 5-10% of other vendors, accroding to Naveen (pic).
 
“As a result, what happens in Asia drives a lot of the company’s direction in terms of product direction and solution space,” he claimed.
 
However, Asia is far from a homogenous region and he was quick to point out that concerns around security are vastly different depending on which part of the region one decides to focus on.
 
“For example, India is a market where spend on security is high but not because of the domestic Indian market, but rather is being driven by all the international R&D (research and development) labs or facilities that do business overseas.

"While in China, right now it's a growing wide open space and can be considered the ‘wild wild East.’
 
“In contrast, in markets such as Japan, Singapore and Australia, the spend is high overall as everyone is concerned about having a safe secure environment to work with.
 
“And in markets such as Vietnam and Indonesia, spend on security is extremely low but they rank high as a source of malware and other malicious attacks,” said Naveen.
 
Asked about Malaysia, he said that at this point, the market was not high on the list as a source of cyber threats but it was also not high on security spending.
 
“At a CIO (chief information officer) forum in Indonesia, when revealed that the country had the highest number of malware as a country of origin in the region, nobody had a clue that it was the case. The consensus about what to do to address the problem was to just wait for something to happen, and remain in a state of blissful ignorance.
 
“That being said, it’s going to get interesting in markets such as Indonesia and Malaysia as they start to wake up to the reality of the problem, a process we’re starting to see happen slowly,” Naveen said.
 
While the banking and financial services industry is typically at the forefront of robust security measures, he argued that it was not the industry vertical with the most to lose in the event of a cyber-attack.
 
“It’s actually oil and gas with a revenue per hour metric of roughly US$2.2 million, while financial services is at US$1.5 million. Transport stands at about US$500,000-800,000 an hour.
 
“But the high awareness with potential financial services breaches is due to the consumer element to the business. If a bank is compromised, you feel that the money is lost; versus other verticals, with retail being number two on the list,” he added.
 
The awakening of Asian CIOs can’t come sooner as the migration to cloud environments has amplified security issues, with more potential entry points for attack, along with the bring-your-own-device (BYOD) trend adding a more diverse set of devices and machines to the network.
 
“The fact with LTE (Long-Term Evolution) networks is that every device is its own IP address, making it possible for attacks to originate from these end-points. These will all incrementally add to the security picture in the coming months,” Naveen said.

Next Page: The gap between spend and confidence, and the problem with securing security