SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asian SMEs lagging behind in data breach disclosure policies
Mon, 9th Oct 2017

With the Asia Pacific region's security technology spending forecast to grow 13.8% in the next two years according to research from IDC, a recent report from ESET says that Asia Pacific's small and medium enterprises are worried about the cost of implementing such technologies.

Released in August, ESET's State of Cybersecurity in APAC: Small Businesses, Big Threats report found that 35% of SMEs find it difficult to justify security spending, especially when other areas of the business need it more.

"The lack of sufficient budget is more apparent in developed markets such as Japan (40%), Singapore (34%) and Hong Kong (28%) compared to emerging markets such as India (24%) and Thailand (20%). This could mean that SMBs in emerging markets could leapfrog those in the developed markets when it comes to cybersecurity solutions," ESET comments in the report.

Local SMEs also have some way to go in how they communicate about cyber breaches, including informing employees when one occurs.

While 54% of the 1500 respondents surveyed said they had suffered a breach in the last year, only 56% have policies in place to inform employees about the breaches and 49% have policies to inform clients.

“This lack of transparency can be particularly damaging as it can erode customers' trust in a business. SMBs need to reconsider their communication policies and see how they can be improved. Successfully recovering from a breach with transparent communications can help bolster trust and improve relationships with customers,” ESET comments.

Hong Kong SMEs see the greatest costs associated with cyber breaches, at $43,607. India had the lowest costs, incurring $29,948 in damages.

The report also found that 81% of SMBs apply encryption to at least one form of information or device type within their organisation, and most used antivirus software and firewalls.

However, fewer organisations use anti-ransomware and two-factor authentication as part of their cybersecurity measures.

ESET says there have been a number of breaches targeting the Asia Pacific region. Singapore telecommunications company StarHub was hit by a DDoS attack; Japan's Mitsubishi Heavy Industries was also hacked.

“The economy in this region, particularly Southeast Asia, is largely driven by SMBs and there is a need to highlight the importance of investing adequately to combat the increasingly rampant cyberattacks,” ESET comments.

Over the last three years, 75% of Indian SMEs suffered a security breach, followed by 61% in Hong Kong, 54% in Singapore and 53% in Thailand. Japan is the most resilient, with only 29% of SMEs experiencing breaches.

SMEs cite the risk of employees using non-company devices to access networks as the biggest cybersecurity challenge they face (22%), followed by the risks from using third-party service providers and suppliers.

“With a rise in the ‘Bring Your Own Device’ (BYOD) culture in the workplace, SMBs are exposed to a larger attack surface, especially if they do not restrict access to the organisation's network to only authorised devices,” ESET comments in the report.

“Network monitoring is essential for organisations in reducing the mean time to detect potential malware attacks. SMBs need to be able to react quickly in order for them to take proactive measures which can either prevent problems from occurring or reduce the impact of the damage.”

All countries surveyed (Singapore, Hong Kong, India, Thailand and Japan) cite the cybersecurity skills shortage as a major barrier to ensuring cybersecurity. The concern is most pronounced in Japan, where 40% of companies are worried about the shortage.

“Cybersecurity only became a major consideration in the last few years. Demand for cybersecurity experts currently outstrips the supply of such individuals. Unlike enterprises, SMBs do not necessarily have the funding to outsource the role to a managed service provider,” ESET concludes.