Why Asia is a prime target for cybercriminals
US security company cites lack of awareness of cyber threats and lack of disclosure regulation as reasons why the region is vulnerable
From attacks on Ukrainian power grids to central bank heists in Bangladesh and the leak of stolen information from the Democratic National Committee in the US, cybersecurity threats have escalated massively in recent years.
Governments, companies and individuals are equally susceptible all over the world, but cybersecurity experts believe Asia is most vulnerable to such attacks.
Data from American security company FireEye showed 28 per cent of organisations in Asia-Pacific were hit with an advanced cyber-attack in the second half of 2015, nearly double the global average of 15 per cent.
Experts told CNBC there were several reasons why Asia is a prime target for hackers.
Large, potential victim pool to target
Asia houses nearly 60 percent of the world’s population, and the aggregate number of people connected to the Internet in the region is massive - nearly a billion people have access to the Internet, with more than half of them in China.
In August, Xinhua, China’s official news agency, reported the country had 710 million internet users as of June 2016, according to an official report from the China Internet Network Information Centre.
“That’s a lot of people on the Internet, transacting, doing social work, social media [and] doing business,” Keshav Dhakad, regional director at Microsoft’s Digital Crimes Unit, told CNBC in a recent interview.
Low awareness towards cyber threats and cybersecurity
Collectively, experts say, Asia’s level of awareness towards cyber threats and cyber security was comparatively lower than in other regions, such as the United States and Europe.
As a result, many companies were less likely to devote additional resources to secure their technology infrastructure against external breaches and their response time to detect such breaches would be slower.
FireEye data showed that globally, companies took a median of 146 days in 2015 to identify a security breach, while in Asia Pacific that number was 520 days.
The delayed response time meant attackers were more likely to succeed in stealing information without immediate detection and could make a good return on their investment, according to Bryce Boland, chief technology officer for Asia Pacific at FireEye.
Cyber attackers usually have to invest capital, time and effort to build new forms of attack and their reward is often in selling the data they manage to steal.
Boland explained to CNBC, “If I spend US$10,000 to try to break into a company, and they keep detecting me, I’m not going to make any money back.” By remaining undetected for longer, the same attack could be used repeatedly to steal data.
Lack of disclosure regulation
In the United States and the European Union, when a company is breached and its data are stolen, it is legally obliged to report the issue or risk facing penalties.
“In Asia, it’s different. It varies from country to country,” Paul Haswell, a partner at law firm Pinsent Masons in Hong Kong, told CNBC by phone. “In Hong Kong, there is no requirement under law to notify someone if there has been a data breach.”
This created the perception that cyber attacks in the region were comparatively lower than those reported in the US and Europe, according to FireEye’s Boland, even though Asian businesses were twice as likely to be targeted.
In 2015, a Hong Kong-based company that made electronic toys for children, V-Tech, said information about at least 6.4 million children and 4.9 million adult customers was compromised due to a data breach, according to The Wall Street Journal.
“There was no penalty for them for not telling because they were required to,” Haswell said. He added it was possible that only 10 to 20 per cent of the data breaches that take place in Asia Pacific are reported.
Earlier this month, the Singapore government announced a new cybersecurity act that will make it mandatory for companies in 11 critical information infrastructure sectors to report cybersecurity incidents to relevant authorities.
Such regulations, however, are still uncommon across the broader region.
Use of outdated or unlicensed technology
A common problem in Asia that experts pointed to was the use of outdated technology by many organisations - both private and public.
Microsoft’s Dhakad said it was critical for government agencies, businesses and individual users to understand they cannot hold on to older technology. “Those technologies were brilliant at the time they were created.”
For example, many automated teller machines (ATMs) were vulnerable to being hacked because they still relied on outdated operating systems such as Windows XP, which has been threat-prone since Microsoft ended support for it in 2014. That meant Microsoft could not release any new security updates to protect the operating system from new threats.
Another issue that is widespread in Asia is the use of non-genuine, or pirated, software, which studies show criminals are taking advantage of.
A hacker could, for example, install malware - the generic term for malicious software - inside unlicensed software. When a user installed it on their computer, it could immediately compromise the security of the device, and the hacker could gain access to it.
In May, a report from BSA | The Software Alliance - an advocacy group that was set up to tackle software piracy - showed there was a strong connection between cyber-attacks and the use of unlicensed software.
Asia Pacific, the study showed, had the highest overall rate of unlicensed software installed on computers in 2015 at 61 per cent.