Trust is the cornerstone of a digital economy, and it’s imperative that Malaysia ups its game.
In April of this year, Microsoft’s cyber-hunters discovered a group of hackers called "Platinum" who had been attacking targets in Southeast Asia since 2009. Malaysia, the focus of just over half the attacks, was by far Platinum’s biggest victim. The group aimed the majority of its attacks at government agencies, including intelligence and defence agencies, and Internet service providers.
The incident brings into sharp focus how vulnerable Malaysian companies and organisations are to cyberattacks, which are themselves becoming more and more sophisticated. Not only did Platinum manage to slip past existing defences, it remained undetected for years.
To be fair, Malaysia is not alone in its vulnerability to unscrupulous hackers. According to a study by US security company Mandiant, Asia is 80 percent more likely to be targeted by hackers, and the median time between a breach and its discovery is 520 days. Seven out of 10 organisations in Accenture’s global Technology Vision 2016 survey also said they suffered at least twice as many privacy or security breaches as they did two years ago.
At the same time, cybersecurity is still an emerging area of expertise—the current role of the chief information security officer (CISO) is barely a decade old.
Digital trust is, however, the cornerstone of a digital economy, and as we hurtle into the digital age, it is imperative that Malaysia ups its game.
A game of catch-up
Over the past three years, there has been significant focus on cybersecurity, not just among Malaysian companies but also by the government, through CyberSecurity Malaysia, an umbrella agency that falls under the Malaysian Ministry of Science, Technology and Innovation (MOSTI).
The agency is taking a strong three-pronged approach to security by:
Working with universities and private colleges to plug the skills shortage and conduct research in the field
Developing public frameworks and helping government agencies bring cyber criminals to justice
Increasing awareness among the public on security best practices—not just with regard to hardware and software, but also user behaviour
This year, it took the fight further, with the decision to cooperate and collaborate with regional cybersecurity agencies, beginning with India’s CERT-In, to develop frameworks for incident response management, and international cooperation, dialogue and research.
We are moving in the right direction, with many crucial moves made. But more are needed for true cyber resilience, including in the private sector, particularly as cyber attackers become more cunning and their tools increasingly creative and sophisticated. Key to this is the need for collaboration at all levels: between companies in the same industry, across industries, and with national security agencies. However, many companies today continue to have non-disclosure policies when it comes to cyber-attacks.
A question of ethics
There is also a second component to digital trust: the need for strong digital ethics on the part of companies. This goes beyond simple data privacy, to consistently acting in accordance with corporate values, and sustaining trust with customers, investors and partners.
In short, digital trust is driven by how information and data assets are both secured and used.
A prime—although controversial—example is Apple’s refusal to give the FBI access to the locked iPhone of San Bernardino shooter Syed Farook, who killed 14 people. The company was unwilling to take action that could threaten the trust between its brand and its customers.
Digital ethics is still a very new area here in Malaysia. At the moment, beyond what has been mandated by the government, for example in the Personal Data Protection Act of 2013, there are few policies in the majority of companies that specifically deal with digital ethics. Such policies would be those addressing anything from the ethical decisions throughout the customer journey and the implications of doing no harm, to informed consent and what anonymity in data sharing really means.
It is important that Malaysian companies address both these areas, and that they do this urgently. There are a host of reasons why—starting with the impact of a cyber breach on a company’s reputation, and the financial impact of even a single data breach, which a 2015 study by IBM/Ponemon puts at US$3.79 million. The most critical reason, however, remains this: that a digital economy cannot function without digital trust.
Without digital trust, businesses cannot:
Share and use the big data that underpins their operations
Develop ecosystem connections with business partners
Satisfy regulators and cybersecurity insurers
Sustain long-term relationships with customers
Taking digital trust seriously
So what can Malaysian companies do? The first step is to take security and digital ethics out of IT departments and make them board-level issues. Only when executive management assumes an active, visible and engaged position will it foster a company-wide culture that values digital trust.
Collaboration is the second indispensable weapon in the cybersecurity arsenal. Companies in the same industry need to begin sharing information and working together not just to out-manoeuvre, but to out-innovate their adversaries. Instead of each company putting out fires as they occur, we need to bring the power of the entire ecosystem against would-be attackers, while raising strong industry-specific defences to build resilience. Less than 25 percent of companies currently share threat intelligence with others in their own industries, according to research company Ponemon.
As collaboration between man and machines grows, it is also essential that companies employ security systems that establish the trustworthiness of users and devices seeking access to network resources, and that do so well beyond the perimeter rather than only at it. Remember that trust is only as strong as the security that keeps data out of the wrong hands. Most next-generation security systems are now built this way.
Malaysian companies will also need to put into place comprehensive policies on data and digital ethics, both to reduce their exposure to risk and adverse outcomes, and to maintain trust and retain customers, market share and company valuation. Policies, of course, work best when staff are offered training as well as clear incentives for compliance and consequences for breaches.
While digital trust is still an emerging concept, not just in Malaysia but globally, it affects and influences relationships with regulators, investors, employees, customers, partners and lenders, making it a critical asset in the digital era.