– Potential US$145 billion in GDP growth for Asia in the next decade with effective management of cyber risks
– Singapore tops list of 11 other Asian economies as the most prepared country on the Cyber Smart Index despite being most exposed to cyber risks
Asia’s thriving digital economy and the recent surge in workforce mobility across the region are exposing businesses to an increasingly ‘perfect storm’ for cyber-attacks, according to the Deloitte Cyber Smart: Enabling APAC businesses report, commissioned by VMware, a leading innovator in enterprise software. Analyzing cyber exposure, preparedness and economic opportunity across 12 economies in Asia Pacific (APAC), the report found that there is opportunity to grow GDP by US$145 billion for the entire region over the next 10 years if enterprises adopt an intrinsic security approach that ensures business continuity while driving greater adoption of new technologies.
According to other reports, cybersecurity expenditure in Southeast Asia was estimated at US$1.9 billion in 2017 and is projected to grow to US$5.5 billion by 2025. Yet, cyber-attacks remain a key threat to organizations in the region. Further, almost half of the businesses in APAC experienced security attacks in the past 12 months[2]. A study noted that 63 percent of organizations suffered from business disruption due to a security breach[3].
Companies are paying the price too, with the report[4] indicating that the effects of cyberattacks are becoming more expensive – large organizations with more than 500 employees in APAC may stand to lose as much as US$30 million in the event of a cyber breach; for mid-sized organizations with 250 – 500 employees, the cost is at least US$96,000.
“As the digital economy continues to grow in each country, so too does the exposure to cyberattacks. Being appropriately prepared can mitigate the risks to organizations and minimize the potential costs of an attack. Based on what we have seen in the region, businesses with an established cyber security strategy in place have confidence to invest in new technologies which can lead to higher levels of capital investment and productivity growth,” said Duncan Hewett, Senior Vice President and General Manager of Asia Pacific and Japan at VMware.
“The challenge for policy makers is to build a comprehensive legislative framework and environment that protects businesses from cybersecurity risks whilst allowing them to innovate and maximize the potential of digital technologies. We see interest from government, business owners, and vertical experts in building a cyber smart Asia Pacific that we estimate can unlock as much as 0.7 percent or US$145 billion additional GDP growth for the region over the next ten years,[5]” said John O’Mahony, Partner and lead author of the research from Deloitte Access Economics in Australia.
VMware-Deloitte Cyber Smart Index 2020[6]
The VMware-Deloitte Cyber Smart Index 2020 examines the level of cyber risk exposure faced by countries in the region, and the degree of cyber preparedness. Focusing on the inherent exposure to cyberattacks, the Index looks at the size of attack surface, the frequency of attack and value that is at risk.
Within the preparedness measure, the Index looks beyond legal and policy environment to examine what businesses can do to be better prepared for the growing cyber risks. Key findings include:
- Singapore tops the Index as the most prepared country in APAC, scoring consistently high across all measures of preparedness, with sound legal and organizational awareness despite being the most exposed country in APAC with the highest rate of ICT penetration.
- Japan has the 3rd highest exposure to cyber risk and 2nd highest preparedness in APAC. However, anecdotal industry perspective is that organizational preparedness could be improved.
- Australia ranked as the 3rd most prepared, and 4th most exposed to risk in the region. Australia particularly has strong cyber legislation, education and R&D.
- South Korea performs relatively well in preparedness, with high rates of R&D and response time for cyber threats. The pervasive use of technology by business and government exposes the country to substantial cyber risks.
- Malaysia is ahead of its peers with a similarly low level of exposure due to strong regulatory cooperation and a comprehensive privacy regime despite less impressive relative organizational capability.
- Thailand ranks 8th in preparedness and 9th in exposure, but the country has one of the highest cyber-attack rates in APAC, driven in part by the growing use of online devices and interest in cryptocurrencies which has increased Thailand’s exposure to risks.
- Indonesia ranks lower than its ASEAN counterparts despite its large economy and increasing digitalization, largely because of its small services sector. The country’s exposure is likely to grow in the coming years.
- Vietnam, despite a low ranking in exposure (11th), experiences the highest frequency of cyberattacks. The lack of comprehensive legislation to deal with data security and privacy means the country is underprepared for cyberattacks.
The role of governments
Cyber security executives currently spend 7 percent of their time on regulatory and compliance, and twice the amount of time on cyber monitoring and operations[7]. A safer and low risk cyber environment can help to redirect their attention to more critical cyber domains. Governments across the region have a range of tools to help organizations better prepare for cyber threats and get their digitalization projects back on track:
- Leading by example
Governments are the fastest growing spenders on security in the region[8]. With critical digital services increasingly central to governments around the region, spending alone is not sufficient. Lawmakers should consider broader governance structures that support any cyber strategy from transformation to compliance to talent recruitment.
- Regulatory harmonization
Cybercrimes can originate from any part of the world and are often difficult to investigate and prosecute. Regulatory harmonization between sectors facilitates proactive cyber security strategies that contribute to stronger preparedness across the region, and ultimately lead to greater enforcement of local laws—even in foreign jurisdictions.
Government procurement practices have an influence on the broader private sector. By implementing minimum cyber security criteria, there is an opportunity to identify potential flaws in the sourcing process and reduce overall costs of responding to a cyberattack.
Regional variation increases the regulatory burden on businesses operating in the region. Reporting regulation must ensure companies operate under the best standards of data protection without imposing burdensome restrictions on their day-to-day operations.
- Developing skills
APAC represents the largest regional skills shortage in the world with 2.6 million fewer workers than required[9]. In comparison, the second largest shortage is found in Latin America, which requires another 600,000 workers. This presents a tremendous opportunity to implement specialized cyber security training, both for those entering higher education and for those retraining or upskilling.
Intrinsic security, a must-have for a progressive society
A secure digital economy is a joint responsibility between private and public sectors. For enterprises, this means that the traditional approach of bolted on security is no longer enough, especially when applications are now deployed across multiple clouds and accessed from many different devices across various locations.
“The unprecedented demand for a mobile workforce set against the backdrop of Southeast Asia’s fast-growing digital economy marks a key turning point for organizations in the region. In this new paradigm, organizations must make security intrinsic to the enterprise to enable business continuity and success,” said Sanjay K. Deshmukh, vice president and managing director, Southeast Asia and Korea, VMware. “To this end, VMware is delivering intrinsic security that covers all the critical control points of the modern enterprise, making security more automated, proactive and pervasive. This helps safeguard organizations from threats and disruptions, giving them the confidence to drive their business forward into the digital future.”
By making security intrinsic, organizations will be able to shrink the attack surface, instead of chasing threats, gaining an advantage over potential attackers. This is also in line with VMware’s intrinsic security vision which harnesses VMware technology that resides in the infrastructure stack to deliver security across any app, on any cloud and through any device. With intrinsic security, VMware can reduce the risk to critical applications, sensitive data, and users by shrinking the attack surface across clouds, data centers, end users, and the enterprise edge, allowing organizations to put in place more effective cyber security strategies to support their growth in the region’s fast-expanding digital economy.