At the start of the year, businesses at large were on a gradual trajectory towards replacing and revamping legacy digital systems in the office. By end-March, however, the Malaysian economy had been forced to its knees, thanks to the Covid-19 pandemic. Digital Edge spoke to several local and regional experts to explore a deeply underappreciated corollary of the rush to go digital in the post-Covid-19 environment: cybersecurity.
Are you using protection?
Zaman Ahmad, an independent cybersecurity consultant, says that, at first, businesses were unable to anticipate the sheer scale of the work-from-home movement. “A lot of companies had to scramble to purchase laptops and other devices for employees, because in the first half of the year, everyone was desperate to just stay afloat and bring in some kind of revenue. They had no choice but to radically alter priorities for their IT budgets.”
In fact, he adds, device sales experienced quite a boom over the last year, as the private sector rushed to get their employees set up and working from home. In all this, however, he saw one very worrisome trend.
“While I noticed a surge in device sales, I had not seen a proportionate increase in the sale of cybersecurity products and services. In my opinion, inquiries and sales around cybersecurity suites failed to keep pace with the hardware.”
This implies a potentially drastic increase in new and vulnerable devices, spread across disparate locations, a vast number of which are likely to have to interface with businesses’ digital networks at some point this year.
“Although there was an element of inexperience and general lack of awareness around the need for cybersecurity protocols, I had also spoken to business leaders who made conscious decisions to prioritise the purchase of devices at the expense of an equivalent amount of cybersecurity protection.”
Zaman chalked this behaviour up to pressing short-term needs outweighing longer-term security considerations.
“Prior to the pandemic, bosses had not considered the need for entire workforces to be home-bound. And with the economy having essentially ground to a halt, businesses were desperate to just stay afloat. That meant giving employees the tools to continue working remotely, even if that meant devices would not always come with certain levels of protection.”
Cybersecurity as a reporting requirement
The number of cybersecurity incidents had already been on a consistently upward trajectory when the pandemic forced much of the global economy to work from home.
A May 2020 study by virtual private network (VPN) provider Atlas VPN found that the number of global breaches in 1Q2020 surged 273%, compared with 1Q2019. The number of hacked or accidentally exposed files also hit record highs in the first quarter of the year.
In all of this, could cybersecurity readiness and incidents eventually become a reporting requirement across the world? According to global consultancy giant Bain & Company, at the very least, consumers would have some level of protection if laws are instituted to mandate such reports and disclosures across the world.
To be fair, such reporting requirements already exist to some extent, even in Malaysia. At present, however, these requirements typically extend only to the financial services and insurance industries, as well as public-listed companies. Is it time to make this a general requirement across the board?
According to the firm’s global cybersecurity advisory services co-head, Syed Ali, at present, a majority of cybersecurity breaches go unreported, because either they have yet to be detected or businesses have made a decision to stay silent to avoid the public relations fallout.
He says: “The majority of cybersecurity incidences that do come to light are legally mandated. For example, the European Union’s (EU) Global Data Protection Regulation (GDPR) is a relatively new legal framework that requires companies around the world to report any form of breach that has impacted the consumer data of an EU citizen.
“We have seen companies complying with these requirements but, also, it should be noted that unless similar regulations are enacted to protect consumers in other jurisdictions, companies would not necessarily be under any legal requirement to report breaches that might impact consumers in these jurisdictions.”
Devices and data
As a starting point for making sense of and keeping track of the various devices accessing an internal network, businesses should first attempt to identify and categorise devices according to their relative levels of safety and priority.
Alvin Rodrigues, field chief security officer of global networking company Infoblox’s Singapore operations, advises businesses to segregate devices into three broad categories: managed and approved devices; owned and approved devices; and third-party and unapproved devices.
“The first category typically refers to devices directly owned by the company and are therefore pre-loaded with various security protocols and regularly updated. These devices are then given to employees as a means to run company business on.
“As for the second category, these devices are owned by employees, but have nonetheless been flagged to the business and approved for company use. Employees will usually be required to download various security protocols onto their private device, after which they will be able to use it for company business.
“The third category would be third-party, unapproved devices. These are unknown, unrecognised devices connecting into company networks. It may be as risky as an employee accessing company networks on a public desktop at an internet café or something as seemingly innocuous as using a relative’s device.”
Rodrigues recommends relatively low-cost strategies that can be quickly implemented, including using well-regarded antivirus software on all devices. “Antivirus software is now advanced enough, for example, to immediately detect a threat even before a webpage loads. Users should never ignore warnings like these,” he says.
He also advises businesses and employees alike to ensure that their devices are fully patched and running the most updated versions of operating systems and enterprise apps.
“One sees this frequently with Apple or Android phones. These devices tend to come with regular notifications about updating or patching the operating system. The reason these patches occur is that experts may have detected certain vulnerabilities, which they then patch. These patches are subsequently delivered to all relevant devices, thus improving the device’s security.
“Finally, everyone should maintain different passwords for different devices, and regularly change these passwords. Humans are the weakest link in the cybersecurity chain, but even so, the simple act of using different passwords is the lowest-cost, lowest-effort strategy to protect yourself from harm.”
Money or livelihood
Throughout the year so far, Malaysian businesses have increasingly become targets for ransomware attacks, according to Alan See, CEO of penetration testing outfit Firmus Sdn Bhd.
Ransomware refers to malicious third parties surreptitiously installing software that encrypts a business’ critical files, directories or even entire groups of workstations. This effectively locks the rightful owner out of these assets, thus crippling the business.
“If these businesses want to regain access to their assets, they are required to pay a ransom to these bad actors, usually in the form of cryptocurrency. For many of these businesses, the hope is that if they pay the ransom, the malicious third party would then provide them with a digital decryption key, allowing them to regain control of their systems and data.”
This is by no means a given, See warns, as there really is no guarantee that the bad actors would even provide a legitimate decryption key, or that they will not attempt another attack at some point in the future. “We tend to advise companies not to pay the ransom, because they risk losing a lot of money without ever regaining control of their systems,” he says.
Software like this is able to penetrate a business’ networks because in many instances, employees (and even leaders) can be subject to social engineering by bad actors.
According to See, social engineering entails malicious parties conducting various online and offline searches of particular individuals within a company. “For example, an attacker might first send an email to a high-level target, pretending to be from an executive headhunting service.
“The attacker will attempt to induce the target to either download an attachment or, more likely, to click on a link and fill out his personal details. Once the attacker gains access to details such as usernames and passwords, the attacker is then able to install ransomware into the business’ servers.”
Psychology is half the battle
One industry player, Joachim Sebastian of local e-commerce solutions provider Everpeaks, says today’s cybersecurity concerns are as much psychological as they are technological.
“People here have not really internalised the fact that if you’re participating in the e-commerce value chain, you must assume that everything is untrustworthy unless proven otherwise.”
Given the traumatic year so far, entrepreneurs, desperate for leads and sales, tend to lower their guard and trust in people who prey on this desperation, Sebastian says.
“It’s a fairly typical experience in e-commerce — imagine someone who has struggled with sales for the past year and makes the jump into e-commerce channels. Very soon, he receives an email from someone purporting to be a possible client, asking for his list of products and prices. He’s soon directed to a link where he’s asked to fill in personal details.
“Today’s cybersecurity suites are actually very strong, and the technology is such that it can be impossible for all but the most committed attackers to breach. That’s why attackers have learnt to prey on a retailer’s desperation for sales.”
Alternatively, an attacker may attempt to induce another form of anxiety by pretending to be from a legitimate website such as PayPal. An e-commerce retailer is likely to have a PayPal account, so an attacker might send an email to a retailer, being sure to include a link that resembles PayPal’s legitimate domain name.
The email might warn the user that his PayPal account has been suspended, or is about to be frozen, unless he logs in and confirms ownership of the account. If a retailer is not careful and fails to spot the subtle differences between the fake portal and the real one, he might just end up signing away his livelihood.
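The "subtle differences" between a fake portal's address and the real one can be checked mechanically before anyone logs in. The sketch below is an added example, not part of the original article: it assumes a small allow-list containing the one domain a retailer really uses for PayPal, and the sample links are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: an allow-list mapping a brand name to the
# one domain the business really uses for it.
TRUSTED = {"paypal": "paypal.com"}
# Digit-for-letter swaps often used to imitate a name (not exhaustive).
SWAPS = str.maketrans("1035", "loes")


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url):
    """Classify an absolute URL as 'legitimate', 'lookalike' or 'unrelated'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    # Only the exact domain or a true subdomain of it counts as legitimate.
    for domain in TRUSTED.values():
        if host == domain or host.endswith("." + domain):
            return "legitimate"
    # Text before '@' is userinfo, not the host, but can display the brand.
    text = f"{(parts.username or '').lower()}.{host}"
    for token in re.split(r"[.-]", text):
        plain = token.translate(SWAPS)
        for brand in TRUSTED:
            if plain and (brand in plain or edit_distance(plain, brand) <= 1):
                return "lookalike"
    return "unrelated"


# Constructed sample links; example.* names are placeholders.
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://paypa1.com/signin",
    "https://paypal.com.account-check.example/login",
    "https://paypal.com@login.example/",
    "https://shop.example.org/cart",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10}  {link}")
```

A "lookalike" result means the link borrows the brand's name without belonging to its domain, which is the pattern the suspended-account email relies on; such links are best reported rather than opened.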