Increased investment in IT security imperative for firms
VietNamNet Bridge – Jimmy Sng, partner, PwC Singapore, leader of the Cybersecurity Consulting for South East Asia, talked to VIR’s Khanh Tran on what Vietnamese companies should do to protect themselves from increasing cyber crime.
Cyber crime is an alarming issue worldwide. Could you provide any figures to indicate the great loss due to cyber crime worldwide and in Vietnam?
PwC’s Global Security Survey 2015 reported that the annual estimated reported average financial loss attributed to cyber security incidents was $2.7 million. In addition, the number of breaches that resulted in big financial loss has also increased. The number of organisations reporting financial loss of $20 million or more increased by 92 per cent over 2013.
McAfee, the Internet security company, estimated that the likely annual cost to the global economy from cyber crime is more than $400 billion.
In Asia, most cyber crime incidents go unreported and only a few organisations come forward with information on losses. Even in Vietnam, not all cases related to cyber crime are reported. Hence, estimating the cost of cyber crime in Vietnam is difficult. A report by Marsh & McLennan, a professional services, risk management and insurance brokerage firm, stated that virus attacks cause about VND8 trillion ($376 million) in damages to consumers.
Vietnamese government agencies are making efforts to prevent cyber crime. Do you think those are effective and what advice will you suggest?
We understand that the Vietnamese Government has initiated programmes, including drafting laws on information security, and partnering with private sector companies. The legislation provides an avenue for prosecution when cyber crimes or security breaches happen.
However, legislation must be supported with cyber crime prevention programmes and mandates. For example, in Singapore’s banking industry, the Monetary Authority of Singapore publishes guidelines and mandates on Technology Risk Management and cyber security. This ensures that all banks and insurance companies operate a baseline standard of risk management and cyber security practices to minimise cyber crimes.
In addition, fighting cyber crime is not the sole responsibility of any government. Companies need to participate in that defence mechanism too – by having a robust cyber security framework, investing in security technologies, training for employees and IT security teams, and sharing cyber security intelligence with the government and within its relevant industry.
At a time of economic downturn, Vietnamese businesses are reluctant to invest in IT security systems. How could this issue be addressed?
It is impossible to secure everything in any business within a reasonable budget. IT security investments must be risk-based. It starts from an organisation identifying the “crown jewels” of the organisation – the high risk systems and data, and investing appropriately to secure those assets.
During seasons where spending investment is restricted, investments must minimally address the following: security countermeasures based on threat intelligence; fixing the basics – identity and access management, IT security hygiene (compliance and testing) and security monitoring; and training for the IT security department and awareness training for all employees.
As more and more people are using mobile devices, how could they be immune from cyber crime? In these cases, what is the role of the government and service providers to help end-users ensure security?
In fact, mobile devices add to the challenge of cyber security. Mobile devices contain sensitive information and usually connect to the office network. As such, mobile devices are increasingly becoming a target for hackers. Mobile device security is just beginning to mature.
For companies, Bring Your Own Device (BYOD) must be supplemented with an enterprise mobile device management solution that offers security capabilities such as remote wipe, enforcement of security policies, and secure partitions between office and personal data.
For individuals, awareness of the risks and good practices on using mobile devices must be increased. For example, understanding the risk of jail-breaking or rooting a mobile device, or downloading apps from untrusted sources. Government and service providers can play this role of enabling this user awareness.
How have you seen the security trends globally and in Vietnam in 2015?
There are two key trends we expect to continue from last year into 2015, globally and relevant to Vietnam. Firstly, the sophistication and frequency of cyber attacks will increase – through zero-day vulnerabilities and an expanded attack surface (mobile devices, third-party networks, introduction of new technologies). Cyber attacks are also becoming more frequent; this means that companies and governments must be able to monitor and react in a more agile manner.
Secondly, data loss will continue to increase. As data grow to support business, it is also being disseminated and duplicated at a fast pace. Correspondingly, the risks associated with data loss grow exponentially. It is imperative that companies have a data loss protection programme as part of their security strategy.