Imminent threats to our digital culture

Approximately five hours – or about 20 per cent of a full day – that is how much time an average person spends online either on mobile or computers.

We may not realise it, but most of our waking hours are spent online, statistics by GlobalWebIndex showed. From the minute we wake up to notifications from half a dozen social medias, to the tired hours at the end of the day; streaming one last episode of an online TV show, we have without doubt incorporated the digital culture into our daily lives.

With so much of our personal and social activities as well as working and retail transactions revolving around the digital world, a huge amount of personal data are constantly being transferred and stored online.

And with that much important data, comes the question of keeping that data safe from prying eyes.

This year, data breach and cyber threats, in general, have become major concerns for governments, consumers, and conglomerates worldwide, particularly given the massive, wide reaching attacks seen within the first half of this year.

Just last week, still fresh in the wake of the WannaCry ransomware attack earlier this year, the digital world was once again shaken by another global ransomware outbreak.

The latest attack, which IT experts have deemed as a powerful cyberattack called ‘Petrwrap’; a modified version of Petya ransomware, started last Tuesday and similar to the WannaCry ransomware, the virus demanded money from victims in exchange for the return of their data.

In a news report by AFP, Sean Sullivan, a researcher at the Finnish cybersecurity group F-Secure, said the attack “seems to be done by professional criminals”, with money as the motivation.

He was reported as saying that unlike the recent WannaCry attack, the new attack had Generalsophisticated elements that could make it easier to rapidly infect many more systems.

Experts also said this latest attack could heighten fears that companies might be more vulnerable to cyberattacks than suspected, potentially putting personal data at risk.

The fight against cyber attacks has sparked exponential growth in global protection spending, with the cyber security market estimated at US$120 billion this year, more than 30 times its size just over a decade ago.

But even that massive figure looks set to be dwarfed within a few years, experts said, after ransomware attacks crippled computers worldwide in the past week.

That is not the end of it. Beyond ransomwares, as frequently as every other week, we would receive news of multinational companies’ systems being hacked, cyber espionages targeting government systems, global banks and financial institutions being under cyber threats, and more.

Cyber criminals are now constantly evolving to find ways to disrupt and manipulate our growing culture of going digital.

For Malaysia, while on average, a Malaysian would spend about two to three hours online daily, this number could rise as the government is on a mission to boost the development of the nation’s digital landscape to push the country into a high-income producing nation.

Furthermore, the government is also looking to expand the digital economy in Malaysia. With the establishment of various tech hubs, agreements with major international companies and more, Malaysia’s government aims to increase the contribution of the digital economy to its gross domestic product (GDP).

According to Treasury Secretary-General Tan Sri Dr Mohd Irwan Serigar Abdullah, the contribution of the digital economy to Malaysia’s GDP, at about 17 per cent currently, is expected to exceed the projected target of 20 per cent earlier than 2020.

“Seeing the rate at which Digital Economy Corp Sdn Bhd (MDEC) is bringing in the investments, we can achieve it (target of 20 per cent to GDP) earlier than 2020,” he told reporters after officiating the Malaysia Digital Hub and Malaysia Tech Entrepreneur Programme in Kuala Lumpur.

Similarly, in Sarawak, the state government is also aiming to build the state’s digital platform to push the state to the frontier of the digital revolution that is sweeping across the nation.

Hence, it becomes more vital for the Malaysian government as well as Sarawak’s government, businesses and consumers to be highly aware of the current cyber threats trends to better protect the nation, the state and themselves from being victims to these cyber threats.

“With Malaysia’s emphasis to continue growing and developing the Digital Economy, there needs to be an increased awareness on cybersecurity to improve Malaysia’s digital threat landscape.

“Businesses and consumers need to educate themselves about security risks and best online practices,” global IT expert Symantec suggested.

BizHive Weekly takes a look at the cyber threat landscape.

The heavy price of ignorance

With the rate of how fast and vast cyber attacks can spread throughout the world, it is still surprising to note there are still plenty of major organisations and companies that are unconcerned about beefing up their cyber security system despite having most of their day-to-day workflow synced with some form of ICT tools that is connected to the digital world.

While reports show that there has been a rise of concern regarding cyber risk but few company leaders are aware of the full extent of damage caused by a cyber breach, or the full costs of it.

It takes just one oblivious employee, or one phishing email, or one virus, to corrupt a whole system and disrupt a week or even years’ worth of business and cost a company millions.

According to Cisco’s 2017 Annual Cybersecurity Report (ACR), over one-third of organisations that experienced a breach in 2016 reported substantial customer, opportunity and revenue loss of more than 20 per cent.

A study issued by IT consultant CGI and Oxford Economics showed that cyber security breaches erode companies’ share prices permanently, with financials the worst hit Investors in a typical FTSE 100 firm would be worse off by an average of 120 million pounds or approximately US$156 million after such a breach, the report said.

Overall the cost to shareholders of these 65 companies would be in excess of 42 billion pounds (US$52.40 billion).

The heavy price of ignorance In some extreme cases, it pointed out that breaches have wiped as much as 15 per cent off affected companies’ valuations, substantially more than this sum.

Severe cyber security breaches, such as those having legal or regulatory consequences, involve the loss of hundreds of thousands of records and hurt the firm’s brand, caused share prices to fall on average 1.

8 per cent on a permanent basis, the analysis of 65 companies affected since 2013 globally has found.

“Financial services experience the greatest burden in terms of impact, reflecting the high levels of regulation, the importance of customer confidence and the potential for financial fraud to be a facet of the breach,” the report said.

Overall, Cybersecurity Ventures predicts global annual cybercrime costs will grow from US$3 trillion in 2015 to US$6 trillion by 2021.

These include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.

With the growing threat of ransomware, reports show that the cost of cybercrime could run up to billions more, yearly.

With that much amount of finances and brand reputation at risk, still, in Malaysia, about more than 50 per cent of Malaysian companies are unsure about their cyber security system.

According to Pricewaterhouse- Coopers (PwC) Malaysia’s Global Economic Crime Survey 2016 report, while almost half of Malaysian organisations (42 per cent) see an increased risk of cyber threats, more than half (54 per cent) are unsure of whether or not they are at risk.

This indicates a worrying lack of understanding of cyber risks in Malaysia’s corporate landscape.

“Responsibility for redressing cyber vulnerabilities starts at the top.

Yet our survey suggests that many boards are not sufficiently proactive regarding cyber threats, and generally do not understand their organisation’s digital footprint well enough to properly assess the risks – despite the fact that in several countries, boards have a fiduciary responsibility to shareholders when it comes to cyber risk.

“Surprisingly, less than half of board members globally actually request information about their organisation’s state of cyberreadiness,” it reported.

It further pointed out that only 35 per cent of Malaysian respondents to its survey say that they have a fully operational cyber incident response plan.

It highlighted that three in ten have no plan at all, and of these, nearly half do not think they need one.

BAE Systems Applied Intelligence Cyber Defence Asia Pacific & Japan vice president Gundeep Singh Sandhu said: “In our research we found that 95 per cent of respondents believe their organisation has the right security controls in place.

“Yet more than half (51 per cent) of those surveyed said they had experienced a cyber attack in the past year, with the average cost being at least RM1.712 million.

” Cyber risks are constantly on the rise at a faster rate, now.

Hence, businesses and agencies need to ensure that their systems are protected from these threats that are seen as getting more prevalent and sophisticated.


Better safe than sorry

There is no surefire way to ensure that a company or a system is completely protected from cyber attacks.

However, there are still plenty of ways to minimise the damage or avoid it altogether, if detected at an earlier stage.

According to Gundeep, “Almost every day we learn about new, sophisticated cyber attacks that have wreaked havoc on targeted organisations.

For organisations to be protected against the growing cyber threat, it takes more than just building a firewall, but awareness at top management levels.

“As such, we encourage all organisations to take this simple test to assess the strengths and weaknesses in their cyber security and understand where they might be most vulnerable to attack.

“At the same time, businesses must ensure they have the right people, processes and tools in place so when a major incident occurs, they have the ability to understand, contain and remediate.

If action isn’t taken immediately, the price of cyber ignorance – for the company and the wider economy – can be severe.

” Symantec Malaysia suggested various methods to protect businesses and consumers.


For Businesses

Don’t get caught flat-footed: Use advanced threat intelligence solutions to help you find indicators of compromise and respond faster to incidents.

Prepare for the worst: Incident management ensures your security framework is optimized, measureable and repeatable, and that lessons learned improve your security posture.

Consider adding a retainer with a third-party expert to help manage crises.

Implement a multi-layered defense: Implement a multi-layered defense strategy that addresses attack vectors at the gateway, mail server and endpoint.

This also should include two-factor authentication, intrusion detection or protection systems (IPS), website vulnerability malware protection, and web security gateway solutions throughout the network.

Provide ongoing training about malicious email: Educate employees on the dangers posed by spear-phishing emails and other malicious email attacks, including where to internally report such attempts.

Monitor your resources” Make sure to monitor your resources and networks for abnormal and suspicious behavior, and correlate it with threat intelligence from experts.


For Consumers

Change the default passwords on your devices and services: Use strong and unique passwords for computers, IoT devices and Wi-Fi networks.

Don’t use common or easily guessable passwords such as ‘123456’ or ‘password’.

Keep your operating system and software up to date: Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.

Be extra careful on email: Email is one of the top infection methods.

Delete any suspiciouslooking email you receive, especially if they contain links and/or attachments.

Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content.

Back up your files: Backing up your data is the single most effective way of combating a ransomware infection.

Attackers can have leverage over their victims by encrypting their files and leaving them inaccessible.

If you have backup copies, you can restore your files once the infection has been cleaned up.

Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.


What to do if you receive ransomware messages?

Symantec Malaysia Systems Engineering director David Rajoo shared that once the encryption process starts, there is little the user can do, as it happens very quickly.

He noted that it is unlikely that the user will notice the ransomware is encrypting until it’s too late.

But, if by a slim chance, the user realises in the seconds after running the malware, they may attempt to power off the machine, then use an external boot disk to boot the machine and run a cleaner tool.

This may prevent the ransomware from encrypting all the files.

“Any computer that has been infected should not be trusted.

It is always best to restore the computer either from a backup, or reset to factory using a recovery disk and then immediately update and apply all patches.

“These are important steps, as we have seen ransomware, that not just ransoms the users’ files, but also installs banking Trojans to clean out the users’ bank accounts, typically capturing the users’ banking details when they log into their bank to pay the ransom.

If the back-ups were not encrypted by the ransomware, it is unlikely that the files were infected,” he added.

Most important ly, those affected should never give in to these threat by paying the ransom stated, IT experts have warned.

In doing so, users will only fuel the growth of this senseless crime.

“Paying criminals is never recommended, as it feeds them and rewards them for their crimes.

There is also no guarantee that your files will be released back to you,” Symantec Malaysia stressed.


A continuous fight against cyber threats

We’re up against an uncertain future when it comes to cyber threats as the attacks can be very unpredictable given the rate of techn evolution.

Symantec Malaysia deemed that we face a new era of cyber crime, predicting a range of wide-reaching, fearful threats that are very realistic, based on past threats and current technologies in a recent statement.

It noted that rogue nation states could finance themselves by stealing money online.

“There is a dangerous possibility that rogue nation states could align with organized crime for their personal gain, such as what we saw in the SWIFT attacks. This could result in down time for countries’ political, military or financial systems,” it explained.

It also pointed out that fileless malware could increase while we could also see an increased on phishing sites using HTTPS.

New technologies such as drones and Internet of Things (IoT) devices also pose new threats and new vulnerabilities that cyber criminals could manipulate.

“This could be seen in 2017, but is more likely to occur further down the road. By 2025, we can expect to see ‘dronejacking’, which will intercept drone signals and redirect drones for the attacker’s benefit. Given this possibility, we can also expect to see anti-drone hacking technology being developed to control these devices’ GPS and other important systems.

“Connected cars will be taken for ransom. As cars start to have connected capabilities, it is only a matter of time until we see an automobile hack on a large scale. This could include cars being held for ransom, self-driving cars being hacked to obtain their location for hijacking, unauthorised surveillance and intelligence gathering, or other automobile-focused threats.

“This will also lead to a question of liability between the software vendor and automobile manufacturer, which will have long-term implications on the future of connected cars,” it highlighted.

Aside from that, it warned that IoT devices in the enterprise could increase points of exposure as beyond looking simply at computers and mobile devices for vulnerabilities, incident response teams would need to consider thermostats and other connected devices as jumping points into the network. Similar to how printer servers were used for attacks several years ago, nearly everything in an enterprise is now connected to the internet and will need to be protected.

In the hacking realm, ransomware, as we could see today, could be a huge issue we face this year.

Symantec Malaysia believed that aside from personal computers, ransomware could find its way to attacking cloud systems.

“Given the significant shift towards cloud-based storage and services, the cloud is becoming a very lucrative target for attacks. The cloud is not always automatically protected by firewalls or more traditional security measures, so there will be a shift in where enterprises need to defend their data.

“Cloud attacks could result in multi-million dollar damages and loss of critical data, so the need to defend it will become even more crucial,” it said.

Meanwhile, Barry Johnson, country manager (Malaysia) of International Services & Solutions, BAE Systems Applied Intelligence, pointed out that data breaches and cyber attacks are unfortunately very common today and it’s no longer the case of if an organisation will be attacked, but when.

“In today’s hyper-connected world, vulnerabilities are becoming increasingly sophisticated, targeted and difficult to detect. Hence, it is important for businesses to be continually thinking of what they can do next so as to stay ahead of the cyber threat,” he said.

He added, “In the battle for talent and the need to get more out of scant cyber resources, leaders will increasingly turn to gamification to engage with their teams and supercharge innovation.

“In 2017, the volume of personal data being stored and shared throughout the private sector, and between government departments, will continue to increase. As this happens, data privacy will become an increasingly critical discussion topic as the public starts to comprehend how their data is being used, and there will be a continuing tension between privacy and a frictionless customer experience.

“We predict 2017 will see the end of the age of innocence for senior business leaders and boards faced with cyber attacks; we will see more executives being held to account for security failures.”

Therefore, he pointed out that no longer could any internet-connected system be expected to be 100 per cent secure, and no longer could businesses get by without proper investment in cyber defence.

“However, companies will also realise they needn’t view security and privacy as a compliance burden, but as an opportunity to win the trust of their customers and differentiate themselves in the market.

“Just as we have agreed measurement standards for the health of the economy or vital services like education, we predict 2017 will see cyber security readiness measured in a more standardised way in a growing number of countries, and in a more all-encompassing manner; across more industries, threat vectors and data points,” he assured.

However, he pointed out that what that measurement looks like is a question industry, government and the wider business community must work out together.

For Sarawak, the state has taken a step forward in ensuring that a proper system is in place before pushing its digital economy forward.

In April this year, during a study tour to UK and a visit to BAE Systems headquarters in London, Chief Minister Datuk Amar Abang Johari Tun Openg stressed that it is imperative for Sarawak for Sarawak to establish a cyber-security defence system to ensure that the state’s digital economy stays safe, secured and reliable.

“We must have a state-of-the-art cyber security defence system to insulate our systems from cyber attacks from outside as well as inside perpetrators,” he emphasised.