
APAC firms grapple with cyber security amid pandemic

Some aspects of cyber security have taken a back seat as companies across the Asia-Pacific (APAC) region rush to shore up their infrastructure to cope with the demands of remote work amid the pandemic.

Consequently, some vulnerabilities could have been exposed for threat actors to exploit as patch management programmes fall behind, according to Anna Gamvros, head of data protection, privacy and cyber security for APAC at Norton Rose Fulbright, a global law firm.

Speaking at an online media roundtable on data protection and cyber security earlier this week, Gamvros added that threat actors had also taken advantage of organisations that relied on single-factor authentication, rather than multi-factor authentication, for access to their remote networks.

“Organisations that just had password access to their remote networks had been exposed,” she said, adding that there were also more incidents arising from a lack of security protection at endpoints.

Stella Cramer, Norton Rose Fulbright’s head of technology and innovation for APAC and financial technology in Southeast Asia, said that in countries such as Singapore there is also growing concern over the security of the internet of things, as well as ransomware attacks.

With ransomware, Cramer said threat actors are no longer just encrypting data, but also posting data that they have exfiltrated. “They are going after companies with more sensitive data and targeting jurisdictions with higher fines and penalties for data breaches to maximise their leverage on corporates to pay ransoms,” she added.

Steven Hadwin, the firm’s director and head of operations for data protection, privacy and cyber security, noted that while the operational challenge posed by ransomware looms large, the bigger risk lies in the regulatory and liability implications. “We tend to think of it now as cyber extortion more generally, rather than just ransomware itself,” he said.

A starting point for organisations to assess their exposure to cyber risks, said Gamvros, was to have a thorough cyber risk assessment to know what their assets were as well as their key threats and vulnerabilities.

Hadwin said companies were generally well-prepared to respond to cyber incidents with incident response and recovery plans in place, but those plans often assumed the alternative of on-premises working and going back to face-to-face meetings.

“Now that alternative is no longer viable, companies need to revisit incident response plans, looking afresh from the perspective of large-scale remote working,” he said.

The panellists also weighed in on the recent SolarWinds Orion Sunburst cyber attack that affected governments and some technology companies including Microsoft.

Though such supply chain attacks are not new, Hadwin said it was “one of the most significant and sophisticated incidents that we’ve seen”, and that the incident highlights the challenges in carrying out effective threat monitoring and identification.

Against this backdrop, increasingly sophisticated threat actors and evolving regulations that require stricter assessment standards will likely pose the biggest challenges to organisations.

However, the firm noted that the cyber risk landscape also lends itself to the use of technologies such as artificial intelligence to help firms conduct cyber due diligence and strengthen their security posture.
