Hang on to your hats: cyber security for 2022 will be a particularly challenging issue for companies in the Asia-Pacific (APAC) region.
Last year’s cyber-attacks – including ransomware attacks on a Singaporean eye clinic and AXA's Asia Division (covering Thailand, Malaysia, Hong Kong and the Philippines) – have put APAC companies on notice.
These companies have largely increased spending on cyber security, due to these attacks and a convergence of other trends that have impacted the APAC security landscape. Beyond the documented rise in cyber-attacks (a 168% year-on-year increase as of May 2021), the regional business sector also faces accelerated digitalisation, higher migration to the cloud, and the rapid transformation of security technologies and techniques.
An IDC study found regional investment in security-related products and services growing at a rate of 14.1% (CAGR), with spending expected to reach US$ 39 billion by 2025.
The lessons learned in 2020 and 2021’s “new normal” in cyber security will likely influence how businesses react to the coming year’s nascent trends. Some threats loom larger on the horizon than others; we’ve summarised the ones we feel most enterprises should prepare for, and explained how they may yet be mitigated or addressed through 2022.
The past few years have seen the increasing convergence of information technology (IT) and operational technology (OT) in heavy industry: for instance, edge computing that empowers automation on the factory floor; or digital twins that virtually recreate new products or processes.
This convergence has unfortunately opened gaps in cyber security that malicious actors have not hesitated to exploit. Blended IT/OT systems have widened the attack surface, with industrial control systems (ICS) being a favourite target by transnational hacker groups.
“Essential state infrastructures like power grids and nuclear reactors have been and will continue to be a target of cyber attacks because modernization allows internet connectivity, which makes them vulnerable,” Kim Seungjoo, a professor at Korea University’s School of cyber security, told Bloomberg. “It’s almost a natural instinct of hackers, especially the state-sponsored ones, to attack energy infrastructure because they can easily disrupt national security.”
To combat this threat, enterprises need to deploy a coordinated combination of tools and specialist teams, providing round-the-clock cyber defence that can immediately repel OT attacks.
T-Systems’ IT/OT SOC from Magenta Industrial Security, for instance, provides end-to-end security for IT and connected production systems, combining 24/7 value chain protection with advice from experienced IT and OT security experts.
As reliance on third-party vendors continues to grow, businesses now must also think about their partners’ cyber security vulnerabilities on top of their own. The alternative – avoiding all third-party relationships altogether – is completely impractical, given the substantial business value such partnerships often deliver.
According to a 2021 SecureLink / Ponemon Institute study, third-party contractors with remote, privileged access to organisational IT systems have inadvertently become a major cause of data breaches; 44% of organisations reported a third-party breach in the past 12 months, and 74% of these respondents confessed they had given up too much privileged access, leading to the breach.
For 2022 and beyond, organisations must put vendor assessment at the top of their cyber security priority list. Outside partners should be vetted according to their network access, security procedures, and interactions with the business. Companies lacking this risk visibility on current third-party ecosystems should expect to experience increased loss of productivity, monetary damages, and damages to one’s brand reputation.
Third-party partners’ identity and access can be managed by access management solutions like TeleSec One Time Pass that securely authenticate users; and zero trust" solutions like Private Access Protect Pro that allow applications in the cloud to be used individually by authorised users, without the need to grant access to the company network.
Google CEO Sundar Pichai has warned that quantum computers will be able to break standard encryption methods within as little as five years, a conclusion shared by over 70% of decision-makers in a recent DigiCert survey.
Much of the progress is happening within the APAC region, particularly in China, the front-runner in the “quantum race” based on recent research. Developing the world’s most powerful quantum computer, beating distance records for transmitting quantum data, and new techniques for solving problems using “qubits” (quantum bits) have put Chinese quantum research leaps and bounds ahead of their Western counterparts.
Cryptography for a post-quantum world is still a work in progress, far behind most developments in quantum computing. Among other developments, the U.S. National Institute of Standards and Technology (NIST) is expected to announce new post-quantum cryptography (PQC) algorithms to replace quantum-crackable RSA and ECC encryption algorithms – but this isn’t expected to be fully published till 2024.
Companies can’t wait till 2024 to assess their need and capacity for PQC and quantum-based tech that can minimise the possibility of security breaches. Regional researches are solving for this problem, too, including Singapore’s Quantum Engineering Programme (QEP), working with T-Systems as a partner to develop quantum-based cyber security solutions like quantum key distribution (QKD), which uses quantum physics to generate a cryptographic key that secures the transmission and retrieval of data.
The law is catching up on the protection of user data. In 2022, more jurisdictions worldwide are expected to pass privacy laws, following the example set by the European Union and its General Data Protection Regulation (GDPR).
Singapore’s Personal Data Protection Act (PDPA), Brazil’s General Personal Data Protection Law (LGPD), and the U.S.’s California Consumer Privacy Act (CCPA) have followed in quick succession. Gartner estimates that by the end of 2023, modern privacy laws like these will cover the personal information of 75% of the world’s population.
As 2022 gets going, companies will need to manage data protection legislation in their respective jurisdictions. If their operations cross borders, their company’s compliance will need to cover all the countries where they collect and use user data. The growing number of national privacy regulations will put multinational organisations under pressure to implement proactive data governance policies and infrastructure.
These companies can turn to trusted partners like T-Systems, who offer operations and performance advisory services that balance compliance with performance: supporting the establishment of regulatory frameworks and impact assessments, and disclosing their data collection and use to both government bodies and to their customers.
Many businesses expect 2022 to be a time for consolidation and implementation of the lessons of the past years. Hard-earned lessons about remote work, cloud security, access management and third-party security will be put into practice in the year ahead – even as new, unforeseen issues offer us new lessons to learn.
Barring unpredictable black swan events, 2022’s cyber security landscape can be anticipated and prepared for. You’ll be better off with the right advice (and the right cyber security partner) at your side; that way, 2022’s events may catch you by surprise, but never off your guard.
