KUALA LUMPUR: Businesses are still not prepared for rapid recovery after a cyber-attack despite making good progress in developing prevention and response programmes, said KPMG.
The professional financial services firm stressed the need for appropriate recovery capabilities after every attack to minimise the disruption to the business.
“When an attack strikes, the initial 72 hours are critical to grasp the scope of the attack. Businesses tend to underestimate the effort it takes to address the initial impact on operations and costs immediately after a cyber-attack.
“Too many organisations wrongly assume that recovery will require several weeks to return to business as usual when the reality is that it may take several months or more,’’ said Ubaid Mustafa Qadiri, the head of technology risk and cyber security at KPMG Malaysia, in a statement.
Ubaid said recovery measures to restore operations also require a precise assessment to determine that the initial underlying threat has been eliminated.
“This can become a complex task amid the immediate need for response measures that include shutting down internal systems and key elements of the business network, along with rushed policy changes,” he advised.
He said this is particularly critical in the operational technology (OT) domain, where physical processes are typically involved.
“Businesses engaged in manufacturing, mining, oil and gas, utilities, and transportation rely heavily on OT to connect, monitor, manage and secure their industrial operations.
“OT security is becoming vital today as OT is integrated with information technology (IT) to create IT/OT convergence. Because IT and OT networks can no longer be separated, attacks on IT affect OT and vice versa,’’ he noted.
He highlighted that the KPMG Cyber Trust Insights 2022 report, which surveyed 1,881 executives globally, also revealed that “chief information and security officers (CISOs) are optimally placed to help their organisations navigate these challenges.”
“However, many are struggling to fulfill them as they still lack a clear mandate to protect their organisations and data,” KPMG said.
About 73 per cent of businesses in the Asia-Pacific said their CISOs do not have the influence they need to protect their firms fully, while 63 per cent from the region said that information security is seen by their organisations as a risk-reduction activity, rather than a business enabler.
Fifty-five per cent said that senior leaders do not understand the competitive benefits that are possible due to enhanced trust that is enabled by better information security.
“Investing in appropriate protection is the cost of doing business today,’’ he said.
There were high-profile cyber incidents reported in Malaysia last year involving large-scale data thefts and leaks, including the theft of the personal data of 22.5 million people from the National Registration Department (NRD) and the illegal extraction of nearly two million pay slips and tax forms from the civil servants’ e-pay slip system.
According to the Communications and Digital Ministry, almost RM600 million in losses were recorded throughout 2022 as a result of cybercrime in the country.
The 2023 Regulatory Framework on Technology Risk Management is expected to be released by the Securities Commission Malaysia this year. -Bernama