Out-Law News 2 min. read
26 Aug 2016, 3:58 pm
The M-Trends 2016 report into cyber incident response in APAC by IT security business Mandiant Consulting found that businesses in the region are generally slower to discover that they have been the victim of a cyber attack than those based elsewhere in the world.
Mandiant said that APAC businesses "are often unprepared to identify and respond to breaches". It said the companies "cannot defend their networks from attackers because they frequently lack basic response processes and plans, threat intelligence, technology and expertise".
Technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint venture partner of Pinsent Masons, the law firm behind Out-Law.com, said the report's "gloomy assessment" of cybersecurity in APAC was accurate. He said the wealth in APAC, the widespread fondness for and adoption of technology, a lack of awareness of good security practices and local cultures and attitudes amongst computer users are all contributing factors in the problem.
However, Tan said some APAC countries are taking steps to encourage better practices. He also said that cybersecurity is considered a major concern by in-house lawyers in APAC and is at the very top of their agenda.
"The report is a good wake up call," Tan said. "It shows why countries like Singapore are looking to enhance cybersecurity laws, which are currently focused on critical infrastructure, to ones which are wider-ranging and which can help address the seriousness of the problem. Measures such as minimum data security standards, staff training, breach notification and information sharing are all possible enhancements."
Paul Haswell of Pinsent Masons said most people and businesses in Hong Kong are underprepared and uneducated when it comes to cybersecurity.
"There is a serious lack of awareness of risk, of best practices, and the attitude for many is simply to assume that an attack will never happen to them," Haswell said.
"However, Hong Kong is seeing increasing levels of reported attacks, which, given there is no obligation to report any attack here, suggests that they are taking place on a growing scale. More needs to be done in this jurisdiction to teach all users of technology of the risk of cyber attack, so that they may better take steps to ensure they are prepared when one occurs," he said.
According to the Mandiant report, it takes APAC businesses a median average of 520 days from the point of systems breach to discover that they have been attacked. The median average time it takes businesses elsewhere in the world to make such discoveries is 146 days, it said.
The data indicates that businesses in APAC detect cyber incidents "far too late", Mandiant said. Most breaches that occur in APAC never become public because businesses do not generally face obligations in the region to disclose when they have experienced data breaches or other cybersecurity incidents, it said. However, "this is changing slowly".
Mandiant said that it had seen "heightened levels of cyber threat activity across APAC" in 2015 and that this was down to a number of factors.
"We surmise that this is likely fuelled by regional geopolitical tensions, relatively immature network defences and response capabilities and a rich source of financial data, intellectual property and military and state secrets," Mandiant said.
Cybersecurity measures implemented by APAC businesses were often lacking, it said.
"During investigations we observed that most organisations depended only on antivirus software to detect malicious persistence mechanisms," Mandiant said. "Antivirus software is a signature-based technology that cannot detect every malicious event across an entire estate. A number of commercially available tools can monitor persistence mechanisms; however, we often found that APAC organisations had not reached the security maturity to introduce this kind of technology."
"Because they struggled with these and other security issues, deployment of tools to monitor persistence mechanisms were not prioritised in their roadmap," it said.