What’s Trending Across Asia in the Data, Privacy and Security Space?

King & Spalding

[Co-Author: Shanty Priya]

As we live and work in an increasingly globalized and computerized world, data, privacy and security (DPS) issues will converge across regions. Asia, however, faces some unique challenges of its own, which we discuss below.

In an interconnected world powered by digital technology, it is imperative that organizations put security measures in place to prevent or reduce the likelihood of cyber-attacks. This is even more so for organizations operating in Asia, as Asia emerged as the most targeted region for cyber-attacks last year and continues to face cybersecurity challenges in 2022.¹ This reflects some of the region’s comparative weakness by global standards in the areas of cybersecurity and data protection. Consequently, there is an increasing need to raise awareness so that organizations prioritize cybersecurity. In doing so, organizations should keep up to date on the key challenges in cybersecurity and data protection.

We look below at four trending issues in the DPS space in Asia today:

I. Data Privacy Challenges Across the Region

Many companies now regularly use data such as personal details and electronic transactions to provide personalized digital services. This creates an opportunity for hackers to steal an individual’s private data when organizations fail to properly secure such data. As a result, many countries have legislated protection of personal data. In Asia, the differences in the application of privacy laws pose difficulties for businesses, especially when they operate in multiple markets/jurisdictions (which is increasingly common).

While this is a complex and ever-changing landscape, some of the key differences in data privacy laws across Asia can be summarized as follows:

  • Scope: Only 5 countries in the region presently have extraterritorial provisions in their privacy laws: Australia, Japan, New Zealand, Philippines and Thailand.

  • Cross Border: 70% of countries in the region impose restrictions on cross-border transfer of personal data. However, the restrictions differ depending on consent, adequacy, and binding corporate rules. Countries that presently do not restrict cross-border transfer of personal data are Hong Kong, Nepal, Indonesia, and Taiwan. Notably, the only country that has been found to be adequate by the EU with respect to cross-border transfer of personal data to date is Japan.

  • Breach notification: 10 countries in the region presently require notification to be made when there is a breach. Some countries require the notification to be made “without delay” or “promptly”, whilst others set a specific timeline (e.g., within 72 hours in the case of the Philippines, Singapore, and Thailand).

  • Registration: Though the trend across the world is to minimize registration requirements, there are still five countries in Asia that require businesses to register processing activities with a data protection authority (Malaysia, Philippines, Macao, Uzbekistan and Kyrgyzstan).

  • Enforcement: Enforcement is key to ensuring that privacy laws are complied with. Without enforcement, the privacy laws enacted are often regarded as just a paper exercise. Yet only two countries in the region, Korea and Japan, have so far been visibly aggressive in carrying out inspections and prosecuting businesses that fail to implement proper security measures, often resulting in fines and/or corrective measures.

II. Phishing Attacks on the Rise

Phishing attacks are the most common type of cyber-attack, as humans are commonly considered the “weakest link” when it comes to cyberattacks or breaches. Attackers exploit human vulnerabilities through a variety of scams, including automated phone calls, social networks, SMS messages and email links. Kaspersky reported that a total of 11,260,643 phishing links were blocked by its Anti-Phishing system in a year in Southeast Asia.² Most of the phishing emails were blocked on devices of Kaspersky users in Vietnam, Indonesia and Malaysia. These numbers are likely far from the reality of the actual landscape, as they relate only to emails picked up by a particular system across a few countries in Asia.

The General Manager for Southeast Asia at Kaspersky, Mr. Yeo Siang Tiong, considers that the approximately 11 million phishing attempts in a year in Southeast Asia are just the tip of the iceberg, especially with email being the main form of communication at workplaces. Mr. Yeo explained that with all the critical data being sent via email, cybercriminals can be expected to see it as an effective and lucrative entry point:³

“An unfortunate example is the $81M Bangladesh Bank Heist in 2016 which was made possible by a single, successful targeted phishing attack. Enterprises in the region should carefully look into holistic and in-depth cybersecurity technologies to beef up the security of their highly critical mail servers.”

There are many ways in which organizations can protect themselves from the increasing occurrence of such attacks. While a full discussion is beyond the scope of this article, employees play a vital part in ensuring that an organization’s data privacy and cybersecurity are safeguarded. Employees are the first line of defense in preventing cybersecurity threats. Thus, it is crucial for employees to be well-informed and educated about potential cyber threats so that they are able to make the right decisions when faced with a phishing scam.

III. Quicker Detection of Data Breaches

Detecting a data breach quickly is imperative to minimizing loss of data. The longer a breach goes undetected in an organization, the more time hackers have to move across the system and steal data, as well as to mount potential follow-up attacks.

M-Trends has reported that threat detection has become faster over the past year.⁴ This acceleration was mainly driven by the Asia Pacific region, which saw the median time taken to detect a cyberattack drop significantly from 76 days to 21 days. A majority of these cyberattacks were detected by third-party sources. This shows that detection of data breaches may be swifter if an organization hires a third-party provider who has the resources and knowledge to manage cybersecurity and information sharing between organizations.

IV. Cybersecurity Challenges Arising From Remote Working

The shift to remote working, which has endured beyond the peak of the pandemic, has significantly increased cybersecurity incidents. Because the shift was sudden and driven by the pandemic, many organizations were not prepared for cyberthreats in this online work landscape. Hackers saw this as a window of opportunity, where cybersecurity protocols were weakened or absent.

With a distributed workforce working remotely, employees have to pay more attention to cybersecurity threats themselves. Employees tend to use their mobile devices to carry out work, and these devices often do not offer the same level of protection against cyberattacks as, for example, a work-issued computer or laptop. As a result, sensitive company data carried on these devices may be more susceptible to attack. Organizations need to educate staff on the importance of following good cybersecurity practices and on the common types of threats.

Some tips to ensure that employees work from home safely:

  • Only use a home network that is secured by a password to carry out work;

  • Avoid using public Wi-Fi to carry out work;

  • Use a VPN;

  • Be well informed on the different forms of social engineering and phishing;

  • Use secured collaboration tools; and

  • Be familiar with the organization’s security protocols.

It is evident from the four trending issues above that, although we live and work in an increasingly globalized and computerized world, Asia has some of its own unique challenges in the DPS space today. These will present new challenges for clients across the spectrum of business activities.

1 According to IBM Security – with financial services and manufacturing organizations experiencing nearly 60% of attacks; see, “IBM Security lists Asia as most attacked region”, TechWire Asia, 28 February 2022, Rebecca Oi.

2 See, “Over 11 million phishing emails blocked in Southeast Asia”, TechWire Asia, 9 June 2022, Aaron Raj.

3 See above.

4 See, “M-Trends 2022: Cyber Security Metrics, Insights and Guidance From the Frontlines”.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
