2018 Press Releases

July 16, 2018

Will Cyber Security Threats Cost Malaysia US$12 billion?

Note from DSA Editor: According to Frost and Sullivan, in a survey commissioned by Microsoft, “Understanding the Cybersecurity Threat Landscape in Asia Pacific”, it will cost Malaysia exactly that much. It’s a great headline number; however, closer inspection would suggest the number is a little speculative. Based on interviews with 100 Malaysian businesses, Frost and Sullivan used a modicum of estimation on things like the cost of lost reputation and possible lost business to hit the headline. What we do know holds true is that cyber security threats are growing in Malaysia and they do cost money. According to F&S Asia VP Sapan Agarwal, US$180 million can be tied to cast-iron hard costs. However you skin it, cyber security breaches are getting increasingly costly and painful.
In an event to discuss the deeper findings of the survey and the implications for security, Microsoft, Cyber Security Malaysia and Frost & Sullivan provided speakers to explain just how the cyber threat is evolving, how business should mitigate that threat and the economic costs associated with the threat as identified through the survey itself.
Dr Mansor, National Technology Officer, reminded us of a now famous quote from former head of the FBI James Comey: “There are two types of Big Business. Those who have been hacked and those that don’t know they have been hacked.” The point is clear. In this connected age you will be hacked; it’s just a case of making sure you have the plans, procedures and policies to deal with it when, not if, it happens. He shared a statistic that the global average number of days between a cyber breach infiltration and detection is 99 days; Mansor suggested that in Asia it may be closer to 180 days, hitting home the point that companies are getting breached and may not realise. (Note from Ed.: In the case of cryptojacking this can mean expensive resources are being stolen, perhaps using legitimate resources for illegitimate aims.)
The key point that Mansor drove home, which was later reinforced by the other presenters was that Cyber Security is a catalyst for enabling business and organisations to undergo very necessary digital transformation. He pointed to the fact that to compete in the 4th Industrial revolution, companies need to employ technologies like Big Data, AI, IoT, mobile computing even virtual reality. However all of these are glued together and made functional by one underlying technology – The Internet – and ironically it’s the internet that opens up the unparalleled level of cyber security risk that business is experiencing today.
Frost and Sullivan’s Sapan Agarwal shared that their survey found 62% of Malaysian businesses cited fear of cyber-attacks as hindering digital transformation progress. Even if you dispute cyber security as an enabler of digital transformation, what seems indisputable is that a lack of modern cyber security capability is an absolute blocker to that transformation.
Cyber Security Malaysia’s CEO Dato’ Dr Amirudin reminded us that traditional cyber security tools simply can’t keep pace with the rate of change from the new high-tech threat. He explained that the only way to keep pace is to deploy new, modern, adaptive cyber security solutions that are able to utilise predictive detection techniques. He also reminded us just what the people behind these cyber threats look like. Criminals don’t put on a mask and use a gun to steal your money anymore. They are high-tech cyber criminals who use technology to take what they want. But fighting this threat requires more than just technology. Dr Amirudin highlighted that to fight the threat, organisations need to focus on People, Processing and Policy. Interestingly, all three experts made the point that despite the tech getting smarter, the weakest link in the security chain is still “people”, which is why Cyber Security Malaysia runs training for non-security users. Keeping all users of IT aware of the threat is arguably as important now as it has ever been, with phishing emails still having open rates as high as 25%.
Despite the increasing threat, Dato’ Dr Amirudin was proud to share with us that Malaysia is faring well, ranking third on the ITU Global Security Index for nations most committed to cyber security.
Frost & Sullivan’s Sapan delved a little deeper into the cost of cyber-attacks. He maintained that the real costs are “below the tip of the iceberg”, and explained that their calculations of cost involved inferred costs such as brand damage and lost business, so there is some subjectivity in the numbers. That said, it’s still an interesting stake in the ground. His findings show that for Malaysia’s largest companies the average cost of a security breach incident hit US$22.8 million; for a mid-sized company the figure was much lower at $36K, with the national average based on F&S calculations being $58K per security breach incident. We could argue the semantics of their calculations, but the point still comes through: security breaches hit companies in the pocket. Sapan went on to point out that in today’s world, where a security breach could impact production lines or even driverless cars, the impact can be health- or even life-threatening.
Perhaps the most telling stat that Sapan shared with us was not on cost but on complexity. He showed a correlation between the number of security products deployed by a company and the number of breaches that impacted the business. The general correlation was that as the number of products increased, so did the percentage of successful attacks. This brought vigorous agreement from both doctors in residence, with Mansor and Dato’ Amirudin confirming that in an age where the threat is getting more complex, the simpler you can keep your security solution, the more likely you will be able to stay ahead of the threat.
Full press release as follows:

Microsoft in collaboration with Frost & Sullivan today released the results of its study titled “Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World”. The study reveals that the potential economic loss in Malaysia due to cybersecurity incidents can hit a staggering US$12.2 billion. This is more than 4 percent of Malaysia’s total GDP of US$296 billion.
The study aims to provide business and IT decision makers with insights on the economic cost of cybersecurity breaches in the region and identify the gaps in organizations’ cybersecurity strategies. The study involved a survey of 1,300 business and IT decision makers ranging from mid-sized organizations (250 to 499 employees) to large-sized organizations (more than 500 employees).
The study reveals that more than half of the organizations surveyed in Malaysia have either experienced a cybersecurity incident (17%) or are not sure if they had one as they have not performed proper forensics or data breach assessment (36%).
“As companies embrace the opportunities presented by cloud and mobile computing to connect with customers and optimize operations, they take on new risks,” said Dr. Dzahar Mansor, National Technology Officer, Microsoft Malaysia. “With traditional IT boundaries disappearing the adversaries now have many new targets to attack. Companies face the risk of significant financial loss, damage to customer satisfaction and market reputation—as has been made all too clear by recent high-profile breaches.”
The findings of the study were launched in the presence of CyberSecurity Malaysia, Malaysia’s national cyber security specialist agency. “Cyber-attacks have become a common occurrence not just in Malaysia but around the globe,” said Dato’ Dr. Haji Amirudin Bin Abdul Wahab, Chief Executive Officer of CyberSecurity Malaysia. “The findings of this study provide businesses with a greater understanding of the economic impact of cyber threats. As cyber security specialists, we are grateful for the efforts taken by Microsoft in spreading awareness on the importance of cyber security and we hope our efforts in creating a safer cyberspace for Malaysia will continue to align."
The True Cost of Cybersecurity Incidents – Economic, Opportunity and Job Losses 
The study revealed that:

  • A large-sized organization in Malaysia can possibly incur an economic loss of US$22.8 million, more than 630 times higher than the average economic loss for a mid-sized organization (US$36,000); and

  • Cybersecurity attacks have resulted in job losses across different functions in three in five (61%) of organizations that have experienced an incident over the last 12 months.

To calculate the cost of cybercrime, Frost & Sullivan has created an economic loss model based on macro-economic data and insights shared by the survey respondents. This model factors in three kinds of losses which could be incurred due to a cybersecurity breach:

  • Direct: Financial losses associated with a cybersecurity incident – this includes loss of productivity, fines, remediation cost, etc;

  • Indirect: The opportunity cost to the organization such as customer churn due to reputation loss; and

  • Induced: The impact of cyber breach to the broader ecosystem and economy, such as the decrease in consumer and enterprise spending.

“Although the direct losses from cybersecurity breaches are most visible, they are but just the tip of the iceberg,” said Sapan Agarwal, Vice President, Asia Pacific, Frost & Sullivan. “There are many other hidden losses that we have to consider from both the indirect and induced perspectives, and the economic loss for organizations suffering from cybersecurity attacks can be often underestimated.”
In addition to financial losses, cybersecurity incidents are also undermining Malaysia organizations’ ability to capture future opportunities in today’s digital economy, with more than three in five (62%) respondents stating that their enterprise has put off digital transformation efforts due to the fear of cyber-risks.
Key Cyberthreats and Gaps in Malaysia Organizations’ Cybersecurity Strategies 
Although high-profile cyberattacks, such as ransomware, have been garnering a lot of attention from enterprises, the study found that for organizations in Malaysia that have encountered cybersecurity incidents, data exfiltration and data corruption are the biggest concerns as they have the highest impact with the slowest recovery time.
Besides external threats, the research also revealed key gaps in organizations’ cybersecurity approach to protect their digital estate:

  • Security an afterthought: Despite encountering a cyberattack, only 23% of organizations consider cybersecurity before the start of a digital transformation project as compared to 32% of organizations that have not encountered any cyberattack. The rest of the organizations either think about cybersecurity only after they start on the project or do not consider it at all. This limits their ability to conceptualize and deliver a “secure-by-design” project, potentially leading to insecure products going out into the market;  

  • Creating a Complex Environment: Negating the popular belief that deploying a large portfolio of cybersecurity solutions will render stronger protection, the survey revealed that 15% of respondents with more than 50 cybersecurity solutions could recover from cyberattacks within an hour. In contrast, 71% of respondents with more than 11 to 25 cybersecurity solutions responded that they can recover from cyberattacks within an hour; and

  • Lacking cybersecurity strategy: While more and more organizations are considering digital transformation to gain competitive advantage, the study has shown that a majority of respondents (42%) see cybersecurity strategy only as a means to safeguard the organization against cyberattacks rather than a strategic business enabler. A mere 20% of organizations see cybersecurity strategy as a digital transformation enabler.

“The ever-changing threat environment is challenging, but there are ways to be more effective using the right blend of modern technology, strategy, and expertise,” added Mansor. “Microsoft is empowering businesses in Malaysia to take advantage of digital transformation by enabling them to embrace the technology that’s available to them, securely through its secure platform of products and services, combined with unique intelligence and broad industry partnerships.”
Artificial Intelligence (AI) is the Next Frontier in Cybersecurity Defense
In a digital world where cyberthreats are constantly evolving and attack surface is rapidly expanding, AI is becoming a potent opponent against cyberattacks as it can detect and act on threat vectors based on data insights. The study reveals that almost three in four (73%) organizations in Malaysia have either adopted or are looking to adopt an AI approach towards boosting cybersecurity.
AI’s ability to rapidly analyze and respond to unprecedented quantities of data is becoming indispensable in a world where cyberattacks’ frequency, scale and sophistication continue to increase.
An AI-driven cybersecurity architecture will be more intelligent and be equipped with predictive abilities to allow organizations to fix or strengthen their security posture before problems emerge. It will also grant companies the capabilities to accomplish tasks, such as identifying cyberattacks, removing persistent threats and fixing bugs, faster than any human could, making it an increasingly vital element of any organization’s cybersecurity strategy.
Recommendations for securing the modern enterprise in a digital world
AI is but one of the many aspects that organizations need to incorporate or adhere to in order to maintain a robust cybersecurity posture. For a cybersecurity practice to be successful, organizations need to consider People, Process and Technology, and how each of these contributes to the overall security posture of the organization.
To help organizations better withstand and respond to cyberattacks and malware infections, here are five best practices that they can consider in improving their defense against cybersecurity threats:

  • Position cybersecurity as a digital transformation enabler: Disconnect between cybersecurity practices and digital transformation effort creates a lot of frustration for the employees. Cybersecurity is a requirement for digital transformation to guide and keep the company safe through its journey. Conversely, digital transformation presents an opportunity for cybersecurity practices to abandon aging practices to embrace new methods of addressing today’s risks;

  • Continue to invest in strengthening your security fundamentals: Over 90% of cyber incidents can be averted by maintaining the most basic best practices.  Maintaining strong passwords, conditional use of multi-factor authentication against suspicious authentications, keeping device operating systems, software and anti-malware protection up-to-date and genuine can rapidly raise the bar against cyberattacks. This should include not just tool-sets but also training and policies to support a stronger fundamental;

  • Maximize skills and tools by leveraging integrated best-of-suite tools. The best tools are useless in the hands of the amateur. Reduce the number of tools and the complexity of your security operations to allow your operators to hone their proficiency with the available tools. Prioritizing best-of-suite tools is a great way to maximize your risk coverage without the risk of introducing too many tools and complexity to the environment. This is especially true if tools within the suite are well-integrated to take advantage of their counterparts;

  • Assessment, review and continuous compliance: The organization should be in a continuous state of compliance. Assessments and reviews should be conducted regularly to test for potential gaps that may occur as the organization is rapidly transforming and address these gaps. The board should keep tabs on not just compliance with industry regulations but also how the organization is progressing against security best practices; and

  • Leverage AI and automation to increase capabilities and capacity: With security capabilities in short supply, organizations need to look to automation and AI to improve the capabilities and capacity of their security operations. Current advancements in AI have shown a lot of promise, not just in raising detections that would otherwise be missed but also in reasoning over how the various data signals should be interpreted with recommended actions. Such systems have seen great success in cloud implementations where huge volumes of data can be processed rapidly. Ultimately, leveraging automation and AI can free up cybersecurity talents to focus on higher-level activities.

This study is but one example of Microsoft’s approach towards creating a safer cyberspace for everyone. Microsoft’s continued efforts in terms of cyber safety are also apparent in the bi-annual Microsoft Security Intelligence Report (SIR), which provides in-depth data and insights into the threat landscape globally and in Asia Pacific.