It is clear that data privacy, in Southeast Asia and the rest of the world, is not currently considered a fundamental right. Most businesses lack internal policies and frameworks for handling personal data, as well as adequate cybersecurity practices, leaving them vulnerable to data loss. With poor data visibility, lack of interoperability, excessive data retention, and new regulations, companies have experienced cyber fatigue, with some giving up on proactively defending against attacks.

But are we moving towards a solution or at least a better understand of the situation? To find out more, we spoke to Chua Chee Pin, Area Vice President of ASEAN, Hong Kong, Korea, Japan, and Taiwan at Commvault, about the current situation in Southeast Asia.

Commvault is a publicly traded data protection and data management software company based in the United States. They are primarily interested in enterprise software for data backup and recovery, cloud and infrastructure management, retention, and compliance.

Commvault has been trusted by over 100,000 organisations since its inception over 25 years ago. Around the world, the company employs over 2,700 people.

Could you give us an overview of the data breaches currently happening in Southeast Asia over the last 12 months?

While most of the region eased out of lockdown in early 2022, many companies opted to continue hybrid or remote work arrangements. However, the lack of proper investment in security infrastructure and suitable data platforms prevailed, allowing data breaches to skyrocket in Southeast Asia throughout the year.

As it stands, Singapore is ranked 6th for the most number of databases exposed, with about 33% of organisations suffering up to S$1.348 million in damage as a result of data breaches. Across the strait, recent breaches that have hit AirAsia, as well as Malaysia’s National Registration Department — which affected 22.5 million Malaysians — are also cause for concern. 

Furthermore, due to the lack of proper internal security frameworks and the fact that data security is still being seen as inconsequential for many businesses, this trend is expected to become more prevalent in near future. Today, it is not uncommon to see tactics such as phishing, malware, distributed denial-of-service, and ransomware attacks in these breaches, where hackers gain unauthorised access to private systems in order to view, modify, and destroy data. 

Several ransomware groups are now using a “Ransomware-as-a-Service” (RaaS) model to target Small and Medium Enterprises (SMEs). Without the need to learn from scratch for RaaS, almost anyone is now able to hack a system and distribute ransomware payloads. 

In light of the above, the question is no longer “how can I keep from getting hacked” but rather, “when will I be hacked and what can I do to mitigate the damage from such an attack?”. There is an increasing recognition that data security is no longer just the job of IT departments, but rather, it is everyone’s responsibility to ensure good digital habits, and Governments across the region are taking the lead. 

Singapore’s Inter-agency Counter Ransomware Task Force (CRTF) was set up in 2022 to protect the nation from attacks. The Philippines and Thailand have also issued harsher penalties for companies that have not adequately taken steps to secure their data and manage breaches. 

Ultimately, data privacy and its related skills must be the focus of any organisation’s security strategy. Today, hackers are becoming increasingly sophisticated with sudden and brutal attacks that can bring even the largest, most prepared organisations to their knees. So, we must keep up!

What are most organisations getting wrong when it comes to data protection and management in Southeast Asia?

One of the most challenging issues for data security is an ineffective workflow while migrating to the cloud. A common mistake many organisations make when moving their data into the cloud is not properly classifying data before moving it, or not setting up proper processes in the migration of the data. This leads to inadvertently replicating the issues that have existed on-premises straight onto the cloud. For data to be optimised securely, it is important for IT teams to understand the nature of the data that is being migrated. What the data is, and what it contains, will affect how it is classified and secured on the cloud — with sensitive, privacy-compliant data requiring a higher level of security. It is therefore essential for organisations to have a holistic view on their data, while adhering to data governance policies. 

Organisations also underestimate the need to have an intelligent cloud data management system as part of an overall cloud strategy. Having this in place helps to provide the agility to support multiple platforms, while — and most importantly — securing essential backups for rapid disaster recovery. As a best practice, IT teams should be mindful of any organisational data risks as cloud adoption takes place, and constantly seek to improve their data management protection approach along the way.

Companies also lack a Zero Loss Strategy that can provide data integrity and visibility to better plan, manage, and reduce the impact of a ransomware attack. A Zero Loss Strategy is built on Zero Trust Principles, which is to trust, but repeatedly verify. Building on this, Commvault implements its Zero Trust Strategy through a multi-layered security framework that includes securing user accounts, access controls, and leading key management systems integration. In addition, centralised management and monitoring of real-time events and activities and integration with leading security tools help provide complete ransomware protection and recovery. 

These multiple layers of authentication controls are ideal at stopping malicious actors, insider threats, and even unintentional accidents from deleting backup data. Multi-factor controls also restrict and block potentially dangerous actions and require elevated authorisation.

What is the biggest issue with getting organisations to realise the threat to them and their customers’ data?

The biggest issue is that organisations are unaware of the consequences of a data breach, and how their entire operations are mostly driven by data. 

These breaches can be brutal — with a full recovery taking months or even years. Furthermore, when an attack occurs, organisations suffer both short-term and long-term damage. At the start, employees and customers will not be able to access the data they need, and productivity will be affected. Attackers can also steal data and demand for ransom via digital extortion. In many cases, the data may not even be returned after the ransom is paid. 

Data breaches will also continue to impact a business in the long-term due to its reputational damage, which often leads to customers losing trust in a company and in turn, a fall in sales. This is not helped by the fact that 60% of breached business raised product prices post – incident, likely due to the expenses of recovering the data, implementing emergency measures, and paying off fines. 

To counter this, it is critical for companies to have a “when, not if” mentality when it comes to data protection. Any organisation can be hit, and being prepared for cyberattacks has become a priority that must be included in upper management discussions so as to ensure that policies, framework, and rules are taught and adhered to. 

Are the threats coming from within the region?

The threats coming from Asia are not unique to us. It is important to remember that many countries have observed the same types of data breaches, and one tactic that is popular in any region will soon spread to the next.

To manage the ever-evolving threats, organisations must have a strict protocol on data access. There is no such thing as a fool-proof data security strategy. It is therefore crucial that each company’s data security plan is constantly updated and tested to reduce the risk of a breach, as cybercriminals become increasingly shrewd with their methods. To bolster this strategy, it is also key to actively monitor for hidden threats. Sophisticated ransomware files can lie dormant until triggered, which means that the damage is already done. IT teams must catch these files while they are in hiding, through active monitoring for early warnings of suspicious and malicious activities.

Lastly, individuals and organisations must be educated on data privacy and the importance of maintaining good cyber hygiene. We all have to be equipped with the knowledge, skills, and technologies to thwart attacks. Since we have a shared responsibility when it comes to defending our cybersecurity systems, it is critical for us to always remain vigilant to any threats in the digital landscape and employ good cyber hygiene practices. 

What’s next for Commvault?

With cloud spending increasing 24.7% YoY to US$23.9 billion in the third quarter of 2022, Commvault is focused on continually adding new capabilities to our suite of products and services, including our latest enhancements to regional data sovereignty for backup snapshots, industry certifications, immutable storage capabilities, and more. 

The alarming pace of recent ransomware incidents has raised a series of red flags and sent a clear message to business leaders that data protection procedures must be overhauled. With our latest addition of ThreatWise to our Metallic portfolio, we take a comprehensive approach towards an integrated data protection strategy – boosting recoverability before encryption, leakage, exfiltration, or damage. Through Metallic Threatwise, the next generation of intelligent data services is ushered in with game-changing early warning signals and rapid response capabilities that enable clients to detect hidden threats and neutralize them before they cause harm.

This will be even more pivotal as companies increasingly understand the value simplified, modern data protection brings towards effective data security, increased collaborative programmes, and scalability without having to invest in expensive infrastructure. 

As a “Leader” and “Outperformer” in the GigaOm Radar for Kubernetes Data Protection report for the third year running, we also understand that the dynamism of the market requires us to continually review our technologies and strategies to ensure they are keeping up with cyber attackers, all while ensuring the rapid progress that we have made in expanding our leading data protection technology to support the widest range of workloads in the industry.