Survey shows Malaysian critical infrastructure providers
need to be more aware and engaged in government protection programmes.
MOST of us today have our whole
lives in our handphone or that thumbdrive.
This, says security firm
Symantec, does not only make us vulnerable to cyber attack, but it also leaves
our employer and the company we work for open to danger.
Information now is the main
target of cyber attacks, says Ilias Chantzos, Symantec’s senior director of
government affairs (Asia Pacific & Japan, and Europe, Middle-East &
Africa).
“The purpose of most cyber
attacks now is to collect intelligence, so being able to protect information,
and its interactions, is key for any organisation,” he highlights.
Unfortunately, he adds, “What
we do in our private lives is merging with corporate lives.
“It is now getting more
difficult to separate the personal and professional digital zones – we keep our
valuable personal information and important work data in the same place or
device.
“Someone targeting a corporation
may choose to target a staff who has a lot of personal information online as
well as access to a lot of important corporate information.”
Data security is most relevant
to Malaysia, which like many countries in the Asia-Pacific region, is rapidly
and aggressively adopting technology, Chantzos points out.
It is especially important for
companies in the critical infrastructure sectors such as finance,
telecommunications, public services, energy, healthcare, manufacturing and
transportation, he adds.
According to Symantec’s 2011
Critical Infrastructure Protection (CIP) Survey, Malaysia has a high
participation index in CIP programmes at 83%.
However, only 52-61% of the
critical infrastructure companies in Malaysia feel ready to withstand cyber
attacks.
Government responsibility
CIP is a nation’s preparedness
to respond to serious incidents involving its critical infrastructure, and a
disruption to one of the systems in the different sectors can seriously impact
the other sectors.
As CIP programmes are policy-based,
it is the Government who is responsible for ensuring that the providers of
critical infrastructure are educated about the CIP programmes conducted and are
prepared to respond in the event of an emergency.
In Malaysia, the CIP programmes
are under the purview of CyberSecurity Malaysia.
The survey nonetheless shows
that many (34% of respondents) do not feel engaged with the government’s CIP
programmes, while 36% said they were “neutral” or “had no opinion” on such
initiatives.
The survey also indicates that government CIP
programmes are relatively new to many companies in Malaysia, with only 17%
responding that their company has been engaged with their country’s critical
infrastructure plans for one to two years and 11% responding that their
engagement has lasted more than two years.
The findings were part of
Symantec’s annual global survey which polled 3,525 enterprises in some 37
countries worldwide – 1,900 small to midsize businesses and 1,625 enterprises –
out of which 150 respondents were from Malaysia.
This is the first time the
survey was conducted in Malaysia.
Less prepared
The Malaysian findings were
consistent with the global findings, says Chantzos, which revealed that 36% of
the respondents were less aware and not as engaged with their respective
national CIP programmes compared with 55% last year.
Another 26% said they were
“neutral” or had “no opinion” of their government’s CIP programmes, compared
with 42% last year.
Organisations also felt less
prepared and indicated that their readiness to respond in an emergency had
dropped by 8% compared with last year.
Chantzos feels the decline in
awareness indicates a worrying trend, particularly in light of the recent
‘Stuxnet’ and ‘Duqu’ virus attacks on critical infrastructures.
It has the potential to do very
real harm, he warns.
Chantzos believes the rise of
information security attacks in 2011 has caused the decline as companies
struggle to deal with these attacks instead of focusing more on CIP programmes.
Also, companies are now
slightly less willing to cooperate with CIP programmes than they were one year
ago (57% versus 66%), he adds. Similarly, Malaysian companies showed less
willingness (54%) to cooperate.
Chantzos opines that this is
due to the constant fire-fighting they have been forced to undertake, which has
inadvertently diverted their resources toward the management of the threats and
dealing with day-to-day operational issues, rather than focusing on more
strategic, long-term objectives in securing their infrastructure and working
with their respective governments.
“Still, it’s understandable
that every critical infrastructure provider has finite resources, limited
manpower and money, especially in today’s economic environment, so they are
limited to what they can use to solve the problem,” he notes.
Standalone systems
To ensure that they can remain
resilient against cyber attacks, the critical infrastructure providers need to
develop and enforce IT policies as well as automate all compliance and
processes.
“They should also manage
systems by implementing secure operating environments,” he adds.
“This includes having
standalone systems free from any connectivity to the Internet, and the
isolation of systems from any portable memory or disk devices.”
As for governments, Chantzos
says, it is also crucial that they continue putting forth the resources to
establish CIP programmes as well as foster better partnerships with industry
associations and private enterprise groups to raise awareness of CIP plans.
Ultimately, adds Chantzos,
governments also need to stress that security is not enough to stay resilient
in the face of today’s cyber attacks.
Governments should encourage
companies to take a more information-centred approach to protecting themselves
against cyber attacks.
“They should emphasise to
critical infrastructure providers and enterprises that their information be
stored, backed up, organised, prioritised, and that proper identity and access
control processes are in place,” he says.
HARIATI AZIZAN
sunday@thestar.com.my