Accelerated digital transformation since the pandemic has highlighted how lack of preparation can be just as detrimental to organizations as an actual cyberattack. Going forward into 2022 and beyond, the rapidly changing landscape continues to create significant new cyber threats that will increase cyber risks on multiple global fronts via numerous evolving threat vectors.
According to the Cyber security considerations 2022 report by KPMG, navigating this fluid environment will require a mindset shift towards one of enablement to focus on striking a balance and ensuring that “security is everyone’s job”, acknowledging its role in building and maintaining customer, client, and stakeholder trust.
From January to December 2021, a total of 10,016 cases of cyber incidents were reported to the Cyber999, the cyber security incident response center operated by MyCERT (Malaysia Computer Emergency Response Team)¹. According to a study referenced in the Malaysia Cyber Security Strategy 2020-2024, Malaysia has the potential to lose RM51 billion due to cyber security incidents, which accounts for more than 4% of the country’s total gross domestic product.²
Ubaid Mustafa Qadiri, Head of Technology Risk & Cyber Security at KPMG in Malaysia, commented, “Out of over 10,000 cyber security incidents reported to MyCERT last year, 71% were fraud related, while intrusion attempts and malicious codes make up the top three threats reported. Cybercrime is changing as criminals avail themselves to new technology, which means our approach to cyber security must evolve as well.
“Whether it’s advanced persistent threats, ransomware, backdoor attacks, or something we’ve yet to see, there will likely always be new perils with which to contend. We have found that a lack of preparation and being overly reactionary can be as detrimental as the actual cyber incident. That’s why it’s so important to have a plan, test your responses according to different scenarios, and understand the depth and breadth of potential cyber incidents to your business,” advised Ubaid.
KPMG’s report focuses on eight core areas to help business leaders better understand how cyber can support the business with a security plan based on shared accountability:
- Expanding the strategic security conversation
Change the conversation from cost and speed to effective security to help deliver enhanced business value and user experience.
Handling, and mitigating risk to help the strategic viability and operational sustainability of the entire organization is a shared responsibility that starts with the business., CISOs and their teams should help leadership across the business gain an appreciation for what goes into security and privacy by design to better align security with the organization’s strategic business objectives.
- Achieving the x-factor: Critical talent and skillsets
Transform the posture of CISOs and their teams from cyber security enforcers to influencers.
Modern security programs, led by forward-thinking security teams, empower organizations to move with agility, pursue growth and serve customers better. As the threat landscape evolves, CISOs need to change the narrative so developers and the business lines understand that cyber exists to support rather than hinder.
- Adapting security for the cloud
Enhance cloud security through automation — from deployment and monitoring to remediation.
While digital transformation propels cloud adoption and usage forward, it also puts institutions and businesses at greater cyber risk. Lack of cloud security skills means the business of protecting the organization operates at a distinct trust deficit. Organizations can start by promoting the view that all data sitting in the cloud is the responsibility of the organization and ensure everyone understands cloud-specific security requirements and collaborate with the provider to avoid misconfigurations.
- Placing identity at the heart of zero trust
Put IAM and zero-trust to work in today’s hyperconnected workplace.
In an environment where cybercriminals are often just a click away, organizations should adopt a zero-trust mindset and architecture, with identity and access management at the heart of it. Enterprises and institutions should consider new standards, tools and strategies to better secure their systems, data and infrastructure.
- Exploiting security automation
Use smart deployment of security automation to help realize business value.
As the threat landscape continues to expand and increase in complexity, companies are successfully automating the security function and freeing up resources by applying automation to routine, repetitive tasks. Start small; identify the use cases for automation that your organization truly needs and will be able to generate business value. Take a proactive approach to security automation by focusing on threats instead of incidents.
- Protecting the privacy frontier
Move to a multidisciplinary approach to privacy risk management that embeds privacy and security by design.
Keeping individuals’ data secure and taking data privacy seriously is more than just implementing new processes to satisfy regulatory requirements — it’s a cultural shift. This should start at the top; with C-suite recognizing that data belongs to their customers, clients and partners and they have a responsibility to collect and employ it legally and ethically.
- Securing beyond the boundaries
Transform supply chain security approaches — from manual and time consuming to automated and collaborative.
Becoming a digital-first organization implies a data-centric approach in which
data is shared on a near-constant basis throughout a complex and connected ecosystem of partners and suppliers. A strong risk management framework that looks both inward and outward is key especially for high-risk industries, such as financial services, energy and healthcare.
- Reframing the cyber resilience conversation
Broaden the ability to sustain operations, recover rapidly and mitigate the consequences when a cyberattack occurs.
In today’s volatile digital environment, resilience should include consideration of how well companies understand, anticipate, and are prepared to recover from the potential impact of a major cyber incident. It should be an organization-wide effort, and CISOs should educate leadership about the risk and consequences of a breach and why cyber resilience is so important.
The report also identifies several emerging cyber security challenges which could soon become major areas of focus for cyber professionals across virtually every industrial sector: Industrial Internet of Things (IIoT), 5G Networks and Artificial Intelligence (AI).
The Minister of Communications and Multimedia had last year announced the 5G Cyber Security Test Lab (My5G) in anticipation of the nation’s 5G rollout³. My5G will be Southeast Asia’s first specialist security evaluation and test facility testing for 5G products, devices and applications.
“The prospective capabilities of 5G will be game-changing but will also pose new security challenges. The Government will need to create an environment that is flexible and adaptable to address existing legacy issues and tackle new emerging threats. Meanwhile, organizations looking to capitalize on the benefits of 5G will also need to begin strengthening their security infrastructure in order to get ahead of the competition,” added Ubaid.
For more information, visit www.kpmg.com.my/cybersecurity.