In a report published last week titled M-Trends: 2016 Cyber Security Threats [gated PDF], Mediant, part of FireEye showed that APAC lags a long way behind the rest of the world on security. In fact, it takes organisations three times longer – nearly a year and a half – to spot breaches than it does elsewhere.
Separate findings from SecureWorks suggested this trend could be worsened further as attackers have started using specially localised ransomware to target particular countries in the region.
So why is APAC so far behind? To gain some perspective we conducted a short email Q&A with Bryce Boland, Chief Technology Officer for Asia Pacific at FireEye and also sought the view of a variety of other security professionals.
Feedback from FireEye:
Why are organisations in APAC less security ready than those in other parts of the world?
Most organisations in Asia Pacific have not yet developed the security maturity necessary to detect advanced attacks or detect attackers inside their networks. Far too many organisations here are still relying on firewalls and antivirus and assuming those will stop threats.
We also see they often lack basic response processes and plans.
This is compounded by the disproportionate focus APAC organisations place on perimeter defence, when many cyber attackers have evolved beyond that. Most targeted organisations weren’t familiar with lateral attacker movement and did not impose any security controls around these activities.
What is this likely to mean longer term?
Today the ramifications of this long dwell time are very significant when you consider the impact to national security and economic security, as well as the potential damage incurred by individual organisations. We do expect Asian organisations to improve their defences in the future, just as we have seen in recent years in Europe and the United States. Awareness across the region is improving as more people understand they could be in the crosshairs of advanced attackers.
What will it take to change the situation?
Reports like this help to demonstrate the scope of the problem. Most breaches in Asia go unreported, and as a result most people think the problem isn’t serious. Unfortunately, the problem is much greater in Asia than it is in the US, precisely because of this lack of awareness. Governments have a role to play in raising awareness and raising the bar in security requirements. And business leaders should start asking themselves if they would ever find out if they were breached.
Perspective from a variety of security professionals:
Lack of regulation is critical
“The APAC region isn’t necessarily different from the rest of the world in the respect that they are less prepared. Government agencies haven’t made breach disclosure laws a priority and I expect this will change in line with the Western world as trade increases. Furthermore, the complexity of networks and the advent of more technologies don’t always mean an organisation is going to be safer in adopting these. In order to get security tightened up, better security management is needed and there are tools and platforms that can help companies achieve this.”
Michael Callahan, VP at FireMon
“Companies implement cybersecurity because it’s a business need, and that simply hasn’t been the case in APAC.
The business need for cybersecurity is driven either by customer demand and the potential brand damage from a breach, or by adequately enforced regulations. Without customer demand or regulation, businesses simply aren’t motivated to spend money on cybersecurity.
In places where regulations do exist, lack of enforcement can result in haphazard implementations. You can’t have compliance without effective audit.”
Tim Erlin, Senior Director of Product Management at Tripwire
Things are changing rapidly
“It's been normal to see APAC lag the North American and European technology markets. A combination of lagging consumer maturity not demanding advancement and vendors not offering solutions localised or built for the spread out geographies of APAC contributes to this well recognised gap. However, bad guys have no reason not to wade into APAC attacks. They're not dependant on any of those factors. That means APAC may have to forego their usual wait and see period and live with solutions not exactly suited to them or find local vendors to help. We're also seeing a rapid increase in the maturity of the APAC condiment base from a tech point of view, which will put more pressure on organisations to have the same level of protections as other regions."
Jonathan Sander, VP of Product Strategy at Lieberman Software
Culture always plays its part
“Many countries have a very different mind-set and way of operating from Western countries.”
Javvad Malik, Security Advocate at AlienVault