Safeguarding against the race for data
As digital platforms take over every sphere of modern existence, stakeholders are increasingly vulnerable to cybersecurity violations, especially given the void in protective infrastructure and legislation, write Suchit Leesa-nguansuk and Somruedi Banchon
Putting Thailand 4.0 and a cashless society in place seems to be the dream of Thai policymakers and business tycoons, but the recent data leakage by two of the country’s major financial institutions has left many wondering whether the virtual dream is in fact a nightmare in the making.
Cyber-attackers this month stole data belonging t o 123,000 customers from Kasikornbank (KBank) and Krungthai Bank (KTB) in what appears to be the first massive data leak to hit local financial institutions.
KBank, the country’s third-largest bank by assets, told the Bank of Thailand that some corporate customer information had been breached but it was all general data, while KTB said most of the stolen data involved lending applications from retail customers, along with some corporate client data.
Both banks said that the leaked information was not financial transaction data and that they had already stemmed unauthorised access.
According to a preliminary investigation, no customers have suffered any damage as a result of the incident, KBank said, but officials will monitor any customer account irregularities.
Kasikorn Business Technology Group chairman Somkid Jiranuntarat said the attacks may have originated from outside Thailand.
Surangkana Wayuparb, executive director and chief executive at the Electronic Transactions Development Agency, said: “Data leakage generally can stem from malware, computer viruses, vulnerability of software during the development process or even user error. Organisations in the spotlight are targeted by cybercriminals, who look for fragility or loopholes in the system. Hackers might steal credentials from authorised users to access the organisation’s system.”
To strengthen cybersecurity in preparation for a full-fledged digital economy, Thailand needs to improve cybersecurity awareness and ensure that all stakeholders are alert, Mrs Surangkana said.
IMMEDIATE RESPONSE
KTB president Payong Srivanich said his bank set up a war room and was inspecting the data breach within 12 hours of detecting the cyber-attack.
By taking immediate action, the bank managed to handle the problem and no financial losses to customers were reported, Mr Payong said.
Despite the data leak, the bank has not needed to allocate more funds to the cybersecurity budget, he said.
KTB already has a large budget for IT investment, 10 billion baht this year, which includes the cybersecurity system.
After the KTB and KBank customer data breaches, the Thailand Banking Sector Computer Emergency Response Team (TB-CERT), a unit under the Thai Bankers’ Association (TBA), vowed to strengthen its cybersecurity system.
One executive at another local bank said the bank employs a “white hat” hacker, referring to an ethical computer hacker or IT security expert specialising in cybersecurity testing methodologies. The idea is to attack the bank’s cybersecurity system to test its impregnability.
If any loophole or weakness is found, the bank will solve such problems immediately to prevent cybersecurity risk, the executive said, adding that the bank spends a relatively large amount of budget on cybersecurity upgrades annually.
Cyber-attacks aimed at obtaining online data from the outside are more difficult to deal with than internal hacking, the executive said.
Hackers will pose as customers and embed a computer virus into the cybersecurity system in an attempt to steal genuine customers’ data. It is quite difficult to prevent this type of cyber-attack, so banks must invest heavily to always ensure and strengthen cybersecurity on a regular basis.
“Inside-to-outside data leaks largely come from former staff, which is a key concern that banks need to monitor,” the executive said.
This particular bank has methods to prevent cyber-attacks and manage cyber-risks under a business continuity plan, which also
covers assistance measures and compensation offered to clients who are victimised by cyber-attacks.
MUCH LEFT TO DO
Security experts have urgently warned about increasing Thailand’s readiness in cybersecurity, as the country still lacks a cybersecurity workforce, law enforcement and national cybersecurity strategies to strengthen information systems and proper incident response in the digital economy landscape.
Thailand had an estimated 37.1 internet users per 100 people in 2017, which was above the rate for regional neighbours such as India (36.5) and Indonesia (27.7) but below that of Malaysia (81.2), according to the Economist Intelligence Unit (EIU).
The country placed 49th out of 82 countries surveyed in the Technological Readiness Ranking for 2018-22 recently released by the EIU. Within the Asia-Pacific region, Thailand scores above average in subcategories such as mobile-phone subscriptions, scope of e-government and the quality of the e-commerce business environment.
Nakrop Niamnamtham, managing director of nForce Secure Co, a leading cybersecurity tech distributor and cybersecurity expert, said Thailand’s
cybersecurity infrastructure is not ready for the digital economy.
“Overall, there have been investments in cybersecurity in the public and private sectors, as well as the availability of advanced technologies, so products and technology are well-equipped, but cybersecurity professionals are a key shortage,” Mr Nakrop said.
“This is similar to having a fully furnished car without airbags to protect the driver if he or she is drunk,” he mused.
The shortage of cybersecurity experts
has lingered for a decade, and today it’s estimated that only 20% of IT graduates can fulfil the role, while the rest are unqualified, Mr Nakrop said.
In other countries, cybersecurity staffers who work for the government have a salary gap of 10-15% compared with those employed in the private sector. In Thailand, the salary gap is multiplied, resulting in a greater scarcity of cybersecurity personnel.
Moreover, the lack of cybersecurity and data protection laws means that when service providers experience data breaches they remain unaccountable in Thailand.
“In Europe and the US, consumers sue service providers or operators who leak their data, but nothing has been done for the many data leaks in Thailand,” Mr Nakrop said.
Another missing piece is universities, where there are no modules or special courses on cybersecurity systems, along with a lack of teaching staff, he said. The high cost of cybersecurity equipment means fewer opportunities for handson experience.
Mr Nakrop said the National Cybersecurity Agency must be independent so it can use government funding to protect, detect and provide proper incident response at the national level.
In other countries, such agencies are also responsible for training the workforce, with investment in high-cost equipment for training programmes.
“If we have laws that create demand for professional cybersecurity staff, this might attract students, while academics should improve the quality of students and not just focus on the salaries students earn,” Mr Nakrop said.
WEAK STRATEGIES
Prinya Hom-anek, secretary-general of the Thailand Information Security Authority (TISA), said cybercriminals have shifted their target to data held by organisations.
Government and critical digital infrastructure should have resilient cybersecurity with mandatory risk acceptance levels, Mr Prinya said.
Similar to corporate fire drills, there needs to be a routine of cyberdrills and incident response to handle possible cyberattacks, he said. Standardised technology necessary for internet infrastructure resilience, software-testing quality, technical security controls and cryptographic controls must also be in place to ensure maximum cybersecurity.
As Thailand winds into the digital realm, a cyberculture needs to be built to raise awareness of a security mindset while equipping citizens with education and training at a professional level.
“Regulators should draft cybersecurity legislation for a public hearing with the cybersecurity expert community,” Mr Prinya said.
Though it’s difficult to provide full protection against cyber-attacks, responses should be employed rapidly and with fast recovery, he said.
With no punishment in place because of an absence in cybersecurity and data protection laws, service operators may not make a huge effort to enhance cybersecurity and instead invest at their will, Mr Prinya said.
While IT teams in organisations are aware of the importance of cybersecurity, the issue is still secondary for management executives, he said.
“Business operators have increased spending on sales and marketing, while considering cybersecurity a cost and compliance issue,” Mr Prinya said. “In fact, if there is any attack, reputation and customer confidence will be ruined, resulting in loss of capital and data recovery.”
In Thailand, there are fewer than 2,000 workers sufficiently equipped with cybersecurity skills.
“We have to train more vocational school students to be cybersecurity engineers and staff,” Mr Prinya said.
PROTECTIVE MEASURES
Digital banking services have been growing in terms of both users and transactions, mainly due to convenience. In addition, the rising trend of digital banking transactions comes with financial fraud on the digital channel.
Although the digital banking security system is quite strong, users need to secure themselves with regard to digital transactions.
According to Citibank, cybercriminals often infiltrate computers or devices by exploiting vulnerabilities in software. The more up to date the software is, the fewer known vulnerabilities systems will have and the harder it will be for cybercriminals to infect them.
Therefore, making sure that operating systems, applications and devices are enabled to automatically install updates and security patches is a key step in warding off breaches.
Citibank also advises using a standard account that has limited privileges rather than privileged accounts such as “administrator” or “root”.
This can provide additional protection by preventing many types of malware from being able to install themselves.
Furthermore, unsolicited attachments should be avoided. Cybercriminals often trick people into installing malware for them. Vigilance is recommended before opening email attachments or clicking on links, as is ensuring that anti-virus software is updated.
Citibank says files should be backed up regularly and recent backups kept off-site. Backups should be automated and verified that they are restorable. When rebuilding a system from backup, the latest security patches should be applied before being used again.
This is similar to having a fully furnished car without airbags to protect the driver if he or she is drunk.
NAKROP NIAMNAMTHAM Managing director, nForce Secure Co