In ASEAN, the COVID-19 pandemic has led to an increase in digital transformation, from banking and manufacturing to the healthcare and insurance businesses. An increase in connectivity among businesses, customers and employees, has created an environment where there are more opportunities for cyber-attacks.
“Millions of employees worldwide who are suddenly working from home and highly sophisticated actors are threatening the databases,” said Sandeep Kumar, resiliency services leader, Global Technology Services at IBM ASEAN.
According to Interpol’s ASEAN Cyberthreat Assessment report, the average cost of a data breach is US$3.86 million, and the average time to identify and contain a breach is about 280 days. In ASEAN, “ransomware continues to plague businesses and consumers, with indiscriminate campaigns pushing out significant volumes of malicious emails.” Phishing and Business E-mail Compromise (BEC) are other common attacks in the region.
At a recent roundtable discussion, we talked to leading IT executives from public and private organizations in ASEAN on the essentials and concerns for a cyber recovery.
Lack of awareness of cyber recovery
A cyber-attack can lead to business disruptions, data theft and corruption and eventually financial losses.
According to a Gartner survey, 62% of respondents are increasing investment in cybersecurity in 2021 in the Asia Pacific region. But the majority or 77% of companies do not have an incident response plan for a cyber breach.
Despite an increase in cyberattacks and malware, “if there is no incidence, it is just a threat, sometimes we are not getting the attention that it is important,” said Trisit Sookkiaw, head of infrastructure services assistant to the IT director at AIA Thailand.
In addition, “Many cannot do it. It is only on paper,” Kumar added.
He said IBM conducted a survey of about 1000 respondents and that 44% of organizations had cyber protection and a mere 32% had an effective plan.
When there is a breach in security, operations will fall apart. “Respond and recovery is important from a business perspective. The operations of the hospital cannot go down,” said Chong Keong Chew, group chief information security officer of National University Hospital in Singapore.
“We are not talking about protecting a system. We are talking about protecting the business,” said Emilio Griman, director of Centre of Competency, IBM Resiliency Services, Global Technology Services.
“It is not a matter of if you are going to get hit but when you get hit, what are you going to do? What is your plan? Who are the people engaged in the plan? What are the crown jewels you need to recover?” he added.
“It is important to respond and recover,” said Moses Romero, head of Security Clearance Advisor at Mayflower-Marriott Executive Apartments in Indonesia.
Participants concurred and said that they are focused on protecting the system but also worried about data integrity when there is a breach. This is especially so for the healthcare sector but there are challenges.
“Patient safety is important. The challenge is to restore the data and ensure accuracy to continue care. It involves a lot of planning because sometimes in healthcare there can be many sources which can include propriety systems like laboratory information systems, beyond the EMRs and administrative systems,” said Patrick Chia, director of Integrated Health Information Systems in Singapore.
“The challenge is to try to restore data integrity and the best copy from the safety and integrity standpoint. We need to prepare our systems so that we understand where the recovery sources of proof are. When there are attacks and systems are tampered with, what we fear is that patients are associated with the wrong clinical data. Hence it may be important to validate with data from originating sources and even paper records if necessary, during the recovery process. That is one of the big challenges as patient safety is paramount,” said Chia.
Another participant emphasized the importance of speed. “Speed in response is critical. I witnessed a ransomware attack, and the spread was quite widespread in one department and fast. To contain it was almost impossible and we had to unplug the infected hardware from the network. So, speed to respond is crucial and that will lessen the impact on the organization as well. We did a study and realised that the turnaround time where it infected several hundred files was only 7 minutes,” said Kam Cheun Fok, IT specialist.
Root cause analysis
Others acknowledge that root cause identification is important in recovery. “We need to clearly identify what is the potential cause for effective forensic information collection prior to performing remediation, restoration or rebuild,” said Elissa Cher, head of data management and chief information security officer at Sun Life Malaysia Assurance Berhad in Malaysia.
“[We need to know] where are our security positions are or unauthorised access. We have cyber drill exercises in terms of response and creating awareness of our team,” she added.
According to Kumar, one organization had 57 copies of backup and was still unable to recover. “The hackers were very smart and their online system was compromised. They were into the backup and they could not do anything because their backups were compromised.”
Collaboration and communication
Participants also discussed the importance of collaboration and communication in recovery.
“Once we have an attack, what was the scope? In response, what kind of training are we doing with the staff for awareness to not compromise the data,” said Romero.
“Then there is the public relations issue. How do we respond to the public, whether it is a hospital or a bank, credit cards? Training of staff before and after [an attack] is important,” he added.
“We have a tendency to forget about the business. When an attack happens, there are things the business needs to do to continue its operations. There must be a bridge between the business [and the technology team]. Without this, it will be difficult to recover,” said Christine Kempeneers, data protection officer & assistant VP, risk management at Aboitiz Equity Ventures in the Philippines.
Planning is key
How do organizations ensure fast and consistent responses?
“That is when planning comes in. You want to think [of what could happen and prepare for it] before the attack. When something happens, you can put the plan into action. Today, with remote work, it has become more important for everyone to know where to go and what they will do when they get there. How do you train the response team? Were they given access to these communication channels beforehand? Planning will be key,” said Kempeneers.
“When you identify certain incidents to be of higher impact or likelihood for the organization, you want to plan for those scenarios and have an understanding of how they will affect the whole organization,” she added.
In other words, “understand the risk in the environment and plan how you are going to address that,” said Griman.
“Having a solid plan to recover business function is to make sure everyone is coordinated. Internally and externally. This is something that must be continuously looked at and not wait for something to happen then do a review. Plans can be out of date, so it will make it difficult to recover from the breach,” he added.