Cybersecurity confidence may be overstated in Singapore and Malaysia

In Singapore, Malaysia, and India, a newly released ISACA survey reveals that businesses are very confident—moreso than businesses in other regions of the world—that they will escape cyberattacks. That confidence may not be well-founded, esepcially in Singapore and Malaysia.

ISACA, which provides security training and advisory services, surveyed 3,659 people globally in late 2020, of which 154 respondents came from Malaysia and Singapore, 65% of which represent organisations with more than 1,500 employees. There were 210 respondents in India, of which 80% represent organisations with more than 1,500 employees.

Confidence in defences largely tracks with cyberattack expectations—except in Malyasia and Singapore

Of the Malaysian and Singaporean respondents, just 33% expect that their organisation will experience a cyberattack in the next year. Likewise, few Indian businesses (29%) expect to suffer a cyberattack in the next year. By comparison, 46% respondents in Africa and 58% in the UK expect that their organisations will experience a cyberattack in the next year. (There were 119 Africa respondents, 55% of which were in organisations with more than 1,500 people. There were 112 UK respondents, 63% of which had 1,500 or more employees.)

Of the respondents in Singapore and Malaysia, 67% said they are confident in the ability of their cybersecurity teams to detect and respond to cyberthreats. Of Indian respondents, 69% were confident. That compares to confidence levels of 75% in Africa and 81% in the UK.

So why do Malaysian, Singaporean, and Indian businesses believe they are less likely that peers in other regions to suffer a cyberattack despite their relatively low confidence in their abilities to fend off cyberattacks?

“It is hard to know exactly what is causing these lower expectations in India, Singapore, and Malaysia, but confidence in their team could be a factor, as lower confidence in security teams often results in more worry,” said Karen Heslop, senior director of content development at ISACA. Higher confidence in security teams tends to equate to less worry. Although the overall confidence levels in India (69%) is similar to that in Malaysia and Singapore (67%), Heslop noted that Indian businesses have a 46% rate of complete or very confident, versus just 27% in Malaysia and Singapore. That tracks with Indian businesses’ lower fears suffering cyberattacks.

Furthermore, 32% of African businesses and 37% of UK businesses reported being completely or very confident in their ability to repel cyberattacks, which tracks with higher percentages in both regions expecting to be attached in the next year.

That leaves Singapore and Malaysia as outliers, with fairly low levels of high confidence in their abilities to repel cyberattacks and also low expectations that they will be attacked.

Misplaced confidence or trying not to create a bad impression?

Andrew Milroy, founder of Veqtor8, a digital risk advisory firm based in Singapore, theorizes that the apparent dichotomy of misplaced confidence among Singapore and Malaysian cybersecurity professionals may have to do with trying to look good when responding to questions.

“ISACA is reporting its findings from a survey. Often survey respondents misinterpret questions, answer based on perception rather than fact, or answer inaccurately because they don’t want to create a bad impression,” he said.

For example, Milroy said he does not believe that 65% of organisations assess their cybersecurity maturity, certainly not in Singapore and Malaysia. “Yes, they are overconfident in the survey,” he said. “This is common—people don’t want to give the impression they are not confident, especially in Singapore. But in truth, their defences are full of holes. All companies are at greater risk than before and few, if any, are doing enough to manage risk.”

What Southeast Asian businesses should do to boost cybersecurity

Whether the respondents’ self-confidence is misplaced or reflects a desire to look good publicly, Southeast Asian businesses do need to improve their cybersecurity defences. “Cyberattacks have increased tremendously in Southeast Asia during the last 18 months, especially during the COVID-19 pandemic,” said Ashish Saxena, chairman of Haltdos, a cybersecurity company based in Singapore and India.

But cybersecurity investments have not kept up. “To the point made in the ISACA study, I can share that findings from our recent Cost of Data Breach Report 2021 study found that investment in security capabilities has lagged somewhat as organisations have had to respond to the pandemic by moving more to cloud-based activities and requiring their employees to work remotely,” said Derek Tay, integrated security leader at IBM ASEAN.

Saxena said the increase in cyberattacks is primarily due to remote work and its reliance ion remote connectivity. Utilities like Windows RDP (Remote Desktop Protocol), AnyDesk, and Windows TeamViewer are being used by most employees and third-party staff without even strong password protection, Saxena said, which has resulted in giving backdoor access to attackers on the server and consequently increased spread of malware on other machines and, in some cases, led to ransomware attacks.

“Countermeasures that we would recommend is for companies to provide secure remote access on need-to-know basis with multifactor authentication,” he said. “Users need to be made aware about the types of social engineering attacks with their modus operandi to avoid getting defrauded.”

Saxena also said that web applications are the frontline for any cyberattack, so securing web apps is critical for any organisation. “Therefore, in addition to security testing of apps, a web application firewall is an ideal tech solution that companies should adopt,” he said.

“The [IBM] study also suggests that security incidents are more costly and difficult to contain due to drastic operational changes during the pandemic. The financial industry was the most affected in ASEAN, with an average of US$4 million per data breach incident, followed by services and technology,” IBM’s Tay said. “Our study shows that in ASEAN, people-oriented controls such as board-level oversight and extensive testing of the incident response plan are the two most effective means of reducing the cost of a data breach,” he said; in Singapore, that reduction could be more than half million dollars per incident, he added.

“In addition, the implementation of technical controls such as encryption, artificial intelligence platforms, and security analytics help reduce cyberattack costs,” Tay said. “Unfortunately there are multiple economic challenges for business to cope with and, to a certain extent, probably only the larger enterprises are prepared with technology, process, and people. Much efforts are still needed for the midsize to smaller enterprises in terms of preparing for cyberattacks.”

Veqtor8’s Milroy also cautioned that businesses may not be highly motivated by some of the ISACA findings and recommendations, especially around the costs of reputational damage. “Reputational damage is not the primary concern for most companies. Lots of companies (think United Overseas Bank, Grab, and many others) in Singapore have been breached, and this has not affected their reputations badly,” he said. “The main concern is the operational cost of an outage or penalties for noncompliance, usually.”