
REVIEW 2015

As world goes online, so do criminals and hackers

Organisations in South-east Asia are 45 per cent more likely to be attacked by cybercriminals than the global average.

Singapore

AS THE world moves into an era of connected devices, big data, cloud computing and Internet of Things (IoT), more data is being produced in a year than in all of human history. Some estimates calculate that as much as 90 per cent of all the data in the world was generated over the past two years. As an example of the exponential growth of data, this same statement can be repeated two years later and still remain true.

Most of this data resides online and much of it is valuable information and thus a magnet for criminals and hackers, security experts and company heads told The Business Times.

Cyber security company Trend Micro's Singapore country manager, David Siah, observed that 2015 has seen a number of high-profile attacks globally, "serving as a strong warning that no company is safe in the war against cyberattacks".

Giving some examples, Mr Siah said health insurance company Premera BlueCross BlueShield was breached in January, which affected as many as 11.2 million subscribers and business partners.

In the public sector, the Internal Revenue Service (IRS) in the US was attacked in May. At least 334,000 taxpayers had their information stolen, and nearly US$50 million in refunds were siphoned when attackers used stolen accounts to file fraudulent tax returns.

The most infamous cyber security incident this year was the Ashley Madison data breach which affected about 37 million users - a perfect example of hacktivism, said Mr Siah.

As Singapore moves to become a Smart Nation, the government is well aware of the danger of cyber-attacks as more services and data become available online.

Speaking at the Governmentware 2015 conference in October, Yaacob Ibrahim, Minister for Communications and Information, and Minister-in-charge of Cyber Security, said countries such as Israel and South Korea prescribe the level of cyber security expenditure required every year. Israel stipulates that 8 per cent of its total government IT budget must be allocated to cyber security, while in South Korea the figure is as much as 10 per cent.

Singapore will adopt a similar approach for government Infocomm Technology (ICT) projects. The newly set up Cyber Security Agency (CSA), the apex body in charge of defending Singapore's cyber borders which started functioning from April this year, has been asked to see how this can be institutionalised beyond the government Critical Infocomm Infrastructure (CII) sector.

Early this year, security vendor FireEye noted that a hacking group, purportedly from China, has been silently targeting several countries, including Singapore, over several years.

It is estimated that 33 per cent of organisations in the Asia-Pacific region were exposed to targeted cyber attacks in the first six months of this year. In South-east Asia, organisations were found to be 45 per cent more likely to be attacked than the global average.

Under the National Cyber Security Masterplan 2018, the government is making continuous efforts to enhance the protection of CII and improve cross-sector response to mitigate widespread cyber attacks. It also plans to work closely with critical sectors on cyber security.

Ron Totton, BT Global Services' managing director for South-east Asia, noted that in 2016 and beyond, security will stay at the very top of the agenda for CIOs (chief information officers) and business leaders, especially when they look at leveraging opportunities in the cloud.

"The risks associated with cloud computing are another business risk to be managed through robust governance practices, and those risks increase as organisations embrace cloud services hosted outside of their own estate," Mr Totton said.

BMC Software's Asia-Pacific president, Gavin Selkirk, added that 2015 saw cyber security become a board-level discussion as many high-profile brands fell victim to vulnerabilities, attacks and data breaches. He noted that it is taking "far too long to address vulnerabilities, essentially giving hackers an open door to access anything they consider valuable".

Mr Selkirk said that 80 per cent of vulnerabilities are known, yet it takes an average of 193 days to patch these vulnerabilities - meaning that companies are exposing themselves to a potential breach for more than six months at a time.

"In 2016, it's not a matter of if your enterprise is going to get hacked, it's a matter of how and when. BMC expects more organisations to seek out internationally recognised data protection accreditation, like Binding Corporate Rules (BCRs), which allow secure data transfer across borders while continuing to comply with local rules and regulations," he added.

Sanjay Aurora, Asia-Pacific managing director of cyber security services provider Darktrace, noted that in 2015 countries like Singapore and New Zealand introduced cyber security toolkits for SMEs (small and medium-sized enterprises). "This is a good step in educating employees beyond the IT department on the sophistication and seriousness of today's threats," he said.

He added that 45 per cent of boards now participate in the formulation of security strategy - cyber security has become a common topic during boardroom discussions, with C-level initiated policies being developed to address cyber threats.

"As a next step, security professionals must become more conversant with business risks and business objectives, rather than remain as narrow and deep technological experts. Overall, these developments will help businesses better safeguard revenue, reputation and intellectual property."

Trend Micro's Mr Siah noted that 2016 will be a year of online extortion, which means online threats will evolve to rely more on mastering the psychology behind each scheme than leveraging the technical aspects of the operation.

"Trend Micro's research indicates that attackers will continue to use fear as a major device of attack, since it has been proven effective in the past. We will also see more hacktivists breaching systems of high-profile targets to steal data for lucrative returns."

He observed that mobile malware will continue to affect users globally due to the availability of third-party platforms and channels that offer free app downloads, especially in markets like China. Given the user behaviour, there is no stopping the exponential growth of mobile malware at a rate that's projected to reach the 20 million mark globally by the end of 2016. "The recent WhatsApp malware debacle is another piece of evidence of the rise in mobile malware in places closer to home," Mr Siah said.

He noted that cybercrime legislation will become a global movement. "In September we saw it in the continued arrests and sentencing of various individuals like the Russian national behind the Citadel Trojan malware and another Russian cybercriminal who pleaded guilty to targeting payment processors," he said.

"In Europe, the EU is in talks to implement the General Data Protection Regulation (GDPR), where privacy by design and privacy by default principles are obligations for data controllers, which will inevitably affect businesses operating in the EU or targeting EU consumers."

Singapore has enacted the Personal Data Protection Act (PDPA) since 2013, but has not done anything for data breaches. Following the footsteps of the US and Canada, Singapore is in discussions on implementing a law that requires companies and organisations to notify their customers once a breach takes place, Mr Siah added.
