In our recently launched study Digital Priorities in the New Normal, we find that 87% of organisations in the Asia Pacific have increased investments in one or more cybersecurity solutions. However, this has to be backed by a reassessment of organisations’ risk positions and a re-evaluation of data protection and compliance policies.
Get more insights on the adoption of key Cybersecurity solutions and investments through our “Market Insights and Vendor Selection” research module which is live and ongoing on the Ecosystm platform.
A complete Data Protection and Exposure Prevention suite, that works across locations, users and applications and ensures better compliance with regulations
A Unified Compliance Assurance platform that provides compliance visibility and breach mitigation across the multiple SaaS applications an organisation uses
Risk Reduction through automated remediations following both industry compliance laws and organisations’ own risk management program guidelines
Ecosystm research finds that organisations are struggling with their cybersecurity implementations, especially as the solutions get increasingly complicated to combat the complex and evolving threat environment (Figure 1). Integration with existing cybersecurity measures, and a lack of sufficiently skilled IT staff to handle the myriad needs of the multiple systems and applications, builds a strong case for automation in cybersecurity practices.
Ecosystm Principal Advisor, Alex Woerndle says, “Automation is critical in cybersecurity, given the volume of data, alerts and incidents that are being dealt with on a daily basis, globally. Automating recurrent and high-volume tasks is a critical step in getting on top of this challenge.”
Importance of Automating Cybersecurity Processes
Woerndle sees a growing role for CSPM providers for multiple reasons. “Firstly, a lot of companies are finding that they cannot be ‘fully cloud’ and as such, end up with a complex architecture spanning on-premise, private cloud environments and multiple public cloud tenancies. Secondly, due to poorly planned cloud migrations, changing priorities, differences in service requirements, cost differences and also personal preferences across multiple teams, a lot of companies end up consuming different services across multiple public cloud providers (Azure, AWS, GCP, and so on). IT teams are struggling to be experts in all aspects of the shared responsibility model and with the capabilities to secure the various services. Finally, there is a constant stream of upgrades and addition of new services team members, given the easy accessibility public cloud environments provide. CSPM solutions provide the ability to establish baselines, enforce security controls and run regular checks to ensure compliance. Doing this manually is time consuming, expensive and always three steps behind.”
Woerndle also sees further complications because of the COVID-19 crisis. “COVID-19 has shifted the world to remote working overnight. Once workers are outside of the trusted corporate network and have access to cloud resources from their home networks, additional complexity to the corporate security posture is highlighted. Depending on how organisations have prepared for this, they either maintain control of all services and applications, and the access into each, or if not prepared, open direct access to a lot of unsecured applications from potentially very unsecured networks.” In fact Zscaler has seen its stock prices rising in the aftermath of the global crisis.
However, Woerndle warns, “While the conversation certainly supports the use of CSPMs, there is a lot more to it in terms of securing home networks, identity and access management, and so on.”
Zscaler’s acquisition of CloudNeeti certainly appears to be a timely move, in the current environment when organisations are struggling with a lack of resources with the extensive knowledge to understand all private and public cloud environments. There are controls required to secure each application, resource and system within an organisation – along with the time and effort required to implement, monitor, audit and improve cybersecurity measures over time.
The Malaysia Digital Economy Corporation (MDEC) has estimated that the country’s Digital Economy is worth USD3 trillion. Several initiatives have been introduced to promote the vision of a Digital Economy including: creating the Malaysia Tech Entrepreneur Programme (MTEP) aimed at tech founders who want to make Malaysia their base; the Malaysia Innovation Policy Council for industry collaboration on digital technology initiatives and streamlining policy/regulatory issues to support innovation; and the National eCommerce Roadmap aimed at small and medium enterprises (SMEs) to promote cross-border eCommerce.
Data Protection Laws for a Digital Economy
However, any country that aspires to be a Digital Economy, must have robust data protection laws that safeguards its citizens’ data. Malaysia’s Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament in 2010 and came into force in late 2013. While the PDPA does provide guidelines for personal data protection to some extent, in light of technological advances, newer laws such as GDPR that are shaping the industry, and to keep up with the aspirations of creating a Digital Economy, there is a need for more comprehensive privacy laws.
“Growing the Digital Economy is a key agenda for Malaysia and a revised PDPA is a key component in ensuring trust and transparency,” says Shamir Amanullah, Principal Advisor Ecosystm. “The increasing and complex use of data and the proliferation of devices pose serious challenges which the data protection laws have to address. The recent US Federal Trade Commission’s hefty fines on Facebook and Equifax highlight the need to protect data of consumers and businesses alike.”
The PDPA is clearly a work in progress where while fast-growing areas such as electronic marketing and online privacy are mentioned in the act, there are no specific provisions to deal with breaches in these areas.
Updating the PDPA
In the last few years, Malaysia has realised that the PDPA fails to cover some areas. As an example, it does not take into consideration the proliferation of biometric data. The national ID card (MyKad) stores data using biometrics (thumbprints) and there is a clear rise in use of facial recognition technology in the country. Grab partnered with the Ministry of Transport last year, to use facial recognition technology to protect their drivers.
Malaysia is committed to their Digital Economy vision and is looking to update the PDPA, to make it more appropriate for contemporary needs and technology. The Government is consulting its citizens on possible ways to improve the PDPA. Between 14-28 February, the public can provide feedback on their thoughts and requirements on data privacy, through the Ministry of Communications and Multimedia’s web portal.
Some of the areas that have been found lacking and where feedback is being sought are expanding applications of the PDPA to data processors, making it compulsory to notify data breaches and simplifying cross-border personal data transfer.
Speaking about the areas that are likely to be addressed, Amanullah notes, “The review of the PDPA and the ongoing public consultation will deliberate extending the PDPA to non-commercial transactions. The existing PDPA does not cover non-commercial transactions involving charities, religious activities and even social media. The EU, Japan and – closer home – the Philippines have data protection acts which regulate both commercial and non-commercial transactions.”
Malaysia’s Communications & Multimedia Minister, Gobind Singh Deo, has from the start spoken about the need to update and bring the PDPA up to speed. “The goal of the Digital Economy is to take Malaysian enterprises beyond the country to Southeast Asian and global markets,” says Amanullah. “The EU GDPR is recognised as a leading global framework for data protection and is set to play a big role in the revised PDPA, to ensure that Malaysian companies adhere to the same data protection standards as global organisations.”
“The appointment of Data Protection Officers will be a major move to ensure that companies that hold sensitive private data have the necessary skills, processes and technology in place to comply with data protection laws.”
For more insights on global Compliance and Data Protection trends, please create your account on the Ecosystm platform.