Prudential revealed in June that two of its businesses, Prudential Assurance Malaysia Bhd and Prudential BSN Takaful Bhd, were among the global firms impacted by the MOVEit cyberattack.

According to Prudential, it was “very likely” that the incident affected the data of personal agents and customers.

“The risk of unauthorised transactions is reduced as only partial credit card information is included. Our investigation is still ongoing,” the company said in a June 14 statement.

Companies use the file transfer programme MOVEit, created by Progress, to transmit large files.

A zero-day vulnerability was discovered and flagged on June 1 by security researchers and the US government, but not before it was exploited.

Clop, a ransomware group, claimed responsibility and threatened to release the data in an attempt to extort millions of dollars.

CyberSecurity Malaysia CEO Datuk Dr Amirudin Abdul Wahab discouraged companies hit by ransomware from giving in to demands from hackers and instead urged companies to seek assistance from authorities.

Paying the price

According to a Palo Alto Networks’ report, the highest ransomware demand last year was US$50mil (RM226.4mil), while the highest amount paid for ransom was US$7mil (RM31.7mil).

The report, Unit 42 Incident Response, also revealed that ransomware and extortion cases in Malaysia increased by 37.5% from 2021 to 2022, with 11 reported cases across key sectors.

Meanwhile, the State Of Data Security: The Hard Truth report found that 72% of organisations paid ransomware demands in 2022.

Yeong highlights that, in addition to potential financial and data losses, ransomware also has a ‘human cost’. — YEONG CHEE WAI

Data security company Rubrik Zero Lab commissioned Wakefield Research to conduct the survey, which involved over 1,600 IT and security leaders across 10 countries, including the United States, Japan, Singapore, and India.For most companies, paying the ransom and patching the vulnerabilities is not the end of their troubles.

“Apart from the possible financial and data losses, there’s also the human cost of ransomware,” said Yeong Chee Wai, Rubrik Systems Engineering area vice president for Asia Pacific and Japan, at Cyber Security Asia 2023.

“People who suffered from a cyberattack are reporting significant emotional stress.”

He said Wakefield Research showed that 93% of organisations that encountered a cyberattack in 2022 had to deal with negative impacts, which included loss of customers (49%), decline in revenue (45%), negative press or reputational damage (44%), a forced change of leadership (42%), and stock negatively impacted (5%).

Ninety-eight percent of IT and security leaders reported significant emotional and psychological impacts from the cyberattacks.

According to the survey, 53% reported increased anxiety in relation to their duties while also being concerned about job security (46%), loss of trust among colleagues and team members (43%), and having trouble sleeping (41%).

The majority of respondents (96%) were also concerned that their companies would fail to recover from a cyberattack and maintain business continuity, and 39% believed that their board of directors or C-level leaders would have little to no confidence in the organisation’s ability to recover critical data and business applications.

Reducing risks

An Australia-based expert and speaker on cybersecurity, Abhijitt Mukharjji, said poor privilege management is one of the key factors that make companies vulnerable to attacks.

“What I’m seeing here is how most companies or organisations issue computers, such as laptops, to staff without restricting admin privileges.

“If the staff has the comfort of downloading anything and everything, from phishing emails to suspicious messages on WhatsApp, then it’s possible for ransomware to easily proliferate, attack, and encrypt their systems,” he said.

Mukharjji says poor privilege management is one of the factors that make companies vulnerable to attacks. — ABHIJITT MUKHARJJI

He attributed the issue of poor privilege management to a lack of awareness.

“Companies and organisations should start assessing their preventive capability.

“They can start by looking into how staff using work devices should only use apps or software that are approved for work purposes,” he said.

Meanwhile, Dr Marhaini Mohd Noor, senior lecturer at Universiti Malaysia Terengganu, who has conducted research on strengthening cybersecurity policy, said one of the issues is the lack of a mandatory framework.

“Effective mechanisms and institutional structures at the national level are necessary to reliably prepare for and respond to cyber threats and incidents. “The absence of such institutions poses challenges in terms of how to adequately and effectively respond to cyberattacks,” she added.

Prime Minister Anwar Ibrahim has announced that a new cybersecurity Bill will be drawn up by the National Cyber Security Agency (Nacsa).

The upcoming bill will give Nacsa more legal authority to regulate and enforce laws related to cybersecurity.

Marhaini said that as the impact of cybersecurity incidents like ransomware can be severe and long-lasting, proactive measures are crucial.

“The organisations need clear policies and procedures for handling incidents, which include actions like establishing an incident response team with experts and providing regular training on awareness to employees,” she said.

She added that it’s important to emphasise that cybersecurity “is the responsibility of all people”, not just IT personnel.

According to Marhaini, institutional structures at the national level are necessary to reliably prepare for and respond to cyber threats. — MARHAINI MOHD NOOR

According to Abhijitt, there is also value in companies making voluntary declarations on cybersecurity incidents, adding that “it will pave the way for other companies to do the same”.

“Other companies that may not be affected will start looking into their own IT systems as well and asking questions about whether they are prepared to handle such situations if they occur to them,” he said.