Kuala Lumpur, Malaysia – Whether you’re a homemaker or a CEO – you are a possible target of an increasingly sophisticated and indiscriminate breed of cybercriminals.
That’s the message from the head of a company advising prominent firms in Asia on how to protect themselves from online attacks. The warning by the Kuala Lumpur-based Asia Cybersecurity Exchange coincides with the release of a global report on Wednesday by Aon, a large risk consultancy firm, showing how emerging technologies such as the so-called Internet of Things and even a company’s own employees are proving to be vulnerabilities around the world.
Analysts say Asia is particularly prone to attacks and stands to lose hundreds of billions of dollars.
“In 2019, the greatest challenge organisations will face is simply keeping up with and staying informed about the evolving cyber risk landscape,” Aon said in its report.
“Organised crime now uses former intelligence members for more sophisticated attacks and state actors are both broadening the nature of their attacks and increasing their frequency,” it added.
The scale of damage that cybercriminals can inflict is also growing. A study by computer giant IBM, conducted by the Ponemon Institute, found the average cost of a data breach in 2018 was $3.86m, a 6.4 percent increase from 2017.
In some cases, cybertheft can be many times more costly. Internet giant Yahoo had to shave $350m off the offer price of its core business when it sold the venture to Verizon in 2017. After the deal was first announced, Yahoo disclosed that it had discovered data breaches in 2013 and 2014 affecting billions of user accounts.
The perpetrators of the attacks on Yahoo sent users emails encouraging them to click on links that opened the door to names, dates of birth, passwords and other confidential data. Such so-called phishing attacks have successfully targeted online users for more than a decade, and continue to be used.
The nature of cybercrime is changing, as well.
High-profile attacks using the WannaCry and NotPetya viruses in 2017 resulted in hundreds of thousands of users being locked out of their own computers. The perpetrators demanded financial payments in return for unscrambling hard drives. Organisations like the UK’s National Health Service and US logistics group FedEx reported hundreds of millions of dollars in lost productivity or damages as a result of the attacks.
But accurately quantifying the full impact of such events can be hard.
“I’d say we’re moving to a place where more companies are aware that they can be hit and accept the risk but find it difficult to quantify what that risk means to them,” Andrew Mahony, Aon’s Asia regional director for commercial risk solutions, told Al Jazeera.
Often companies lose business because potential customers worry about the safety of their data after an attack, something analysts call reputational damage.
Fong Choong Fook, CEO of the Asia Cybersecurity Exchange, an incubator for startups in the specialised field, says many firms underreport the full impact of cyberattacks.
“A lot of the time, the client’s main concern is not so much on just financial losses,” Fong told Al Jazeera. “If they make certain announcements about their losses, they incur more losses in terms of their image and trust from their customers.”
And he says cybercriminals are becoming indiscriminate.
“Hackers used to be very targeted. But today hackers are just basically leveraging off ransomware, and from housewives to corporate CEOs, all of them are just targets,” Fong said.
Aon’s report says the growth in the number of connected conferencing systems, printers, security cameras and other objects – the Internet of Things – has created more ways for hackers to access sensitive data. These devices tend to be less secure than the servers and computers that form the backbone of a firm’s IT infrastructure.
Another weakness can be a company’s own employees. Aon cites a recent survey of cybersecurity professionals which found that 53 percent reported their organisation had experienced an insider-related attack within the past year, either accidentally by clicking on phishing links or through malevolent behaviour.
Companies and governments in the US and Europe have spent billions of dollars on boosting their cyberdefences. But analysts say Asia remains a global weak spot in terms of implementing and coordinating legislation among countries. Corporate investment is also below Western levels.
Taiwan Semiconductor Manufacturing, a supplier of chips for Apple’s iPhones, suffered an attack in August by a variant of the WannaCry virus, while dozens of Asian hospitals were also hit.
A survey of 1,300 businesses across Asia last year by consultancy firm Frost & Sullivan for Microsoft suggested that the potential losses from cybersecurity breaches could reach $1.75 trillion, or around seven percent of the total size of the region’s economy.
Even critical infrastructure such as power plants, transport and water systems in parts of Southeast Asia could be vulnerable to cyberattacks, according to one study.
But Asia is also increasingly being used to launch attacks elsewhere. A report by US consulting firm AT Kearney points to Malaysia, Indonesia and Vietnam as global hotspots.