KUCHING: While a majority of the surveyed Malaysian companies believe that cyber security is important and seek guidance from IT security experts, almost all (96 per cent) of them are only in the early stages of security preparedness, according to a survey jointly conducted by Quann, a leading Managed Security Services Provider in Asia Pacific, and research firm IDC.
The survey identified significant gaps in security device deployment, cyber awareness, resources and preparedness for attacks, making these companies vulnerable to cyber attacks.
The inaugural Quann IT Security End User Study 2017, covering 150 senior IT professionals from medium-to-large companies based in Singapore, Hong Kong and Malaysia, aims to understand the cyber security strategies of these organisations as well as their preparedness and vulnerability to cyber attacks.
In a press statement, Quann managing director, Foo Siang-tse, said: “The findings are worrying but they don’t come as a surprise.
“Many companies are simply not investing enough in IT security, despite the obvious threats.
“The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg.
“Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals, is critical in enabling them to detect threats early and mitigate their impact.”
While basic IT security features such as firewalls and antivirus are widely deployed by the Malaysian companies surveyed, almost half (46 per cent) of them do not have Security Intelligence and Event Management Systems to correlate events and raise alerts for any anomalies.
Also, the survey pointed out that 52 per cent of the Malaysian respondents do not have a Security Operations Centre (SOC) or a dedicated team to proactively monitor, analyse and respond to cyber security incidents that are flagged by the systems.
The lack of proper monitoring systems and processes means that anomalies picked up by security devices might go unattended and malware might reside and cause damage within corporate networks for long periods.
“Companies may consider working with an experienced cyber security partner to design, build and manage a 24/7 on premise SOC that can quickly detect threats. Another option is to engage a Managed Security Services Provider (MSSP) that can provide a comprehensive suite of services, including 24/7 monitoring, regular vulnerability assessment and penetration testing and incident response and forensics,” Foo added.
The survey also finds that 38 per cent of Malaysian respondents either do not have any incident response plans to protect the companies’ networks and critical data in the event of a cyber attack or only react when a breach occurs.
It said only one-third (33 per cent) of them practise their incident response plans.
“Cyber criminals usually target non-IT employees who are seen as the weakest link in cyber security. However, only 31 per cent of the Malaysian companies require all members of the organisation – from the CEO down – to take part in IT security awareness training,” Quann stated.
The survey further showed that many Malaysian respondents (71 per cent) do not have a dedicated IT security budget and planning process.
“Most Malaysian respondents have a security lead but he/she is not a dedicated resource and has other responsibilities at the same time.
“They also do not have round-the-clock security support, with 40 per cent having security support only during work hours, and 21 per cent only during the work week,” it said.
“With cyber attacks evolving at an unprecedented speed, there is a need for organisations to invest in security resources, increase the frequency and expand the audience of IT security training to keep pace with the cyber threats,” it highlighted.
The survey also reveals a low level of engagement from senior leadership in formulating IT security strategies, even though such engagement is critical.
“A majority (86 per cent) of Malaysian respondents consult security executives, but only 17 per cent of them will invite the executives to board meetings and involve them in risk assessment,” it said.
IDC Asia/Pacific’s IT Security Practice vice president, Simon Piff, said: “Not all C-Suites in Asia are fully conversant with the fundamentals required to develop a robust cyber-security strategy, with the appropriate cyber security investments.
“Cyber security investments are akin to military spending – we do it in the hope that we would never have to use the tools. They need to understand that this is not a business ROI with immediate, visible returns.
“However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation.”