As the world generates and transmits more data than ever, that information proves an irresistibly tempting target for bad actors, making cybercrime one of the most pressing international cyber trends of 2021.
But, as NetDiligence Chief Technology Officer Vinny Sakore stated during a recent panel with members of global law firm Baker McKenzie, no matter where a cyber incident occurs, there’s a good chance any money involved goes through the Asian market.
With 77 offices in more than 40 jurisdictions, Baker McKenzie, a NetDiligence Authorized Breach Coach® firm, is well-positioned to report on 2021 trends in cybersecurity. Sakore spoke with four of its members who did so from across Asia:
- Ken Chia, principal, in Singapore, is a member of the firm’s IP Tech, International Commercial & Trade, and Competition Practice Groups.
- Gillian Lam, senior associate, in Hong Kong, focuses on cyber fraud and recovery actions.
- Marcia Lee, special counsel, in Hong Kong, practices in privacy and data protection issues, technology, and e-commerce, among other specialties.
- Jo-Fan Yu, partner, in Taiwan, is a member of the firm’s Information, Technology, Communications and Telecoms, Media, and Technology groups in Taipei.
Jeremy Brown, the principal consultant with Unit 42, the global threat intelligence team at Palo Alto Networks, also joined the conversation, offering insight from his extensive experience in digital forensics and incident response.
What are your regulatory landscapes regarding data privacy, security, and breach notification?
Hong Kong data privacy law essentially “treats all categories of personal data the same,” says Lee.
Those who collect and process personal data must secure it, but the law doesn’t currently mandate they report data breaches, though amendments may be on the horizon.
Taiwan’s Personal Data Protection Act (PDPA) requires that companies notify people whose information is affected by data breaches, but, Yu points out, only after they’ve completed their investigation. Generally, the law doesn’t require companies to notify the government, although such infrastructure-critical companies as railways are subject to stricter rules.
Singapore has a Cybersecurity Act, which Chia says offers strong protection of critical information. An update to it this February mandates notification when a data breach could do significant harm to people—and, Chia adds, this obligation is triggered if even a single customer is affected.
In 2021 what information security trends do you see around email compromise?
Cybercriminals giving unsuspecting victims fraudulent financial instructions via email continues to be a major problem in Hong Kong. Lam notes three concerning trends:
- Hong Kong and China are “hot destinations” for fraudulent wire transfers.
Lam says fraudsters mislead people all around the world into sending funds to Hong Kong and China. Some cases she handles are worth €10-20 million (about $12-24 million US), involving multiple requests and transfers before the crime comes to light.Based on what she’s discovered when suing second-and third-tier fund recipients, many companies fraudulently receiving money in Hong Kong are actually set up by individuals in mainland China. - Cybercriminals have grown much more sophisticated in their methods.
Lam no longer sees only “spoofed” emails—messages from forged addresses. Instead, she sees emails sent from legitimate addresses, meaning the rightful owner of the sending account has been hacked.Lam also notes fraudsters fabricate much more elaborate “documentation” to make their instructions about sending money appear legitimate. No more “flimsy, one-page investment invoice with no signature whatsoever,” she says. “Now, we see sixty pages of legal documents as supporting evidence.” - The COVID-19 pandemic has increased people’s vulnerability to email compromise.
More people working from home was one of the cybersecurity trends in 2021 identified by Gartner, as demanding businesses’ attention. Lam recognizes the impact of remote work on cybersecurity, too.It’s easy, she says, for remote workers to click on phishing emails—messages designed to get people to give personal information—ostensibly from the World Health Organization or nonprofit organizations (NGOs.)Links in these emails lead to websites that “talk about COVID-19, but I think [are] actually where the compromise came from in the first place,” says Lam, “and how [cybercriminals] could socially engineer and trick people into sending money across.”
What are you seeing in the way of ransomware attacks?
Brown marvels at how brash and aggressive ransomware attacks have become. A rise in double extortion has proved one of the most significant international cyber trends of 2021. “Not only do they lock up your data,” says Brown, “they threaten to release your data” if not paid.
Chia agrees. He’s seen cases in Singapore in which threat actors release small pieces of information to the dark web at first, “then more and more, trying to up the ante.” But he cautions against companies paying the ransom, since “you don’t want to be paying cyberterrorists.”
Yu says cybercriminals have used ransomware to target manufacturing companies in Taiwan during the pandemic, including Apple supplier Quanta Computer. The hacker group REvil claimed it accessed not only personal data but also details about upcoming Apple products. The hackers demanded $50 million US and threatened to release the information publicly if not paid.
“Such a case presents a really complicated situation,” says Yu. She argues companies’ decisions—whether, when, and how to notify business partners—are crucial because the companies “might be considered as violating their confidential[ity] agreements.”
What can companies do to better manage cyber attacks?
Companies may feel helpless against the daunting international cyber trends of 2021. But, the experts say companies can take action in several ways.
- Investing in cybersecurity.
Deploying a strong cybersecurity defense of one’s own may seem an obvious measure, but a surprising amount of companies don’t take it. Brown notes many firms don’t even enable multi-factor authentication (MFA) for access to sensitive data. - Developing an incident response plan.
Knowing what to do should a data breach occur is crucial for mitigating damage to the affected individuals and the company. Don’t rely solely on government regulations to guide your notification decisions.And, approach legal help as quickly as possible. “When the clients come to us quickly enough,” says Lam, “we’re able to recover substantial amounts” of fraudulently transferred funds. - Train personnel in company policies.
“You can spend as much money as you want building a defense and theft security approach to your network,” says Brown, “as much money as you want to put in there. Somebody’s always going to click on something!”Develop clear policies for dealing with sensitive data. Ensure your personnel knows them. And, insist your policies are followed.
You can learn more about Baker McKenzie by visiting https://www.bakermckenzie.com/en.
If you have questions about developing and implementing a cyber-focused incident response plan, call NetDiligence at 610.525.6383 or contact us online.