Deeper #5 — #WorkFromHome and the state of ASEAN cybersecurity
How COVID-19 has accelerated digitalization and highlighted the pressing need for better security.
Humans are lazy.
That sentence kept running through my head while I was writing this. Humans—are—lazy (including me—I’m one of the laziest people I know). How many of us use the same passwords for our work and personal accounts? How many of us use the dreaded password password? How many of us use social logins in order to save time typing out e-mails, usernames, and passwords?
The more we use our devices, the more apps and tools we sign up for—the more data and privacy we give up. I wish there were a nice little platform that could help me track how much of my data is being stored and tracked and sold, and by whom. But we don’t have that (not yet, anyway).
We have to protect ourselves in the digital world. I hope that, after reading this, you’ll consider turning on 2FA (if you haven’t already) and using fingerprint/facial recognition when possible. It’s true that we’re lazy, but that laziness is what allows us to be exploited by organizations that don’t always care so much about us. Stay vigilant!
Digitalization has been a buzzword for the past few years, but many creaking, groaning businesses were resisting the transformation thanks to cost and culture concerns. But because it’s now illegal—or strongly discouraged—to gather in an office during the pandemic, companies have to digitalize—or face the possibility of dying.
Digitalization isn’t just changing the way companies create goods and services. It also revolutionizes the way companies run their internal operations.
Now that COVID-19 has forced millions of employees to work from home, some have posed the question: is the #WorkFromHome movement introducing too many cybersecurity risks? Should we be going back to the old way of running a company once the pandemic ends?
Here’s our answer: it’s not that working from home is necessarily more dangerous. Rather, it simply coincides with a shift in the meta.
For years, cybersecurity used a “perimeter security model”. You could protect hardware and information by keeping them isolated (with locked physical server rooms, for example)—thus preventing them from being accessed from the “outside”. However, we’ve seen this status quo change slowly over the years with the advent of cloud software-as-a-service and infrastructure-as-a-service and platform-as-a-service solutions. This new way of managing internal operations inevitably changes the way we approach cybersecurity.
TL;DR: The #WorkFromHome movement is highlighting just how far behind ASEAN actors are—both companies and governments—when it comes to protecting stakeholders from cybersecurity threats.
Cloud tools are not all made equal—some are riskier than others
The ASEAN region lags behind the rest of the world in cybersecurity
Poorly-educated users pose a major business risk
A lack of government support against cybercrime will ultimately lead to billions in losses for ASEAN enterprises
An increasing reliance on the cloud and on digital services will require massive changes and rapid education in order to adequately approach and combat threats to cybersecurity.
The costs of poor cybersecurity are enormous, long-lasting, and increasingly difficult to measure
Cybersecurity has quickly become one of the most pressing business and governmental issues around the world. The Allianz Risk Barometer 2020 states that cyberattacks are ranked the top serious business risk in the world, and the World Economic Forum ranks data fraud and cyberattacks within the top ten global risks that we face in upcoming years.
IBM’s most recent Cost of a Data Breach report states that the average global cost of a breach is $3.9m. However, the impact balloons the more records are lost. Incidents that leave over one million records compromised cost businesses $42m on average, and breaches of 50 million records cost $388m.
Let’s zoom in to ASEAN: an average data breach costs S$3.6 million (US$2.62 million) and compromises and compromises 22,500 records.
Approximately 96 percent of Singaporean businesses suffered a data breach from September 2018 and September 2019.
Between December 2015 to November 2016, Vietnam registered 1.68 million IP (Internet protocol) blocks designed to attack IoT devices and networks.
OceanLotus, which had been previously linked to the Vietnamese government, reportedly broke into the computers of ASEAN before a regional leader summit in Manila. They compromised dozens of government agency websites in Laos, Cambodia and the Philippines, and attempted to load the computers of high-ranking officials with malicious code.
Indonesia experiences more than 50,000 cyberattacks daily and is the second most targeted country for cyberattacks, following Vietnam.
An April 2020 data breach jeopardized over 15 million user accounts of Indonesian unicorn Tokopedia (and 7 million merchant accounts).
Cybersecurity now bleeds into nearly every aspect of human life. We rarely identify data breaches in real time—it may take months or years—and it is impossible to clearly, definitively measure just how much damage a cyber breach does. Not only does poor cybersecurity cost billions in fraud—its impact on an enterprise’s reputation and infrastructure can last for years.
ASEAN organizations and governments lag behind in cybersecurity
The #WFH movement has governments realizing just how ill-prepared they are when it comes to cybersecurity—no surprise considering many of the countries in the region have only begun digitalizing relatively recently.
The region’s Internet penetration is low, but growing rapidly—meaning that millions of poorly-educated consumers will be coming online within the next few years. Compare numbers from 2017 to 2019:
This new digital population combined with the region’s lackadaisical attention to cybersecurity provides plenty of opportunities for criminals to strike.
Governments must do more to protect this increasingly digital population, especially as COVID-19 speeds up digitalization movements in business and industry. If these consumers aren’t properly educated about safe ways to access the Internet and do business, not only will the risks increase—socioeconomic divides may also deepen.
Unfortunately, remedying such a situation is easier said than done. One Asia Centre report states that “many Southeast Asian countries lack a strategic mind-set, policy preparedness, and institutional oversight over cybersecurity” (Dobberstein, 2018).
It doesn’t help that roles aren’t often clearly defined—no one seems to be sure who should be in charge of cybersecurity (National police? The interior ministry? Telco industries? The military? The private sector?) or how collaborations (domestic and international) should take place.
Singapore is a good example of how countries can address cybersecurity within their borders. In 2015, the Cyber Security Agency (CSA) was formed to strengthen the national protection of cybersecurity. And after the SingHealth cyber attack in 2018—which compromised the personally-identifiable-information of over 1.5 million patients—the government then passed the Cybersecurity Bill (now the Cybersecurity Act) in 2018 as a framework to govern the licensing and regulation of cybersecurity service providers.
ASEAN governments need to get more involved
Governments need to acknowledge that cyberattacks can impact not only telcos or tech companies, but their entire population. As countries develop smart cities, business ecosystems, and increasingly-interconnected infrastructure, the impact of a single breach will only grow bigger. Perhaps most frightening is the possibility that hackers can cause political instability and disrupt essential government activities.
The best solution to this on a macro-level is the creation of international partnerships to further joint security initiatives and commitments. The Singapore-ASEAN Cybersecurity Centre of Excellence (ASCCE), launched in 2019, is one such organization.
The ASCCE will spend $30 million over five years on policy and technical programmes for its participants. Singapore hopes the centre can be a place for ASEAN member states to “strengthen strategy development among ASEAN states through training and research, enhance Southeast Asia’s resilience with more national Computer Emergency Response Team (CERT) training, and promote open-source information sharing among these CERTs.”
Additionally, each government should establish its own domestic cybersecurity agency—responsible for driving domestic policy, educating the population, and protecting end-users.
Mark Thomas, Vice-President of Cybersecurity at Dimension Data, suggests that ASEAN member states will each need to spend between 0.35 and 0.61% of their GDPs (or US$171 billion collectively) on cybersecurity between 2017 to 2025 to ensure that they are well-protected.
This will take a lot of effort considering ASEAN member states spent a measly cumulative US$1.9 billion (just 0.06 percent of the region’s gross domestic product) on cybersecurity in 2017.
Data source: AT Kearney
A report by Gartner states that this year, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risks—a massive jump compared to the previous figure of just 40%. Digitalization is now a necessity for a majority of companies in the region. The first step enterprises must take in this process is to carefully vet the cloud tools they will use.
Cloud tools are not all made equal—some are riskier than others
Cybersecurity has become a major differentiator for cloud solution providers. Zoom's massive explosion in popularity, for example, revealed ridiculously exploitable security flaws that put over 300 million users at risk.
Zoombombing trolls would regularly pop in unwanted and unannounced to derail meetings, and flaws in the Zoom installer made it possible for dedicated hackers to gain root access to computers. Despite Zoom’s claims that the calls were end-to-end encrypted, ex-NSA hacker Patrick Wardle discovered that the enterprise software company was lying.
In response, many governments and organizations banned Zoom entirely. Not a single Taiwan government agency is allowed to use the platform. Philippines-based ISP Smart Communications banned employees from using Zoom for internal purposes. And after Singapore saw issues with students being exposed to obscene images and online harassment during Zoom sessions, the government moved to suspend its use by all teachers in the country. In response to the security scandals, many turned to alternatives like Google Meets and Cisco Webex.
Zoom is the most recent example of a high-profile enterprise software data leak, but we shouldn’t forget Teamviewer’s months-long fiasco in 2016, where an unknown number of accounts were hacked and funds from Paypal and banks drained. Though the hack seemed to mainly affect consumer accounts, around 90% of Fortune 500 companies use the service for remote access, making the risks to enterprise enormous.
And recently, VMWare’s popular Cloud Director software—which allows enterprises to bring offline data centers online—also faced a vulnerability that could potentially allow an attacker to control entire private clouds within an enterprise.
Businesses aren’t paying enough attention to security, either
The Tokopedia hack shows that even the region’s largest unicorns aren’t paying enough attention to safe cyberpractices. This is one of the most dangerous byproducts of an ecosystem that focuses on growth at all costs—security (and many other factors) become afterthoughts, and we end up scrambling to try and salvage what remains.
Businesses and consumers are all increasingly turning to digital platforms for their daily needs and operations. The increased digital dependence has highlighted just how little attention we pay to cybersecurity, as organizations and as individuals. Companies must be security-obsessed as they build their platforms—and governments need to spend more money on the development of governing bodies that can hold stakeholders accountable for shoddy security practices.
Consumers must push their favorite online platforms and tools to be more security-minded, and companies must listen. The next step: companies pay more attention to the 3rd-party tools they are using to facilitate remote working and access to sensitive information.
The mobile workforce needs to be properly trained on proper security protocols
The final key to this puzzle—one no less difficult to deal with—is the workforce. Humans are inherently lazy. As much as 65% of people use the same passwords for all of their accounts, both work and personal. Some reports say that a majority of cyberattacks could have been easily prevented if only humans weren’t so careless and standards so lax.
One of the reasons why few end-users care about their personal data is because it is an intangible asset that can only be monitored or controlled to a limited degree. Though one IBM study found that 81% of consumers say they have become more concerned about how their data is used online, there is no real framework for data governance and data ownership.
These murky boundaries results in careless data and security practices. It’s cause for concern because, during the pandemic, cybersecurity risks are higher than ever. Google reported that the number of phishing websites increased from 149,000 to 522,000—a 350% increase within three months. Another report found that COVID-19-related email attacks increased by 667% in the span of one month; UN Under-Secretary-General Izumi Nakamitsu stated that approximately “one cyberattack takes place every 39 seconds."
Ideally, employees would be trained on cybersecurity in the office, and do company work on company devices. But COVID-19 quarantines and lockdowns have forced the workforce to go remote—in many cases, before their organizations were prepared. A 2020 Kaspersky study shows that 62% of employees use personal devices for remote work, and 73% have not had proper security training before working from home. Even established companies with existing cybersecurity best practices have been disrupted.
Digital privacy expert Daniel Markuson, from NordVPN, says, “Personal laptops might lack the necessary security software, such as an antivirus, a business VPN, and others. On top of that, people tend to be more relaxed when using personal computers. They may download games, browse shady websites, and click suspicious links” while logged into their business accounts.
A Gartner, Inc. survey of 317 CFOs and Finance leaders on March 30, 2020 revealed that 74% of respondents are planning to move at least 5% of their previously on-site employees to permanently remote positions. Thanks to digitalization, remote work is here to stay—and rather than burying their heads in the sand, organizations must adapt, adapt, and adapt.
Security measures must be hard-coded into an organization’s operations. This means you must require difficult passwords, biometric logins when possible, facial recognition, and more. Understand that because humans will naturally take the path of least resistance, it falls to organizations to up their security standards and ensure that, on a human end, they’ve covered their bases. Additionally, we must put more pressure on stakeholders to properly define how end-user data is owned, shared, and sold.
The low digital literacy among the ASEAN population is arguably one of the greatest threats to the region’s socioeconomic growth. Take the digital payments sector, for example. Nearly every country in ASEAN has at least one digital finance player. But because users aren’t educated properly on how to safely access these services, they are leaving themselves open to hacking and getting fooled by simple phishing scams. This, in turn, leads to hundreds of reports of hacked and drained accounts from angry consumers.
Consumers are being burnt by their general lack of knowledge on how to protect themselves when accessing online services. Increased consumer doubt and suspicion then makes it harder for enterprises to drive adoption. If left unaddressed, pushes for digitalization—from private sectors and governments—may one day be met with hostility and anger, which in the long-term will slow the pace of regional socioeconomic growth.
How companies can address cybersecurity risks during COVID-19
The security/network perimeter of yore has all but vanished now that cloud is king. Users aren’t just connecting from within an organization’s building or network anymore. They’re reaching in from “outside”—from any location in the world—with personal mobile devices in order to access sensitive data.
Data is stored on clouds and SaaS platforms instead of physical servers that businesses can own and monitor. This offers immediate access, but requires even more vigilance to protect.
In order to address these changes, here are some of our humble recommendations:
Upgrade legacy cybersecurity systems
Update and maintain security patches for devices, systems, and software—routine maintenance and implementation of cybersecurity measures is imperative
Organizations in all industries are adopting IoT technologies. Device endpoints could be exploited to gain access to the rest of the system. Ensure that end users are properly educated on how their hardware should be protected.
Invest in cybersecurity—you will not be able to scale without it
Implement stronger authentication mechanisms, such as 2FA
Define clear access control policies to limit who can access information, and under what circumstances
Build relationships with your cloud service providers, and reach out when you have security concerns
Look into machine-learning-based cybersecurity solutions
Embed security services and features into devices and applications—such as encryption and antivirus protection
Implement an Account Lockout Policy so that after multiple failed attempts to login to a system, the account can be blocked.
Microsoft recommends, “Utilize host firewalls to limit lateral movement and prevent endpoints from communicating on TCP port 445 for SMBs. This can significantly disrupt malicious activities.”
The shift from traditional infrastructure to the cloud has been underway for the past few years, and remote working was bound to happen regardless of when. Still, COVID-19 has undeniably accelerated the digitalization process, causing companies to transform more in a single month than they have in entire years. An ideal security model for the future is focused on educating users, selecting the right, security-focused tools, and protecting device endpoints.
If you are a consumer-facing business, we recommend that you invest time and funds into educating your customers on how to use your digital services correctly. It is exhausting and costly to constantly have to mitigate and salvage preventable cybersecurity problems that arise as a result of poor consumer knowledge. It isn’t possible to wait for consumers to educate themselves—because we are the foremost drivers of digitalization in the region, the responsibility has fallen to us to educate other stakeholders.
P.S. Like what you read? Support our work by sharing this newsletter with a friend or two. Send them here to sign up: https://deeper.substack.com/