In today's capricious digital world, cybersecurity is more important than ever. In an exclusive interview with Telecom Review Asia on the sidelines of GovWare 2024, Ng Hoo Ming, President of the ASEAN Chief Information Officer Association and CEO of BSL Technologies Pte Ltd, highlighted the urgent cybersecurity issues facing ASEAN countries.
As digital transformation accelerates across the region, threats like ransomware attacks, fraud, and cloud security vulnerabilities are on the rise. Consequently, Ng Hoo Ming is encouraging ASEAN member states to work together to boost cybersecurity defenses and improve governance practices. Chief Information Officers (CIOs) can lead the way in promoting cybersecurity within their organizations through strong leadership and strategic planning.
What are the most pressing cybersecurity issues that ASEAN countries are facing today, particularly from your perspective within the Cybersecurity & Governance Chapter at ACIOA?
Digital technology adoption is a global trend, but it has been particularly accelerated in Southeast Asia due to government policies promoting digital transformation on a national scale. Additionally, businesses have had to embrace digital technology as a strategic necessity, especially during the pandemic, when it became less of a choice and more of a survival instinct. The lockdowns and restrictions on physical movement forced companies to adopt digital technologies to maintain operations. Digital transformation has become unavoidable for enterprises to remain competitive and continue operating in the post-pandemic new normal.
Several key trends are driving this transformation, whether it is initiated internally or influenced by external factors. Firstly, there is a significant shift toward cloud computing, primarily for cost efficiency. Secondly, e-platforms are being widely adopted to reach business partners, customers, and even government agencies. Thirdly, e-payment has become the standard mode of transaction. Finally, automation through AI and other technologies is increasingly being integrated into business processes.
Southeast Asia's digital economy has already surpassed initial projections of USD 300 billion by 2025. The updated forecast now suggests that the region’s digital economy could reach USD 1 trillion by 2030. This presents a massive growth opportunity, positioning ASEAN as a significant player in the global digital economy. With over 600 million young and dynamic people, ASEAN is uniquely positioned to leverage digital technology to drive economic progress and enhance the living standards of its population.
However, with digitalization comes new risks. While the region embraces digital technology, it also faces heightened cybersecurity threats. Malicious actors are constantly seeking vulnerabilities in our systems for their gain. The top four cybersecurity challenges in ASEAN include financial losses from fraud and online scams, which amount to hundreds of millions of dollars annually. Ransomware attacks also pose a significant threat to both government agencies and private institutions, regardless of their size. Deepfakes are another rising concern, undermining trust in digital platforms. Lastly, cloud security remains a major concern for enterprises as they increasingly adopt cloud-based strategies.
How can regional collaboration among ASEAN member states improve collective cybersecurity defenses?
Cybersecurity is a major focus area that the ASEAN region is seriously addressing. The ASEAN Digital Master Plan 2025 highlights several key areas for enhancing cybersecurity. Firstly, there is a focus on delivering trusted digital services and preventing consumer harm. To encourage the adoption of digital services, particularly in sectors like health and finance, consumers need to trust these services. This applies to new and emerging technologies as well. A crucial part of this is ensuring that best practices in cybersecurity and digital data governance are widely adopted to mitigate the impact of breaches on businesses and consumers, and to build trust.
Secondly, enabling trust through broader use of online security technologies is essential. ASEAN Member States (AMS) could establish a program to measure and improve the use of secure networking technologies by creating a reliable index and measurement system for critical online security technologies and ensuring their deployment across the region.
Additionally, AMS should build trust by enhancing security in key sectors like finance, healthcare, education, and government. Building on frameworks like the ASEAN Framework on Personal Data Protection (2016) and the ASEAN Framework on Digital Data Governance, AMS can develop harmonized, principle-based regulations for data protection and privacy, including data management and cross-border data flows. This will facilitate cross-border digital trade by fostering user trust in sharing personal data. ASEAN should also build on the 2021 Implementing Guidelines for the ASEAN Cross-Border Data Flows Mechanism to develop and implement a suite of data transfer mechanisms. This would improve the region’s ability to ensure the interoperability of standards with frameworks like APEC CBPR and the European Union's GDPR. Moreover, ASEAN could create a framework for common policies on handling large data collections and using AI and machine learning (ML) with these datasets.
Improved coordination and cooperation among regional Computer Incident Response Teams (CIRTs) is also a priority. ASEAN should expand the coordination between individual country CIRTs and fully establish a regional CSIRT (Computer Security Incident Response Team) for better response to cybersecurity threats.
Finally, promoting consumer protection and rights in relation to e-commerce is crucial. Moving towards convergence on consumer rights and protection will facilitate cross-border trade and give consumers confidence that products are safe and their rights are recognized across member states. Building on the progress made so far, ASEAN could strengthen collaboration with relevant sectoral bodies to create pan-ASEAN arrangements for recognizing and enforcing cross-border judgments for both private and public actions, further fostering trade and consumer trust.
What role do CISOs play in promoting cybersecurity governance within organizations, and how can they enhance their influence in this area?
CISOs ensure that organizations recognize cybersecurity as the responsibility of the entire senior executive team and the Board. A cyber incident affects the whole organization, not just the IT department. It can disrupt online sales, impact contractual relationships, or result in legal and regulatory consequences. Therefore, senior executives and the Board must possess sufficient expertise to guide cybersecurity strategy and hold decision-makers accountable. Every leader needs to understand how cybersecurity impacts their specific areas and the organization as a whole. When cybersecurity is a priority for the Board, it will naturally trickle down through the organization. Interestingly, while two-thirds of C-suite executives view cybersecurity as a top concern, outstripping even financial risks, fewer than 20% demonstrate a high level of cybersecurity preparedness. Leaders must not be content with having just a plan on paper; they must actively work toward improving cybersecurity governance.
Cybersecurity governance should not be viewed as an obstruction to operations but as an enabler that allows businesses to continue operating despite increasing cyber threats and attacks. Every organization, whether it be individual, business, or government, shares the responsibility of enhancing cybersecurity. It should be seen as an investment, not a cost. Any company undergoing digital transformation needs to consider cybersecurity seriously to ensure its operations are faster, better, and, most importantly, secure and resilient. Cybersecure organizations not only survive but thrive, scaling up as they continue to ensure their systems remain protected. Cybersecurity must be managed at a higher level to align with business imperatives and industry best practices while adhering to national regulatory frameworks. Business leaders need to understand cybersecurity to make informed decisions on risk management because it directly impacts the bottom line.
To improve cybersecurity governance, leaders should ask themselves key questions: Is the organization investing enough in cybersecurity? Do we know the effectiveness of our security investments? Do we have the means to continuously validate the effectiveness of our defenses beyond simply passing audits? Do we have a cybersecurity governance program with actionable procedures and contingency plans? Are these plans practiced and understood by the organization?
Implementing a strong cybersecurity governance framework requires organizations to identify which systems and data are critical, who has access to them, how well they are protected, and how to enhance their protection. Most importantly, developing a Cybersecurity Readiness Maturity Index will help assess the organization’s cybersecurity maturity in key areas: risk mitigation, early detection, robust response, and rapid recovery. This will guide efforts to manage cyber risks effectively and develop systematic action plans to improve governance and security protocols.
What best practices would you recommend to ASEAN organizations to effectively manage their cybersecurity risks?
In terms of technical control measures, organizations in ASEAN should adopt the mindset that a security breach is inevitable and, as such, should lock down their networks. This does not mean physically isolating the network from the rest of the world, but rather ensuring that there are no open paths for hackers to exploit internal systems. Additional security measures should also be implemented to address insider threats. Full visibility and continuous monitoring are crucial, especially in accounting for all privileged access, privilege escalation, and the creation of administrator accounts.
Application security is also of paramount importance. Weak software coding, such as embedded administrator passwords, poses significant risks. Organizations must ensure the secure storage of encryption keys and avoid the sharing of administrator accounts. It is recommended to use dedicated machines for administrative tasks and implement network segmentation to create separate network segments for administrative work. If remote access is allowed, strong two-factor authentication (2FA) and time-based access control should be applied.
Additionally, a zero-trust approach should be adopted to counter today's sophisticated cyber attacks. This approach operates on the assumption that user identities or the network itself may already be compromised and relies on AI and analytics to continuously validate connections between users, data, and resources, including devices, applications, and backend servers.
These critical defensive measures can significantly reduce an organization’s cyber risk, but it is impossible to guarantee 100% cybersecurity. In the unfortunate circumstance that an attacker penetrates the defenses, strong data encryption, including post-quantum computing proof, should be deployed to protect sensitive data. Additionally, a robust data backup system should be in place to ensure that business operations can be recovered in a timely manner.