THE growing cybersecurity threat in Malaysia has called for a more proactive approach by all stakeholders in dealing with such a menace.

While Malaysia is ranked third globally in its commitment to address cybersecurity issues, it is ranked sixth in the region and 33rd globally in terms of vulnerability to cyberattacks.

Cyber Intelligence Sdn Bhd chief executive officer Raj Kumar said the most vulnerable sector in Malaysia was the services industry, which accounts for 72.4 per cent of phishing attacks.

He said Malaysia is ranked sixth in the region and 33 globally for incidences of social media scams.

“In terms of ransomware attacks, Malaysia is ranked 47th globally and 12th regionally.

“This accounts for 5,069 of attacks in 2015, averaging 14 attacks per day,” he said, quoting statistics from American software company Symantec.

Raj said this to the New Sunday Times during Cybersecurity Asia 2017: Developing A Resilient Organisation in Kuala Lumpur recently. The event was attended by global experts in cybersecurity from various industries.

He said with the growing threat of cyberattacks affecting critical sectors and organisations (known as the Critical National Information Infrastructure or CNII), Malaysia in 2006 had implemented the National CyberSecurity Policy (NCSP), a comprehensive cybersecurity initiative.

The NCSP seeks to address the risks to CNII, comprising the network information systems of critical sectors, including national defence and security, banking and finance, information and communications, energy, transportation, water, health, government, emergency services, food and agriculture.

He said attackers were aware that many of the service providers relied on the Internet connectivity, ICT infrastructure and services.

“However, not all service providers have implemented proactive security measures, and this is due to budget constraints, poor governance, lack of security policies and controls, lack of employee awareness programmes and more,” he said.

Raj said the attackers often looked for vulnerabilities in the system before committing the crimes.

“For example, attackers are using social engineering tactics, such as phishing email, which can easily bypass many technical and administrative security controls that are in place, by targeting people.

“People are the easiest target and will remain as such, because they are unable to tell the difference between a well-crafted phishing email from a legitimate email.”

He said dependence on digital technologies posed a risk to
both technology and users, as cyber criminals continue to find ways to exploit the vulnerabilities and commit malicious activities, such as hacking, intrusion, phishing, malwares, denial of service and ransomware.

Meanwhile, the Southeast Asian region is being targeted by cybercriminals who view it as “easy pickings” because of its cybersecurity flaws.

Singapore’s Vantagepoint Security Pte Ltd director (offensive security) Paul Craig said the region’s growing economic community and a relatively trusting and naive population made it an easy target for hackers.

“They see it as a suitable place to attack as most Southeast Asian countries are quite new to cyber crimes.

“Some of the smaller Asean countries only started getting the Internet at home and on the phone.

“They don’t have 10 to 20 years’ of online exposure. It creates quite a unique situation because organisations are seen as targets and people become more vulnerable to cyberattacks.

“Developments in digital banking and mobile banking are super-rapid in Southeast Asia.

“Banks and financial institutions are producing mobile software and rolling them out at a really fast pace, because if they don’t, customers will go elsewhere.

“But is this at the expense of security?” he asked.

Craig said hackers targeted companies that were dealing with large amounts of personally identifiable information.

“We live in the Information Age and data is more valuable than money,” he said.

For example, he said on June 5, 2012, social networking website LinkedIn had a data breach and the accounts of nearly 6.5 million users were hacked by Russian cybercriminals.

Last May, another 100 million LinkedIn email addresses were compromised, believed to be additional data from the same 2012 breach.

“Jobseeking sites keep everyone’s detailed CVs. Just imagine how much valuable information was leaked during the breach.

“If people gain enough information about someone, they can commit identity theft.

“For example, someone’s medical insurance will contain enough information on supportive documents, like the birth certificate, age, identity card for someone to claim to be another person.”

Referring to the findings of the Verizon Data Breach Investigations Report (DBIR) 2017, he said 75 per cent of data breaches were committed by outsiders and hackers, while 51 per cent involved organised groups and 25 per cent involved internal actors.

“In terms of tactics used, 62 per cent of breaches featured hacking and 51 per cent or over half of breaches included malware.

“A whopping 81 per cent of hacking is related to either stolen or weak passwords,” he said.

Craig said the highest number of hackings probably occur in countries with the highest domestic population.

“Although most hackers go after the big fish, don’t forget that domestic hackers can be just as lethal as the state sponsored hackers,” he said.

He said organisations, which had been victims of cyberattacks, were reluctant to report such incidents because of the Asian mentality of “saving face” and the fear of losing the clients’ confidence.

Craig said hacking tools, which were currently available on the Internet, should be considered as weapons.

“This (hacking) knowledge needs to be controlled, or at least monitored, so something that should be considered is the possibility of licensing.”

He said ransomware had moved from 22nd place to 5th place as the most common form of malware this year, with phishing, found in 21 per cent of incidents last year, up from eight per cent in 2015.

From this, the public sector was the number one industry target, with healthcare second, and financial services third.

Raj said the threat of ransomware had become more sophisticated and aggressive, targeting smartphone technology.

“Now ransomware attacks are moving towards smartphones, Mac and Linux systems or any network-connected device,” he said, adding that victims of cybersecurity incidences were urged to report to the Malaysia Computer Emergency Response Team (MyCERT).

“However, many organisations did not want to report the incidents to safeguard their brand and reputation.”

He said all stakeholders needed to work together by reporting incidents and sharing their experiences to local authorities, such as MyCERT, so that such incidents could be better understood and proactive measures implemented.

“By being vigilant and exercising due diligence, many of the threats can be mitigated at human and device layer.

“This can only be achieved through security awareness and behaviour management programmes for all employees supported by the management.”

To manage regional and international-level cyber threats, international cooperation and coordination among Asia Pacific countries was crucial, he added.

“Organisations such as The Asia Pacific Computer Emergency Response Team and Forum of Incident Response and Security Teams, maintain a trusted network of cybersecurity experts working across borders, supporting each other to improve region’s awareness on cyber threats and malicious activities.

“They can provide information sharing platforms, training and capacity building programmes to enhance their capabilities for defending against local and regional cyberattacks by sharing technical information, standards, tools, methodologies, processes and best practices.”

“The proactive measure to manage this threat, is to keep your device updated and train employees to identify and mitigate phishing email; this is the most effective attack vector used today for ransomware attacks,” said Raj.

“A ransomware attack encrypts the victim’s computer content and holds it hostage until a ransom is paid. In some cases, even when the ransom is paid, there is no guarantee that the content will be returned.”