Home SMEs are Achilles heel for ASEAN security The monthly magazine from Computer Weekly focusing on business IT in Southeast Asia NOVEMBER 2016 Mobile devices feed CWASEAN card fraud in ASEAN The problem of passwords and how to deal with it Security weakness Hackers are using small, unsecured companies for easy Lauri Love: the access to the secure networks of large organizations student accused of hacking the US computerweekly.com MACH/FOTOLIA VÁCLAV cw asean november 2016 1 DATA BREACHES Home SMEs are Achilles heel for ASEAN security SMEs are Achilles heel for ASEAN security Mobile devices feed card fraud in ASEAN Small to medium-sized enterprises in the ASEAN region could be serving as gateways for cyber criminals to gain access to large enterprises unless they improve their security, writes Ai Lei Tao The problem of passwords and how to deal with it mall and medium-sized enterprises (SMEs) have become personal details of 2,000 foreign nationals living in southern the preferred targets for cyber criminals. Not only are they Thailand during the testing stages. The data contained people’s Lauri Love: the often easy prey, but they offer a stepping stone to larger, names, addresses, professions and passport numbers. student accused S of hacking the US more lucrative corporate and government targets. While large enterprises have the resources and often place a According to Bill Chang, CEO group enterprise at Singapore priority on investing in shoring up their defenses, SMEs’ priori- Telecommunications giant Singtel, SMEs are “an entry point into ties can be very different. Most SMEs feel they are too small to the large organizations that are part of their supply chain”. attract the interest of a hacker or are unaware how best to protect The figures back this up. Smaller companies have been expe- themselves. They also lack the IT staff to ensure their systems riencing a steady increase in cyber attacks in the past five years, and networks are protected. according to Symantec’s 2016 Internet Security Report. The report found that 43% of all attacks in 2015 were targeted at small busi- Attacks are cheaper nesses with fewer than 250 employees. An SME owner’s assumption that the business is too insignifi- “Every partner that plugs into an enterprise environment brings cant to interest cyber criminals may have been true in the past, in a fresh set of vulnerabilities, which results in security lapses,” but that is no longer the case. The decreasing cost of compute said Nikhil Batra, research manager, telecommunications at IDC power and growth of automation allows cyber criminals to mass Asia-Pacific. “Hackers and malware developers are constantly on produce attacks at a fraction of what it used to cost. the lookout for such partner ecosystems, where they can creep “The cost of compute power has gone down and we can assume into a secure network through an unsecured partner.” this will continue,” said Mark McLaughlin, CEO at Palo Alto For example, in Thailand earlier this year, a third-party devel- Networks. “The advantage goes to the attacker as it means they oper commissioned by the immigration police briefly leaked the can launch bigger and more sophisticated attacks at less cost. cw asean november 2016 2 DATA BREACHES Home “When the cost of an attack goes down, the number of success- “In 2015, the median time it took the typical Asia-Pacific organi- SMEs are Achilles heel for ASEAN security ful attacks will go up at an alarming and exponential rate.” zation to know it had been compromised was 520 days – about Singtel’s Chang said: “This is a major issue as large enterprises 17 months,” he said. “The global figure is only 146 days and in have funding and resources to build or leverage security service Europe, the Middle East and Africa, it’s 469 days, according to the Mobile devices feed card fraud in ASEAN providers to increase their level of defenses, but SMEs either do 2016 Mandiant M-Trends Asia Pacific report.” not have the resources or do not bother.” The problem is compounded by the fact that Southeast Asia It is a popular myth that attackers have to force their way into is significantly more exposed to targeted attacks than the global The problem of passwords and how organizations. In fact, most breaches occur when attackers trick average. “In the second half of 2015, 27% of the organizations we to deal with it employees into letting them inside the organization, said Alex Lei, observed in Southeast Asia were exposed to at least one targeted regional director for Southeast Asia at FireEye. attack. This is almost double the global average of 15%,” said Lei. Lauri Love: the A particular challenge is the fact that most breaches in the Asia- student accused of hacking the US Pacific region never become public, as governments and industry- “LARGE ENTERPRISES HAVE FUNDING governing bodies may lack effective disclosure laws, according to the Mandiant M-Trends report. Also, SMEs are less likely to under- TO INCREASE THEIR DEFENSES, BUT stand attacks and report them to authorities. SMES EITHER DO NOT HAVE THE Breach losses not revealed RESOURCES OR DO NOT BOTHER” Symantec’s 2016 Internet Security Report found that in 2015, more companies chose not to reveal the full extent of the breaches BILL CHANG, SINGTEL they experienced, with an 85% increase in the number of firms that chose not to report the number of records lost. For instance, in January 2014, an employee of a contractor “In ASEAN, a lot of [cyber security] breaches are not shared,” engaged by KB Kookmin Card, Lotte Card and NH NongHyup said Chang. “But increasingly, countries will mandate that noti- Card used a portable hard drive device to steal credit card data, fication is mandatory when there is loss of customer, citizen and according to prosecutors in South Korea. Some 20 million cus- public data. Due diligence will take cyber security measures to a tomers were reportedly affected by the firms’ data breach. different level.” An added challenge, said Lei, is that Asia as a whole and Regulatory requirements can be a deterrent. For instance, Southeast Asia in particular are playing catch-up in cyber security. Singapore’s Computer Misuse and Cybersecurity Act (CMCA) cw asean november 2016 3 DATA BREACHES Home gives law enforcement agencies the power to investigate and and conduct surveillance work, monitor cyber threats and test the SMEs are Achilles heel for ASEAN security apprehend individuals or entities behind cyber crime. ability of supervised institutions to manage cyber security issues. Data protection laws can also encourage organizations to ensure Meanwhile, the Monetary Authority of Singapore took “appro- their IT infrastructure is secure enough to protect data. ASEAN priate supervisory actions” against Standard Chartered after the Mobile devices feed card fraud in ASEAN nations Malaysia, Singapore and the Philippines have introduced data of 647 of the bank’s wealthy clients was stolen in Singapore. comprehensive data protection regimes in the past five years. The data was taken from a server hired by Standard Chartered at Singapore has started to enforce this legislation, with the Personal a Fuji Xerox printing facility to print bank statements. The problem of passwords and how Data Protection Commission imposing a fine of S$50,000 on to deal with it karaoke chain K Box Entertainment Group for not having suffi- Mitigating the risk cient security measures to protect the personal data of 317,000 “The truth of the matter is that nobody can guarantee that an Lauri Love: the members, for inadequate data protection policies and not having SME or enterprise won’t be hacked or breached,” said IDC’s student accused of hacking the US a data protection officer. Its IT supplier, which was responsible for Batra. “It’s all about assessing the security landscape and miti- its content management system, was fined S$10,000. gating the risk. SMEs need to have plans in case of a breach. Regulators in industries such as finance are also playing their “Investing in security for enterprises and SMEs is like a country part. In the Philippines, the central bank has set up a separate investing in its nuclear arsenal – with the hope that they never cyber security surveillance division to craft cyber security policies have to use it.” n Editor: Karl Flinders Sub-editors: Bob Wells, Jaime Lee Daniels, Ryan Priest CW Production editor/design: Claire Cormack Vice-president APAC Jon Panker TechTarget/CW ASEAN © 2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without 55 B/C Tanjong Pagar Road written permission from the publisher. TechTarget reprints are available through The YGS Group. Singapore 088476 About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts. cw asean november 2016 4 CYBER CRIME Home SMEs are Achilles heel for ASEAN security Mobile devices feed card fraud in ASEAN Mobile devices feed Card fraud is rising in ASEAN countries, and high use of mobile devices is a contributing factor, reports Ai Lei Tao card fraud in ASEAN ard fraud is on the rise in ASEAN countries, mirroring a “The faster-maturing markets, such as Thailand, Indonesia The problem of passwords and how global trend, a study has found.