Cyber RISKS

Protecting your flank: cyberattacks and how to stop them

Sanjay Sachdev

Earlier this year we published a pair of articles on how digital investments can create strategic value for your organisation. The advantages of digital transformation can be immense, but many businesses fear that the process of moving their operations to the computerised realm could also open the door to cyberattacks.

They are right to worry. A recent study by Frost & Sullivan and Microsoft, entitled “Understanding the Cyber Security Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World”, collected data from 1,300 business and IT leaders in medium to large organisations. The study revealed that large organisations in Thailand (500 employees or more) each lost an average of $12.7 million in 2017 due to direct, indirect, and induced effects of cyberattacks.

In most cases, direct losses make up a small percentage of the total damage done via cyberattack. Harm to reputation is counted as an indirect cost, as is the resulting loss of customers, as well as opportunity costs from dealing with a security breach. Induced costs include the damage done to the wider economy and industry in which the attack took place.

For the average large Thai organisation included in the study, just $0.7 million was lost through the direct result of attacks. Indirect effects accounted for $6.7 million of the lost money, while induced losses accounted for the remaining $5.3 million. The subtle, sometimes hidden costs of indirect and induced losses often cause businesses to underestimate their exposure to cyberattacks.

Other related statistics have a similarly sobering effect. According to the same study, 62% of companies suffered job losses due to cybersecurity incidents, and nearly ¾ of companies said they had delayed their adoption of digital transformation plans due to fear of cyberattacks. In total, $8.9 billion – or 2.2% of Thailand’s entire GDP – was lost last year as a result of cyberattacks.

Across the Asia Pacific region, upwards of $1.745 trillion (7% of its total GDP) could potentially be lost due to cyberattacks in the coming years. The most potent methods of attack include online brand impersonation, fraudulent wire transfer, data exfiltration, and data corruption. In such an environment, with botnets, hackers, and ransomware all adapting more vigorously to an increasingly complex digital world, it is no wonder that some companies are hesitant to commit to a greater reliance on computerised networks.

But there is hope. As cyberattacks become more advanced, so do defences. Artificial intelligence itself, if put to proper use, can be enlisted to protect your company’s data systems. In fact, according to the Frost & Sullivan study, 3 out of 4 Asia-Pacific organisations are either planning to incorporate AI into their cybersecurity or have already done so. AI can monitor computer use, scan systems, detect anomalies, and shut down irregular access to networks as threats are discovered.

AI, however, is but one link in a long chain of important security measures for the digital age. A year ago we published a report on the risks, and the countermeasures, that companies need to be aware of in the present environment. The recommendations in that report are process-based and universal, and can be summarised through the following guidelines:

  1. Assign responsibility for the issue. Risk must be acknowledged and someone must be put personally in charge of overseeing the mitigation of that risk through company-wide security procedures. The responsible person(s) must oversee the labelling of data in terms of its sensitivity; instruct company staff on the steps to follow in keeping information secure; and be accountable in case of a breach. In other words, security must be taken as seriously as any other core task that the organisation undertakes.
  2. Incorporate risk management into the business structure. Rather than treating security as an afterthought, it should be considered at each step when designing your business model. Each department should assess its potential risk to the organisation if it should fall victim to cyberattack, and systems should be put in place to delete data that is no longer needed by the company. Such measures allow organisations to operate with better security, and be mindful of the risks when planning ahead for future endeavours.
  3. Educate and train your staff at a human level. Not everyone can easily conceptualise the technical side of the online ecosystem, or speak at a level that your IT specialist may take for granted. Using simple and clear terms through ongoing training efforts is the best way to prepare employees for the security threats they are likely to encounter. Teaching employees to follow best practice on their data security is a difficult task, but a persistent and down-to-earth approach can help them become more difficult targets for would-be hackers.

These security measures will take some time and effort to implement, but the inconvenience they pose is trivial compared to the potential impact of a targeted cyberattack. Despite experiencing significant losses from security breaches, many organisations have been slow to adopt these types of controls. As we reported a year ago, more than one in three (36%) organisations do not assign a risk profile to their data, making it difficult for their IT staff to know which information to focus most of their attention on protecting. Companies need to raise their awareness of these issues and adopt sensible plans to defend themselves. This isn’t a straightforward activity, or even a finite one, but it is an indispensable part of risk management in the digital era.