Challenges Around the Cybersecurity Regulatory Environment in Southeast Asia
Barely a day goes past that the international press does not carry a story of a massive data breach—whether it is about a billion records taken from a tech company, a health insurer’s 80 million records, or a bank’s small but significant 9,000. And yet, rarely do we hear of breaches from Asian organizations.
Could it be that the information technology (IT) security of Asian organizations is ahead of that of their Western counterparts, or, as many in the region think, that Asian organizations are either below the radar of, or simply not a target for, the cybercriminals who steal this information?
Sadly, this is far from the truth.
In 2015 and 2016, the International Data Corporation (IDC) undertook a study of the maturity of IT security in organizations in the U.S. and across the Asia-Pacific region, and the comparison gives deep cause for concern. The evidence indicates that very few organizations in Asia come anywhere near the level of sophistication or general awareness of their Western counterparts, and that they have not invested in security technologies to the same degree.
A recent report pointed out that the global average number of days taken to discover malware inside an organization is 146, but in Asia-Pacific the number jumps to over 500. This means that many Asian organizations have malware sitting within their network environments for well over a year before anyone notices. Traditional burglars could retire if they could wander around their target environments, unnoticed, for that long.
So why do we not hear of breaches in Asia? We could assume they are not happening, but that would be naïve. In reality, the lack of notification is due, almost entirely, to a lack of breach notification legislation. Aside from a few countries in the region, breach notification legislation is non-existent, and so even if an organization knows of a data breach (and the dwell-time statistics above imply that it often does not), there is no obligation, and no incentive, to go public with such news. And why would any organization want to in the first place? There is no benefit to telling the world at large that you are unable to secure your IT systems … or is there?
Although personal data privacy laws are on the books in numerous countries, for the most part the legislation covers the use of such data for marketing outreach. Organizations cannot, without the individual's express permission, re-use or sell the data they have collected for any purpose other than the one for which it was originally collected. This creates a challenge for IT managers, whose focus is the problem of storing a wealth of data rather than how it may later be used.
Business users, by contrast, understand the regulations governing the use of this data, but are unlikely to know how or where it is stored within IT systems. So the promise of big data (the ability to mine the data we own and can obtain, in order to gain critical insights that accelerate business growth, or whatever the premise is) becomes a regulatory challenge for many, at least for those who understand the legislation and accept that the cost of contravening personal privacy law is too great a business risk to take.
Not every jurisdiction fits this picture, however. Some countries do have strong legislation around the protection of personal data, but they have no means of enforcing it, which leaves the legislation ineffective at best or totally ignored at worst. And, as noted above, even if personally identifiable information is misused, leaked, lost or stolen, there is no obligation to inform anyone, leaving the individual to blow the whistle on any misuse or data loss they happen to become aware of.
Will Stronger Regulation Make a Difference?
On the horizon is a piece of legislation coming out of Europe that will have an impact on a sub-segment of companies in these under-legislated markets, including in Asia. The General Data Protection Regulation (GDPR) coming from the EU will allow regulators to levy very large fines (up to 4 percent of global annual turnover or EUR 20 million, whichever is higher) on an organization that loses data on a European citizen or resident. The criterion an organization needs to consider here is whether it holds any such data and has an operation in Europe; the regulation also reaches organizations with no European presence that offer goods or services to people in the EU or monitor their behaviour. If the answer is "yes", the organization falls under this legislation regardless of where the data is lost, so organizations need to look closely at their developing-country operations.
Hackers, too, are aware of this regulatory landscape: they know that breach notification is mostly absent, and that where penalties do exist, as under the EU GDPR, the threat of them can be used to hold data to ransom. An emerging crime is data theft for extortion: cybercriminals steal data that can be clearly attributed to the organization and threaten to post it to a public site and "name and shame" the business unless a ransom is paid.
To Tell or Not To Tell
So, back to the question of why you should tell the world about your data loss. The issue is that hackers get away with far more when their modus operandi is unknown. If a perfect theft is one where nobody realizes anything has been stolen, then data theft is near the top of that list, since the victim still retains a copy of the data and may have no idea that a copy was taken. But if the details of how such crimes are committed are shared with the broader community, the chances of evading the next hack are much greater.
This, perhaps, is where government legislation should focus. Issuing a punitive fine because a better-funded, better-organized criminal, with access to more financing and computing resources than the average CIO, was able to steal data is perhaps not the best approach. Encouraging organizations to share details of any data breach or intrusion into their environment, perhaps even through some form of amnesty program, would give countries far better knowledge with which to protect their IT infrastructure in the future.
Whether or not a newspaper headline is required is very much a cultural question. The concept of “face” carries far more value in Asia than elsewhere, and so perhaps we will never see these headlines … but the data loss and hacks will continue regardless.