SINGAPORE: A succession of major “cyber” events in Asia have reinforced the need for companies to take a proactive and realistic approach to cyber resilience.
In recent weeks we have seen the much publicised SingHealth data breach, the ransomware attack on Chinese shipping giant Cosco, and the crippling of Taiwanese semiconductor manufacturer TSMC by a virus.
Most organisations are conscious of the significant malicious cyber traffic seen in Asia, but often discount the risks and wonder:
Why would anyone attack me?
Most don’t consider the broader context in which these attacks occur and the collateral damage that is common.
It has been suggested that the target of the SingHealth attack was Prime Minister Lee Hsien Loong’s medical data, but hackers are not known to differentiate when extracting other sensitive information, hence the exfiltration of data pertaining to 1.5 million SingHealth patients.
If the attack was state-sponsored then it serves as a useful reminder that exposure to cyber risk does not exist in a vacuum. Geopolitical tension has been the driver behind some of the more significant attacks in recent memory.
That organisations may be collateral damage should not be discounted. In the case of TSMC, which was shut down by a latent variant of the WannaCry malware, the impact of non-targeted attacks is evident. The most significant cyber losses of 2017 belonged to those companies caught in the web of WannaCry and NotPetya ransomware.
WE NEED AN ‘ASSUME BREACH’ MENTALITY
Acceptance of such risks is critical, but there’s no turning back from the reliance on data, automation and connectivity that gave rise to the risk. Indeed, organisations which have fallen victim to cyber losses have turned to technology to mitigate the damage.
Integrated transport and logistics company Maersk, and Cosco, used a combination of social media and personal email accounts to keep their businesses running – not the most secure measures, but business continuity is often paramount. SingHealth communicated with affected parties by SMS.
But there is one way to get ahead of the curve. Public comments from government officials in Singapore suggest an acceptance that while every effort must be taken to secure data, attacks will be ongoing and breaches are inevitable.
Indeed, there is a growing acceptance that cyber risk is an unavoidable cost of doing business – a necessary consequence of the benefits derived from technology. This was also clear in Prime Minister Lee Hsien Loong’s Facebook statement where he says:
We cannot go back to paper records and files. We have to go forward, to build a secure and smart nation.
The logical extension of this acceptance is a shift towards an “assume breach” mentality for organisations, an approach to cybersecurity that recognises the inevitability of some degree of intrusion, and emphasises incident response and protection of critical assets once the perimeter is compromised.
RED-TEAMING STRENGTHENS SYSTEMS
But this approach depends on a willingness among the broader public to forgive organisations which have been successfully attacked, as well as to be far more critical of those who have mishandled communications or failed to act prudently after a breach has occurred.
Adopting this mentality does not mean that organisations sacrifice cybersecurity measures; rather, it informs how those measures are deployed.
Sophisticated organisations will often engage ethical hackers for “red-team testing” – launching attacks on their systems to detect vulnerabilities. Good red teams have an incredibly high penetration rate, but this is only part of the story.
Once a breach is assumed, the more important questions emerge: can attackers move within our systems to access sensitive data? Are internal access controls appropriate? How quickly did our own security team detect the intrusion?
Similarly, organisations which adopt an “assume breach” mentality are more likely to have an incident response plan which has been tested and can be readily deployed in a crisis.
A RESPONSE PLAN NEEDED
In underwriting an organisation, cyber insurers will want to see that an incident response plan is in place, but the best risks will have a plan that is regularly tested and updated. Table-top simulations of cyber events can help senior management understand the pressures and responsibilities of handling a crisis and aid companies to identify gaps in incident response and business continuity plans.
These exercises also focus on communication with clients, employees, commercial partners and regulators.
But quick and clear communication with stakeholders in the wake of a cyber event is not common for businesses in other parts of Asia, particularly as most jurisdictions do not feature mandatory breach notification laws, in stark contrast to the experience in Singapore (where mandatory breach notification amendments to the Personal Data Protection Act are pending), the US, Europe and Australia.
That is expected to change in the coming years, but companies are also recognising that controlling the message can be best practice.
Perceptions of honesty and transparency are two key drivers of successful recovery from a reputation event, according to the 2018 Reputation Risk in the Cyber Age study released by Pentland Analytics and Aon.
Both SingHealth and TSMC communicated with the media quickly and may have avoided the reputational damage that can arise from speculation and unanswered questions.
Ultimately, companies that are confident with the efforts they have made to bolster cyber resilience and have prepared for these events with an assume breach mentality will be much better placed to face the media, clients and their shareholders.
Andrew Mahony is regional director of Financial Services and Professions at leading professional services and risk management firm Aon Asia.