Cybersecurity a rising concern
Calyn Yap 
Cybercrimes, especially ransomware, are fast becoming a top business threat. There is increasing concern over how cyberattacks affect business continuity. Multi-layer cybersecurity is the best solution, but the human element is still the weakest link.

Smaller companies are becoming increasingly aware of cybersecurity and cybercrime, as well as the implications to their business.

Although cybersecurity providers have been cautioning businesses on the rise of cybercrime for many years, it is only lately that more companies are taking the issue seriously, with some considering security measures.

Trend Micro technical sales manager Law Chee Wan says there has been rising interest in security solutions from companies in the past year, especially in light of ransomware activity picking up pace in recent months.

Ransomware is a type of malware that prevents users from accessing their system by encrypting files and demanding a ransom for release, with a time limit before the affected files are deleted.

The string of global WannaCry ransomware incidents in April had prompted more attention among businesses.

“A lot of enquiries were made when news of WannaCry spread. This variant attacks older Windows-based systems such as Windows 2003 and Windows XP, exploiting an existing Microsoft vulnerability,” says Law.

“All it takes is just one infected machine, and it will spread like wildfire without users having to do anything. It means instant interruption to business and loss of sales for every minute (the system is down).”

Trend Micro notes this highlights the real-life impact of ransomware, including crippled systems, disrupted operations, marred reputation and financial losses resulting from being unable to perform normal business functions. This is in addition to the cost of incident response and clean-up.

HP PPS Sales Sdn Bhd (HP Malaysia) MD Kym Lim says companies were not initially aware of the critical nature of security, but have developed interest due to the recent cases.

“There have been more requirements on information relating to ransomware and malicious software attacks, and customers want us to work with them to further educate their users. We’ve seen that increasing based on conversations we’ve had with our customers,” she says.

A matter of resources
In the case of the majority of SMEs, however, awareness is one matter and action is another.

Systech group CEO Raymond Tan Hock Ann, on the other hand, says the company’s experience with SMEs shows that the majority, if not all, are well aware of the perils and risks of cyberattacks.

He states: “The feedback we obtained is that given the current scenario where operating costs are rising and revenues declining, these SMEs are not willing to consider any investments into managing their cyber-risks.

“Given the possible fallout scenarios from a cyberattack on their business, these owners would rather take the risks than to have their profitability affected by investing to ensure their companies are cyber-resilient.”

Besides the investment required, however, a number of SMEs are still negligent when it comes to security practices.

Trend Micro’s Law says companies generally have security in terms of general antivirus programmes, but whether they are disciplined enough to do frequent updates is questionable.

He adds that not all companies are able and systematic in updating patches to operating systems and applications within servers and desktops. In some cases, patches for legacy systems such as Windows XP and Windows 2003 are not available or problematic.

HP’s Lim says users typically do not extend security considerations to devices such as printers, which leaves vulnerabilities in the network that hackers can exploit.

She adds: “Based on our understanding, the printer is the last thing companies will pay attention to, so it usually sits on an open network. That allows hackers to exploit it to get into the servers and network.

“It is part of the ecosystem, as printers can be a vulnerability. We don’t want to just sell them the device, but go beyond that by educating them to increase awareness and attention in protecting their IT system.”

This is why she says a secure print environment is key for businesses, as encrypted hard disks prevent hackers from reading and extracting data from print memory and document output protection ensures the safety of such data.

Building a secure foundation
Experts recommend multi-layer security as the best form of defence against cyberattacks.

“Multi-layer security makes it as hard as possible for hackers, as they have to bypass layers of security instead of just one. It makes it not worth their time, so they move on to easier targets,” says Trend Micro’s Law.

PwC Malaysia senior executive director Tan Cheng Yeong says there is a need to realise there is no such thing as full-proof security.

“Hackers, including organised criminals, will always find a way to bypass the security measures in place. However, to mitigate these risks, what we need to ensure is that our security infrastructure, design and set-up are ready to take on that attack challenge,” he opines.

He further says cybersecurity should go beyond security solutions as the sole defence mechanism and must be incorporated at the early stage of any technology development.

As an example, he points to how multi-layer security must be integrated into the development phase of new interface creation between financial institutions
and financial technology providers.

The weakest link
He adds: “Security practices such as secure design/coding must be practised from the start. This is an example of multi-layer security, whereby you have protection from your security solutions as well as a product that is designed with security in mind.”

That said, countering cyberthreats is not just about adopting technology and security solutions. The human element is the weakest link that hackers exploit.

Despite being one of the most cyber-savvy countries in the region, individual internet users here still take unnecessary security risks and lack knowledge of proactive steps to stay safe online.

“There has to be a check-and-balance process, as the human element is always the weakness. That has to be tackled through processes, although technology can help to an extent.

“When it comes to risks in technology or security, the security posture of the entire organisation has to have a more frequent review, half a year or yearly,” Law adds.

Changing threat landscape

The Symantec Internet Security Threat Report (ISTR) Volume 22 released in early May reveals that ransomware continues to escalate as a global problem and a lucrative business for criminals. It identified over 100 new malware families released and a 36% increase in ransomware attacks worldwide.

In addition, the report notes there is a spike in the use of email as an infection point, with one in 113 emails containing a malicious link or attachment last year, as compared to one in 437 in 2015.

Phishing rates continue to rise and spear-phishing – especially Business Email Compromise (BEC) – remains a concern. These are targeted emails claiming to have originated within the
company, which trick employees into divulging sensitive information.

Trend Micro technical sales manager Law Chee Wan (pic) says: “BEC is similar to email scams, but what hackers do is get into email accounts of high-profile executives such as CEOs and CIOs.

“By doing so, they can look into emails, find out how organisations do wire transfers and identify the people responsible for that.

“Then they impersonate the executives and send emails requesting wire transfers to fraudulent accounts.”

Law says hackers also disguise themselves as vendors or suppliers targeting property and construction companies that frequently do wire transfers.

There is also growing reliance on Cloud services that is leaving businesses open to attacks and Cloud security continues to be a challenge.

Moreover, the trend of Internet of Things (IoT) is gaining traction in Malaysia, and along with it comes security concerns as cyberthreats are also emerging in the IoT environment. More devices mean more vulnerabilities, and in turn additional risks of cyberattack.

This article first appeared in Focus Malaysia Issue 241.