As technology develops, the cybersecurity industry faces shifting challenges and opportunities. As a global cybersecurity company, we’re always working to identify key areas of focus for different regions. Here are some of the major cybersecurity issues we see on the horizon for the Asia-Pacific region.
Today’s 4G problems are setting the scene for 5G.
While we’re still a fair way off widespread adoption, we’ve already started to see early 5G trial services launched in Australia, Singapore and South Korea. For instance, Singapore has begun its experiments in cloud gaming, autonomous vehicles, smart estates and the food and beverage industry. Once deployed successfully, 5G networks will have the potential to unlock autonomy, significantly impacting the entire economy, from sectors such as transportation and supply chain to manufacturing.
Before we even start to consider the rollout of 5G, however, 4G networks today are still vulnerable to a myriad of attack modes, from spam to eavesdropping, malware, IP-spoofing, data and service theft, DDoS attacks and numerous other variants.
Prediction: 4G will remain the priority for the majority of Asia Pacific.
While 5G will continue to evolve alongside 4G networks, the era of 5G isn’t quite upon us yet. In some APAC countries, 4G has only just been rolled out, so it will be some time still before 5G networks hit critical mass. According to forecasts by GSMA, 4G will still account for 68% of global mobile users by 2025 in this region. Many rural areas could still operate under LTE models, simply due to the longer range of 4G, compared to 5G’s mmWave.
If existing security risks are not dealt with and are allowed to roll over, mobile ISPs could be the first point of failure during a cyberattack, and vulnerabilities such as unsecured IoT systems could be amplified exponentially under 5G if not addressed at 4G. New cybersecurity approaches are needed today, including adopting a preventive approach to security, increasing levels of security automation, establishing contextual security outcomes and integrating security functions with APIs. We foresee that 4G will continue to be targeted by hackers as a potential gateway to 5G networks over the next few years.
The talent shortage isn’t what you think it is.
Much has been said about the lack of cybersecurity talent globally and the critical skills gap that persists. The latest research puts the current shortage at 2.14 million in the APAC region, according to the (ISC)² 2018 Cybersecurity Workforce Study, making this region likely to be the worst affected.
Prediction: Curious minds and problem solvers wanted.
The demand for cybersecurity will continue outstripping the supply until there is a fundamental shift in mindset. Two complementary approaches will be required to address this challenge: the adoption of automation and exploring alternative sources of talent.
Automation is going to be a key element in the future of cybersecurity because human operators should not be required – and expected – to do everything. Instead, they need to harness skill sets that cannot be automated and focus on higher-order tasks, such as problem-solving, communication and collaboration. This will necessitate a reexamination of today’s security operations centre (SOC) structure, and a corresponding change in the types of professionals needed for these new roles, in order to accurately identify and fill some of these gaps. Companies and recruiters need to stop searching for unicorns (they don’t exist!) and start looking in the right wells for talent.
In 2020, we expect to see greater evaluation of EQ rather than IQ to find curious minds with problem-solving skills, be they engineers, analysts or even communications specialists. Investments need to be made to upskill and cross-skill these overlooked sources and groom these capable individuals into the talent we need.
Navigating IoT will become a minefield for everyone.
Asia Pacific is projected to be the global IoT-spending leader in 2019, accounting for approximately 36.9% of worldwide spending, according to IDC. Yet even today, security can come as an afterthought in product development. Some connected devices continue to be shipped out with no viable means of receiving software updates and security patches, leading to common vulnerabilities that can be exploited easily. This issue will be further exacerbated by the growing number of potential threats to IoT security, such as DDoS attacks, in 2020.
Prediction: Your wireless doorbell might welcome more than your visitors.
In 2020, we will see the evolution of IoT security play out in two key spheres: personal and industrial IoT. From connected doorbell cameras to wireless speaker systems, we will see a growth in attack modes coming in via unsecured apps or weak login credentials. This threat is further complicated by the emergence of accessible deepfake technology, which can pose a threat for voice- or biometric-controlled connected devices. The mimicry of what were once the strongest biological identifiers to access and control connected systems will have an impact beyond the homes of individuals and into the enterprise environment.
For enterprises, one sector in which we expect to see significant changes take effect is manufacturing, a key pillar of many Asian economies. Manufacturers are looking to deploy sensors, wearables and automated systems as a way to streamline production, logistics and employee management via data collection and analytics. Organisations will need to ensure that these connected devices can leverage automated features, such as built-in diagnostics, continuous vulnerability scanning and advanced analytics in order to remain on top of threats.
Connected devices will need to be continuously retrofitted and updated in order to remain secure. There also is a growing trend among governments globally – including those in Asia Pacific – to issue guidance or regulations related to IoT device security. Further, efforts also are ongoing in industry standards groups to develop relevant security standards for IoT devices, such as the draft ISO/IEC 27037 standard. We also expect prioritisation of public education to accompany the rapid growth and adoption of connected devices.
The data privacy lines get blurrier.
The Internet Society’s 2018 survey on Policy Issues in APAC found over 70% of respondents would like to be given more control over the collection and use of their personal information. However, most people don’t think twice about trading personal information for short-term benefits, such as trending apps, mobile gaming or online contests. Such behaviour is echoed by both a low awareness of cybersecurity hygiene in some emerging markets and a perceived complacency in others, such as Singapore.
To help address this growing problem and protect citizen data, regulatory momentum is building around the implementation of more stringent local data privacy laws. Some countries, including Thailand, have passed new laws to govern the protection of data, pressuring businesses to pay closer attention to the data they collect, along with how it’s shared and used. While some efforts – such as Japan’s recent updates of its data privacy law – have been spearheaded by compliance with the European Union’s GDPR, it is important for enterprises to note the varying states of maturity and local nuances.
Prediction: More data privacy legislation, and the data sovereignty-security paradox.
We expect additional data privacy legislation to emerge in the region. Both Indonesia and India have been working on personal data protection bills for the last few years, although the timing for if and when these become final is unclear. A growing number of proposals in the region also would require housing data in its country of origin; these tend to be driven by privacy and security concerns. The latest draft of Indonesia’s Government Regulation No. 71 of 2019 would mandate that public agencies must manage, process and store data within Indonesia (according to unofficial translations). We expect more regulatory proposals that regulate or restrict the movement of data across borders, particularly public sector information. In response, it is likely that companies may look to build more data centres locally to support in-market customers better.
However, it is important to note that establishing localised data centres does not necessarily result in data being more secure. Individual end users or corporations are increasingly connected and vulnerable to global incidents, as cyberthreats do not respect national borders. To manage this effectively, companies will need to regularly evaluate the value of the information they collect and control its access.
We foresee that enterprises will need to pay even closer attention to their data flows in a highly interconnected region like ASEAN. Despite efforts to create a regionally harmonized approach to personal data protection—such as via the voluntary APEC Cross-Border Privacy Rules—there is no true harmonization. To create a framework that best serves the region, close collaboration between the private and public sectors will be needed to evaluate how breaches are identified and defined in the face of continuously emerging threats.
The cloud future has arrived: Don’t get lost in turbulence.
There is a complicated mix of attitudes and degrees of cloud adoption across the region. To add to the complexity, misunderstandings still persist around the benefits of virtual versus physical.
All things said, the forecast for cloud adoption shows clear skies ahead. For CIOs in Asia, the cloud journey will boil down to enterprise maturity and having a clear understanding of what a move to the cloud should mean for their digital transformation strategy. We’ve also started to see governments in ASEAN take small steps towards this transformation; agencies in Singapore, Thailand and Malaysia have all announced ventures in the public cloud space, while Indonesia is expected to be Asia's next big data centre hub.
Prediction: More confusion on configuration.
Commissioned by Palo Alto Networks, Ovum’s Asia-Pacific Cloud Security Study has found that 80% of large organisations view security and privacy as key challenges to cloud adoption.
Key findings include:
- 70% of large organisations in APAC have misplaced confidence in cloud security, believing security by cloud providers alone is sufficient.
- Large organisations in APAC have many security tools, which creates a fragmented security posture and adds further complexity to managing security in the cloud, especially if the companies are operating in a multi-cloud environment.
- There is a need for automation, given that large organisations do not have enough time and resources to dedicate to cloud security audits and training.
More companies are moving towards a DevSecOps approach, integrating both security processes and tools into the development lifecycle of new products. This will be the way forward for integrating cloud and containers successfully.
This analysis of cybersecurity issues in the Asia-Pacific region grows from our efforts to ensure each day is safer and more secure than the one before.