Deloitte’s Cyber Risk Team Reveals Key Methodology For Cybersecurity In Financial Sector

Kenanga Research (Kenanga) recently invited Deloitte Malaysia’s Cyber Risk Team in order to understand the key methodologies the team applies with regard to cybersecurity.

The team was developed during the early phases of internet banking and has observed several key developments in the domestic markets, particularly the establishment of the RMiT framework by Bank Negara Malaysia.

According to surveys conducted, Deloitte gathered that cybersecurity threats mostly originate from external individuals and organised groups. Motivations vary: attacks may be driven by monetary objectives, by the sale of private information for profit, or purely by malicious intent. Internal parties still pose a threat, which could involve assailants with deep knowledge of the infrastructure or security systems within the organisation.

“The majority of materialised attacks appear in the form of phishing, malware or ransomware. These are a form of cyberattack typically disguised as a deceptive email or link that affects its targets by compromising its system integrity to extract data for unauthorised use or with threats to expose such data unless a ransom is paid. Denial of service is also one of the more common cyberattacks which disrupts access and functionality of a computer system or online service,” said Kenanga.

The ramifications of a successful attack may vary but it is found that disruption of service is the key concern as it could extend to material financial losses if a company is unable to execute and deliver on its key protocols, primarily those time-sensitive in nature. Greater safety concerns from customers could also undermine a company’s reputation and translate to longer term challenges.

It is fair to expect that a corporate's strength in dealing with cybersecurity issues stems from the tone set by its leaders and depends on the focus and resources allocated. Corporates that do not view these concerns as serious are more likely to under-invest in cyber safety, rendering their organisations more vulnerable. There is also the nuance that corporates, though keen on reinforcing their cybersecurity framework, may lack an in-depth understanding or knowledge of the matter.

During the sharing session, Deloitte presented its Cyber Capabilities Model, in which it identified key considerations for financial institutions in addressing their cybersecurity risks and framework. Deloitte groups these into four categories:

1/ Strategies to manage cyberthreat risks (Governance) to ensure that the organisation has a clear direction of travel with respect to cyber security, and that the necessary structures and rules are in place to maintain and enhance the organisation’s cyber security capabilities.

2/ Building preventative capabilities and processes (Secure) such as proactive protection against cyber-attacks before they occur by identifying, implementing and enhancing the controls that safeguard the organisation’s resources.

3/ Pro-active measures against transpiring cyberthreats (Vigilant) or the ability to discover internal and external threats by leveraging on threat intelligence and working pro-actively to mitigate and minimise any adverse impact to the organisation.

4/ Responsive, recovery and resolutive measures (Resilient) to minimise any adverse impact of occurred cyberthreats. This also extends to accepting that it is a question of when, not whether, organisations will be attacked.

On the other hand, there is additional equity offered by having a mature foundation for cybersecurity. Kenanga opines that the value acquired has more to do with instilling a stronger culture, as merely investing in heavy capabilities does not guarantee an impenetrable framework. Greater confidence here is also thought to trickle into other aspects of a business, as Deloitte’s recent survey has shown below.

“Given that cybersecurity is not a new issue, corporates have been able to progressively identify gaps in their operating framework as well as to allocate resources in tackling these issues. On that matter, we do understand that there could always be a need to do more but a balance should be sought as to not “over-invest” into capabilities with fewer additional benefits,” said Kenanga.
