In 2020, the pandemic crisis disrupted pretty much everything. People worked at home in unprecedented numbers — stretching existing systems and networks to their limits and accelerating the adoption of scalable cloud computing resources.
Cyber criminals had new opportunities offered to them on a plate — the attack surface expanded rapidly but few organisations were able to adjust their cybersecurity postures to address the new threat environment.
Here are seven key digital and cybersecurity risk trends for South East Asia in 2021.
1. Expect regulators to be more aggressive. For South East Asian organisations, the risk associated with data leakage is minimal. The penalties for not taking measures to prevent data loss are negligible in much of the region. Even in Singapore, the region’s most mature economy, Grab, a company valued at over USD14 billion, received a fine of only SGD10,000 for leaking the personal data of thousands of drivers and customers. It was also the company’s fourth reported privacy breach in 2 years. Contrast this with the European Union, where retailer H&M recently received a fine of USD41 million for a data protection breach. As the scale of data theft becomes apparent, regulators in South East Asia will enforce their rules more aggressively and penalties will increase. In Singapore, the Personal Data Protection Act (PDPA) was recently amended, giving the regulator the ability to mete out much larger fines. South East Asia’s largest economy, Indonesia, will implement its Personal Data Protection (PDP) law, which is modelled on GDPR, in the coming months.
2. Expect rapid growth in the cybersecurity insurance market. Risk transfer using cybersecurity insurance will become a critical form of risk management. But the cybersecurity insurance market in South East Asia is immature — many policies don’t cover a variety of well-known risks such as rogue insider activity and losses from nation state attacks. Adequate cover for both first- and third-party risks, including breach response costs, direct financial costs caused by breaches, and third-party liability, should be considered.
3. Expect more targeted ransomware attacks in 2021. Larger organisations in South East Asia have grown wise to ransomware attacks but smaller organisations and those in less resilient industries such as health and education have not. Expect many more attacks on ‘soft targets’ such as hospitals, schools and smaller businesses, with lower ransom demands.
4. Expect an increase in cybersecurity awareness and training programmes across South East Asia. As the pandemic drives a huge increase in the number of phishing attacks in the region, employees’ ability to identify these attacks and other attempts at social engineering is under scrutiny. Employees are the first line of defence — organisations will implement many more programmes that are designed to build greater resilience by engaging employees to defend against cyber attacks.
5. Expect the largest organisations in South East Asia to focus on developing a zero-trust approach to cybersecurity. South East Asian organisations will move to a cybersecurity approach where access to resources is no longer granted based on location or asset ownership. Authentication and authorisation will be performed before every session to an enterprise resource is established. Increased remote working and cloud assets that are not located within the organisation-owned network boundary are accelerating the adoption of a zero-trust approach.
6. Expect the rapid migration of workloads to the cloud to increase focus on cloud security and insecure APIs. The pandemic crisis has driven much higher cloud adoption and increased the need for APIs. In the rush to keep businesses operational and shift workloads to the cloud, the vulnerability of APIs is often overlooked. As containerised cloud-native deployments become more common, security postures need to adjust, with greater focus on container security.
7. Expect security process automation adoption to grow rapidly as a way of reducing the number of false positives, addressing skills shortages and combatting alert fatigue. As organisations continue to add to their estates of cybersecurity solutions, they are increasingly implementing tools that generate alerts for any anomalous activity. Only security process automation can effectively address this surge in alerts and offer a more unified view of assets.
The roller coaster ride in 2020 shows no sign of stopping in 2021. The new year will offer many more radical changes to the ways we live, work and manage digital risk. Making your security posture agile will be more important than ever.
Let us know your thoughts.