Underinvestment in tackling cybersecurity threat is aggravating risk across the region
The Philippines needs to spend US$22.8 billion between 2017 and 2025 to be in line with global best-in-class countries and stay ahead of the curve
Companies across the Association of Southeast Asian Nations (ASEAN) bloc face growing risk of cyberattacks, which could expose the region’s top listed firms to a $750 billion erosion in current market capitalization, according to new research commissioned by Cisco.
The research, conducted by global management consulting firm A.T. Kearney, stresses that ASEAN’s growing strategic relevance, driven by economic expansion and ongoing digital adoption, make it a prime target for cyberattacks.
A combination of nascent policy preparedness, absence of a unifying regional governance framework, shortage of skilled talent, underestimation of risk and lack of adequate investment are among the factors that are contributing to the heightened risk.
The research report, titled Cybersecurity in ASEAN: An Urgent Call to Action, emphasises that cybersecurity risk across the bloc will continue to escalate as the bloc gets more digitally interconnected. Diverging National priorities across ASEAN countries and varying paces of digital evolution will foster a pattern of sustained underinvestment.
ASEAN countries are underspending on cybersecurity. The region currently spends an average of 0.07% of its collective GDP on cybersecurity annually. It would need to increase the spending to between 0.35 and 0.61% of GDP between 2017 and 2025, to be in line with the best in class benchmark The research estimates that this translates to $171 billion in collective spend needed across ASEAN countries during the period. Limited sharing of threat intelligence, often because of mistrust and a lack of transparency, will lead to even more porous cyber defence mechanisms.
Naveen Menon, President ASEAN at Cisco said: “Digital innovation and adoption are central pillars of economic growth for ASEAN. Its success hinges in large part on the bloc’s ability to combat the cyber threats. Cybersecurity needs to be an integral part of policy discussions at the semi-annual ASEAN Summit, with the aim of developing a unified policy framework for the region. The corporate sector also needs to start treating cybersecurity as a business-wide issue that can only be tackled by adopting a risk-centric approach to building resilience, rather than just an IT problem.”
The Philippines only spent approximately 0.04% of its collective GDP on cybersecurity in 2017, lacking behind global standards and best in class markets. It needs to spend $8.8 billion between now and 2025 to be in line with the average benchmark for mature markets like the US, UK and Germany. To match the global best-in-class, Philippines needs to spend $22.8 billion during that period.
Enri Rodriguez, Country Manager for Philippines at Cisco, said: “the Philippines is among the countries most prone to cyberattacks in Southeast Asia. The country’s ability to tackle these threats will be a crucial factor in safeguarding its future economic growth. The government has outlined its approach in the recently released National Cybersecurity Plan 2022. What is needed now is for all stakeholders to work together and build the country’s cybersecurity capabilities. This includes strengthening infrastructure, fostering R&D capabilities, boosting local cybersecurity industry and developing a pool of cybersecurity professionals.”
The cybersecurity threat landscape is evolving rapidly due to the following additional factors:
Emergence of new technologies such as the Internet of Things (IoT). The end points in an IoT network often tend to be unsophisticated devices such as household gadgets, making it easier for attackers to hack the network. IoT attacks are already prevalent in Asia.
In 2016, 60% of all IoT-based attacks originated from Asia, most likely because of the historically vulnerable profile of products in Asian markets.
A global trend of shortage of skilled and qualified cybersecurity professionals is mirrored across ASEAN. This is particularly true in the Philippines, where there is a significant shortage of Certified Information Systems Security Professionals (CISSP). According to (ISC)2, the administering body of the (CISSP) certification, the Philippines has 84 certified professionals compared to 107 in Indonesia, 189 in Thailand and 275 in Malaysia. The number is significantly lower than the US, which has around 67,000 certified security professionals.
Inadequate expertise in cybersecurity support sectors, such as cyber insurance, where effective frameworks and knowledge are needed to accurately assess the value at risk. Nikolai Dobberstein, Partner at A.T. Kearney and lead author of the report, said: “As our technological landscape changes and new threats emerge, it’s never been more important for countries, governments, and the public and private sectors to come together and collaborate to share best practices. Cybersecurity is something that impacts us all, and particularly in ASEAN, where countries have strong ties to one another. We can only be as strong as our weakest link.”