July 7, 2017
About 96 percent of Malaysian companies are still in the infancy stage of digital security preparedness, according to an inaugural Asia Pacific survey jointly conducted by IDC and Singapore-based managed digital security services provider Quann.
These companies are vulnerable to cyberattacks due to "significant gaps in security device deployment, cyber awareness, resources and preparedness for attacks," said the Quann IT Security End User Study 2017.
To give some context, Malaysian companies are only slightly behind Singapore companies, as the study also said that 91 percent companies in Singapore are also in the early stages of security preparedness.
Some 150 senior IT professionals from medium-to-large companies based in Singapore, Hong Kong and Malaysia, formed the sample for this study, which assessed the companies' level of preparedness to cyber attacks and categorised them into four stages, with Basic Defence being the least mature.
The stages of the index are based on IDC's understanding of the range of organisational maturity globally, and is ranked against a globally established methodology. (See Appendix below.)
For each stage, the IDC IT Security Index addresses how capabilities across the five lenses - risk and governance, cyber security awareness, technology and architecture, resourcing, incident response and remediation - should change to foster the security maturity needed to compete in the new era of digital transformation.
The survey was conducted over the phone in 2H2016 with 150 senior IT professionals in Hong Kong (41), Malaysia (52) and Singapore (57). More than 90 percent of the respondent pool were from organisations with at least 300 employees - 45 percent from entities with 300-500 employees and 45 percent with 500-1,000 employees.
The Malaysia cut
Foo Siang-tse (pic below), who is managing director, Quann, said that some of top findings include:
- Almost all (96 percent) of the surveyed Malaysian companies are in the early stages of security preparedness
- More than half (52 percent) of the Malaysian respondents do not have a Security Operations Centre to monitor their networks and security devices for suspicious traffic
- Almost half (48 percent) of them have not conducted any form of IT security awareness exercise
The survey also finds that 38 percent of Malaysian respondents either do not have any incident response plans to protect the companies' networks and critical data in the event of a cyber attack or only react when a breach occurs, said Foo. Only one third (33 percent) of them practice their incident response plans.
He said cyber criminals usually target non-IT employees - the weakest link in cyber security. However, only 31 percent of the Malaysian companies require all members of the organisation -from the CEO down-to take part in IT security awareness training.
The study noted that many Malaysian respondents (71 percent) do not have a dedicated IT security budget and planning process.
Also, most Malaysian respondents do have a security lead but "he or she is not a dedicated resource and has other responsibilities at the same time. They also do not have round-the-clock security support, with 40 percent having security support only during work hours, and 21 percent only during the work week."
Security still not a board priority
Cyber security also has a low level of engagement from senior leadership in formulating IT security strategies, noted the survey. A majority (86 percent) of Malaysian respondents consult security executives, but only 17 percent of them will invite the executives to board meetings and involve them in risk assessment.
Lack of adequate security features to monitor and detect cyber attacks
While basic IT security features such as firewall and antivirus are widely deployed by the Malaysian companies surveyed, almost half (46 percent) of them do not have Security Intelligence and Event Management Systems to correlate and raise alerts for any anomalies.
Also, 52 percent of the Malaysian respondents do not have a Security Operations Centre (SOC) or a dedicated team to proactively monitor, analyse and respond to cyber security incidents that are flagged by the systems.
The lack of proper monitoring systems and processes means that anomalies picked up by security devices may go unattended and malware may reside and cause damage within corporate networks for long periods.
"Companies may consider working with an experienced cyber security partner to design, build and manage a 24/7 on premise Security Operations Centre that can quickly detect threats. Another option is to engage a Managed Security Services Provider (MSSP) that can provide a comprehensive suite of services, including 24/7 monitoring, regular vulnerability assessment and penetration testing and incident response and forensics," said Foo.
"The findings are worrying but they don't come as a surprise," he said. "Many companies are simply not investing enough in IT security, despite the obvious threats."
"The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable," Foo said. "The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg."
"Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals are critical in enabling them to detect threats early and mitigate their impact," he added.
Simon Piff, who is vice president of IDC Asia/Pacific's IT Security Practice, said: "Not all C-Suites in Asia are fully conversant with the fundamentals required to develop a robust cyber-security strategy, with the appropriate cyber security investments."
"Cyber security investments are akin to military spending - we do it in the hope that we would never have to use the tools," said Piff. "They need to understand that this is not a business ROI with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation."
For more recent local cybersecurity news, see:
WannaCry attacks: Former Malaysian hacker predicted healthcare target
Global ransomware attacks prompt national 'WannaCry' alert from CyberSecurity Malaysia
Crash Override, Industroyer malware: CyberSecurity Malaysia calls for critical infrastructure checks
Why Malaysia's PIKOM has not received a single WannaCry report
The latest edition of this article lives at Computerworld Malaysia.
Appendix: IDC's definitions of the key characteristics of the four maturity stages are:
Stage 1 - Basic Defence
IT security is perceived as an ancillary function and investments are restricted to the bare minimum. Compliance and governance distract from the day-to-day running of the business. There is limited capability to defend from anything but the most basic form of attack. No crisis response planning has been put in place.
Stage 2 - Tactical Knowledge
There is a minimal strategy for IT security and key technological solutions put in place. Whilst IT security is something that the IT team considers as important, the rest of the business consider it an issue only for the IT department. Senior management is lacking in engagement and understanding of critical systems and data.
Stage 3 - Strategic Intent
IT security is understood to be a concern for both the business as well as IT, with a dedicated lead. There is a clear delineation of security roles, and a Governance, Risk and Compliance (GRC) framework in place. While outsourcing is a consideration, it is kept minimal, and most technology and architecture are done in-house.
Stage 4 - Advanced Execution
A CISO is designated in the organisation, with clearly defined reporting lines to CEO. There are internal and external applications of IT security policies, and a well-informed workforce that understands the issues. A clear response strategy is in place and fully documented.