PETALING JAYA: Cyber attacks will continue to be a threat in the foreseeable future, but there are ways to put in place an adequate defence system to mitigate the risks.

According to cyber security experts, among the steps that can be taken are to have a team of highly specialised IT experts in-house, ensure regular software updates and take out insurance policies to cover possible damage.

They were commenting on a report last week that about 60,000 Microsoft Exchange email accounts worldwide had been attacked.

US officials claimed that the attacks were carried out by a China-backed hacking group known as Hafnium.

The group had allegedly broken into private and government computer networks through the widely used Exchange.

Criminologist and academic Shankar Durairaja told theSun that the primary objective of a cyber attack is to “steal” information from organisations involved in various disciplines such as infectious disease research, law, higher education and policy making.

“Small and medium size businesses are the most vulnerable given that many do not have the budget to mount proper defences. Often, they are unable to attract and recruit IT specialists or highly specialised cyber security experts.”

“Cyber attacks can lead to loss of or damage to electronic data, losses through extortion, legal consequences, loss in income, damage to reputation and leakage of customers’ data that may result in scams and identity theft.”

Shankar added that effective cyber security management is “tedious and often leads to burnout”. He said such threats change continuously, so finding the best tools and expertise is an ongoing challenge and a drain on resources.

He advised businesses to take cyber security as well as cyber liability insurance to mitigate the risks by offsetting some of the costs incurred for recovery.

Cyber security testing firm LGMS group chief executive officer Fong Choong-Fook said the actual number of victims could be much higher than officially stated, given that many organisations might have neglected reporting to the relevant authorities.

“Businesses need to be proactive in updating software to reduce risks. Staff must also be trained to prepare for future attacks.”

Fong said the latest attack would prompt corporations into rethinking the option of an on-site mail server over a cloud-managed version.

Cyber security expert and associate professor at Universiti Sains Malaysia, Dr Selvakumar Manickam, said in the case of the Microsoft Exchange attack, the hackers could have targeted two significant vulnerabilities.

“The attacks went on for years without Microsoft realising it. This is known as a zero-day attack.”

He believes that such vulnerabilities are not confined to Microsoft. “Other organisations that provide similar services are equally vulnerable.”

Selvakumar said many commercial organisations offering such services do not give enough priority to security. “They are more concerned about getting their software or services out to market quickly because it has an impact on revenue stream.”

Another obstacle to ensuring a robust service from the security standpoint is that it is arduous and costly, he added.

He cited the hack on global cyber security solutions provider SolarWinds in December last year to illustrate the point that no organisation is impervious to cyber threats.

Selvakumar said to ensure a robust system, businesses could hire “white hats” (industry term for ethical hackers) to look for vulnerabilities so that they can be addressed before the “black hats” (cyber criminals) exploit them.

“Do it before the software or service goes public.”