Just as I began this article, I was duly informed by e-ticketing startup Peatix that my user account information had been leaked. Details of approximately 4.2 million registered users including full names, email addresses, usernames, salted and hashed passwords had been made available for download on hacking forums. In the days after, my anxiety spiked when my Gmail blocked a sign-in attempt from the United States, and when I was logged out of several accounts that were linked to my leaked email address.
Rather than dismissing it as a one-off event, the incident can be read as just one out of many more breaches to come in the foreseeable future. After all, cyberattacks are increasingly commonplace due to the ubiquitous nature of the internet and rise of the digital economy. In October 2020 alone, two major announcements dominated the news. Personal information, including partial credit card numbers, from 1.1 million RedMart accounts was stolen from e-commerce platform Lazada and sold online. Similarly, data from approximately 2.8 million accounts of the restaurant reservation platform eatigo was offered in the cyberspace. Other notable tech firms that suffered privacy lapses this year include ShopBack, RedDoorz, and Grab.
Some of the affected users KrASIA spoke to seemed undeterred. Chia Xin Ying, whose account information was compromised in the RedMart breach, shared that the convenience of ordering groceries online is too hard to pass. “As a vegan, there are more options that are easily accessible on Redmart than the local supermarket. Furthermore, the data breach occurred under the old management. As Redmart is now under Lazada’s purview, I feel that there may be better data protection.”
The pandemic has accelerated the rate of digital adoption across Southeast Asia and brought lasting changes in consumer behavior. The latest e-Conomy SEA 2020 report by Google, Temasek, and Bain found that 36% of digital consumers were new to online shopping and 90% intend to continue using it post-pandemic. With 70% of the region’s population now online and an increased reliance on digital services, it is reasonable to expect that online platforms will continue to be a prime target for hackers. It begs the question—have data breaches become inevitable?
Yeo Siang Tiong, general manager for Southeast Asia at cybersecurity firm Kaspersky, seems to think so. “I would say that cybersecurity breaches are well and part of the ‘new normal’ we find ourselves in. In fact, a global survey we conducted back in 2018 revealed that 86% of 250 chief information security officers felt that cybersecurity breaches were inevitable,” he said.
Kumar Ritesh, founder and CEO of Cyfirma, a threat discovery and cyber-intelligence analytics company, said that “COVID-19 and rapid digitalization have proven to be the perfect storm to mount one cyberattack campaign after another. Hackers capitalize on the climate of fear and uncertainty to leverage social engineering tactics to steal credentials and gain unlawful access to corporate networks and data among others.”
Remote working has increased the risks
The former head of MI6’s cyber-intelligence arm also believes that remote working presents added attack surfaces when home networks are less protected than corporate networks. “Employee’s lack of cybersecurity awareness is a cause for concern as they inevitably fall prey to phishing attacks,” he said.
The increased volume and frequency of data breaches are mounting pressure on governments to enact better data protection reforms and privacy governance. Singapore’s amended data protection law, which was passed in early November, gives the Personal Data Protection Commission (PDPC) the power to impose stiffer financial penalties. Similarly, Australia has proposed to toughen its data privacy laws by raising the maximum penalty cap, imbuing relevant authorities with new infringement notice powers.
The deterrent policies are very much welcomed as they prioritize cybersecurity in the eyes of the public, enabling greater confidence in modern data management practices. However, both Yeo and Ritesh emphasized the need to complement the laws with continuous actions across the company such as engaging employees in cybersecurity awareness training, allocating dedicated staff to enforce security policies, and gaining access to threat intelligence tools.
“It is only in recent years that cybersecurity has entered boardroom agendas,” explains Ritesh. “Cyber risk has gained importance as business leaders experience the aftermath of cyberattacks. However, many organizations still perceive cybersecurity as a checkbox exercise to fulfil regulatory or policy compliance, particularly in Asia.” He warns that unless companies develop the habit to automatically insert cybersecurity considerations into both business and technology decisions, cyber risks and ensuing data breaches will continue to occur.
Unfortunately, organizations in Asia are at a higher risk of data breaches compared to other regions. According to FireEye’s M-Trends 2020 report, the median time APAC organizations need to detect cyber breaches from suspected intrusions is 94 days, which is significantly longer than the global median of 56 days.
Yeo says that the higher risk of data breaches in Asia is compounded by the fact that cybersecurity remains a relatively nascent sector within the region. “While countries such as Singapore and Australia are well ahead of the curve, others are still in the process of developing a comprehensive cybersecurity framework,” he said. “Additionally, we are also experiencing talent shortages in cybersecurity with an estimated 2.6 million cybersecurity workforce gap in APAC.”
Massive amounts of data
Asia is the home of many startup powerhouses with about 171 unicorns out of a total of 490 globally. “These companies hold massive amounts of information ranging from users’ financial records and spending habits to behavioral patterns and facial recognition data—a treasure trove for cybercriminals,” Ritesh said.
Yeo cautions against jumping to conclusions and attributing every data breach to incompetence and lack of preparedness. “We need to bear in mind that the digital economy landscape is rapidly evolving and it can be quite challenging for all companies to ensure that all aspects of their digitalization process are growing at an equal rate,” he said.
The issue, according to him, is not specifically limited to how organizations deal with threats but rather the emergence of multiple touchpoints for cybercriminals and a relaxed societal attitude towards privacy in the region. “The challenges are actually systemic in nature,” he said. Yeo cites another Kaspersky study conducted earlier this year which found that more than 20% of respondents in APAC are willing to sacrifice their privacy to gain a product or a service for free. A further 20% admitted they need some help to learn how to protect their privacy online.
How to prevent attacks
This echoes FireEye’s report which states that many of the cyberattacks begin with phishing, confirming the widely held belief that people are typically the weakest link in the security chain. Ritesh explains that it is important to build a basic level of ‘cyber hygiene,’ especially amongst employees and individuals, who must be educated on cyberthreats in order to mitigate its impact. To further minimize the risk of a successful attack, businesses should incorporate layered defenses with data and endpoint security, gateway-based security, automating scanning, monitoring, and malware removal, alongside other data protection strategies.
On a policy standpoint, Ritesh believes that the regulatory environment can be improved to build cyber resiliency. “One action to take would be to make incident reporting mandatory,” he said. “This will create a body of research data which can provide insights on threats and inform the government on strategies it can undertake to strengthen the nation’s cyber posture.” Another key area would be to impose mandatory risk and vulnerability assessments, at least biannually, on large enterprises. This would help identify threats early and remedies can take place to close any cybersecurity gaps.
Yeo recommends to involve all stakeholders into the cybersecurity strategy. “What we have learnt from data breaches is that the responsibility does not fall on any party alone,” he said. “The recurring theme is that proactivity is key.”
As the buck does stop with me, I proceeded to request for a password reset on my Peatix account knowing that I’m my own data’s first line of defense.