APAC security chiefs expect imminent attack on critical systems

Most cyber security leaders in the Asia-Pacific (APAC) region believe that a major, successful cyber attack on critical infrastructure in their country, or multiple countries, is imminent, a survey has found.

According to the survey conducted ahead of Black Hat Asia in Singapore, 52% of nearly 100 respondents either “strongly agree” or “somewhat agree” that such an attack would happen in their own country in the next two years.

An even greater proportion (67%) believed that an attack affecting critical infrastructure across multiple Asian countries will happen in the same period.

As in Black Hat surveys conducted in the US and Europe, security professionals in the study were concerned that recent incidents in their region might indicate that a major breach of critical infrastructure is forthcoming.

Past attacks in the Middle East and Asia had spanned damage to industrial control systems, data theft for surveillance purposes, and hacking of computers used to support critical infrastructure in Asian countries.

APT37, the North Korean cyber espionage group, for example, had already expanded its operations beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to more industries including chemicals, electronics, manufacturing, aerospace, automotive and healthcare, according to research by FireEye.

Another campaign, reported by researchers at Nyotron, was focused on stealing data from industrial control systems in the Middle East for the purpose of conducting surveillance.

The gloomy threat landscape had led 23% of respondents to believe that cyber espionage by large nation states poses the greatest threat to APAC’s critical infrastructure, followed by potential attacks by organised crime groups (21%).

IT and cyber security managers in APAC were also more concerned about sophisticated attacks aimed at their organisations than any other threat, followed by social engineering exploits and polymorphic malware that evades signature-based defences.

The Black Hat Asia survey also threw up some surprises. For example, only 19% identified ransomware and other forms of online extortion as a top current concern in two years despite heightened publicity around the topic. Paradoxically, 38% of respondents pointed to the rapid increase in the use of ransomware as the top threat in the past year.

Like their counterparts in the US and Europe, APAC cyber security leaders were not confident of their ability to deal with looming threats. More than half of them said they were either a little under budget or severely ham­pered in their ability to fight threats because of a lack of funds.

The shortage of security staff had also made it harder to fend off current threats as reported by 58% of respondents. Out of those, 17% admitted they were completely underwater; 3% said they had no staff; and 38% said they could use a little additional help.

Exacerbating the skills shortage issue was the finding that security professionals in APAC were more willing to job-hop than their counterparts in the US and Europe. According to the survey, over half of cyber security professionals in the region said they were either actively looking for a new job or open to it.

Across the region, nearly 40% said users who violated security policies or fell prey to phishing and social engineering scams had kept them up at night. Compliance with privacy rules such as the Asia Pacific Economic Cooperation (APEC) Privacy Framework was also one of the top items in their security budgets and daily activity lists.

However, 30% of respondents viewed the APEC framework as having created more work for them. Only 16% thought the framework had improved consumer privacy, while 14% said it had not. Besides complying with local data protection laws, many respondents also have compliance obligations under the European Union’s General Data Protection Regulation.