Better efforts seen in tackling cyber-security: Cisco Study
By Edwin Yapp January 17, 2020
- Malaysia has improved in mitigating cyber threats
- Multi-vendor solutions a legacy that enterprises are struggling with
ENTERPRISES in Malaysia seem to have been better prepared to mitigate cyber-security threats last year than the year before, according to a new study commissioned by Cisco Systems Inc.
The San Jose, California-based enterprise networking and cyber-security giant noted that a recent survey of Malaysian cyber-security professionals seems to suggest that while they faced more cyber-security threats in 2019 than a year before, they are better at capturing these threats and acting against them.
The study also revealed that Malaysian enterprises are experiencing a decline in the financial impact from cyber breaches while budget allocations for cyber-security efforts have improved over the course of the years, despite still being an impediment.
Culled from a poll of close to 2,000 security professionals from 11 countries across the region, including 200 from Malaysia, the study is entitled, “Cisco 2019 Asia Pacific Chief Information Security Officer (CISO) Benchmark Study.” It covered leaders from organisations of between 100 and 499 employees, comprising large enterprises and the public sector.
The data was gathered across four key areas including cyber-security culture; security alerts and the impact of data breaches; cyber-security threats in cloud and operational technology; and the defenders’ approach on managing vendors.
Speaking to the media to reveal the findings, Cisco Systems Malaysia’s managing director Albert Chai said Malaysian cyber-security professionals have had “a very busy last year” based on the numbers revealed in the study, compared with their regional and global counterparts.
“Malaysian companies receive more than 10,000 threats a day, regardless of whether they are genuine or not,” he said. “Despite the higher alerts, they were investigating more than in 2018.”
Chai said Malaysia investigated 44% of the threat alerts it received in 2019, up from 40% in 2018. Of the alerts that were investigated and found to be genuine in the country, 46% were remediated.
“We are remediating security issues and threats better than our regional and global peers. This is a very significant achievement for Malaysian cyber-security professionals,” he said, noting that this is better than the Asia Pacific and global averages, which stood at 38% and 43% respectively.
Chai also said Malaysian companies are seeing relatively lower financial impact costs from breaches, as the Cisco study showed that only 26% of companies in Malaysia reported that their most severe breach in the past year cost them more than US$1 million (RM4.11 million), compared to 50% in 2018.
“This is another positive for Malaysian organisations,” he stressed.
There was also a sharp decline in the number of companies suffering an impact of more than US$10 million (RM41.05 million) from their most severe breach, according to the poll. Only 3% of respondents reported impact costs of this amount, compared to 8% a year ago.
However, Chai acknowledged that enterprises in Malaysia are facing longer downtimes due to cyber breaches. Among the respondents, 27% of companies experienced a downtime of 24 hours or more after their most severe breach in 2019, compared to just 4% globally and 23% regionally in the Asia Pacific.
The reported downtime figure is also a huge increase from 2018, when only 9% of organisations in the country suffered going offline for 24 hours or more.
Chai said the survey did not specifically investigate why this was so but he postulated that the long downtimes could be due to Malaysian cyber-security professionals being much more conservative about reporting their recovery after experiencing breaches.
“On the surface, we seem to be worse than our regional and global peers, in terms of downtime,” he argued. “Perhaps our cyber-security professionals and senior leadership teams are more prudent in isolating the incidents, and communicating these issues to the customer and to the public. This could be one reason why threats are taking longer than a day (24 hours) to be remediated.”
Multiple vendor conundrum
Another major challenge faced by enterprises today concerns the use of multiple vendors in a bid to fortify their cyber-security, noted Kerry Singleton, Asean director of cyber-security at Cisco Systems.
According to the poll, 35% of respondents say they use more than 10 security vendors in their respective organisations. While this is a slight improvement from 2018 (39%), it is still a key issue.
The study also reported that 90% of enterprises in Malaysia said they find it challenging to orchestrate alerts from multiple vendors’ security products. This is higher than the regional (88%) and global averages (79%).
Asked why this trend is so prevalent, Singleton said part of the reason is legislation such as the Sarbanes-Oxley Act, which required redundancy for everything that was implemented.
The Sarbanes-Oxley Act of 2002 is a law the US Congress passed on July 30 of that year to help protect investors from fraudulent financial reporting by corporations, according to Investopedia. Also known as the SOX Act of 2002 and the Corporate Responsibility Act of 2002, it mandated strict reforms to existing securities regulations and imposed tough new penalties on lawbreakers.
“There used to be a time when security practitioners used to tell our customers that you need to protect yourself using a multi-layer approach to solving problems,” he argued. “[So] there is a need for vendor A for the endpoint and vendor B for a server.
“But when you do multilayers – one multilayer on top of another – it’s doubling up everything,” he explained. “Clearly this hasn’t worked, and has in fact created more complexity and challenges for automation,” he said, adding that the whole mindset of that industry has already moved away from this philosophy for about 10 years.
Chai added that the approach to solving security problems hasn’t evolved that far.
“In the old days, you had a perimeter to protect but with the proliferation of devices on the edge becoming a trend, the perimeter has dissolved. Suddenly your vector of attack has increased multifold.
“As the vector of attacks increase, security professionals started to ‘throw a box [solution] at the problem.’ And the more boxes we throw, it has gotten out of hand and those boxes don’t talk to each other, and create more complexities for today’s enterprises.”
Quizzed as to how to address this problem, Singleton said that enterprises need to make decisions more holistically, look consistently at how they address the organisation’s security posture across the whole company, and stop different teams from making buying decisions on a piecemeal basis.
“This is where frameworks are changing and where we as vendors and partners are trying to educate customers,” he argued. “We are also doing security audits to ensure that we address this problem and educating our customers to implement better frameworks to address this problem.”
The Cisco study also identified the following:
The top barriers for adopting advanced security technologies in Malaysia are:
- Organisational culture/attitude about cyber-security (43%);
- Budget constraints (38%);
- Lack of trained personnel (38%); and
- Lack of awareness of advanced security technologies and processes (38%).
The lack of trained personnel is a greater issue for a number of enterprises in Malaysia this year compared to 2018, when only 26% of organisations cited it as one of their main challenges.
As for data breaches and the improvements that were made following a breach, the top measures among Malaysian companies were to increase:
- Security awareness training among employees (56%);
- Enforcement of data protection laws and regulations (44%);
- Focus on preventing security breaches caused by employee-owned mobile devices (37%); and
- Focus on risk analysis and mitigation (37%).