Organized cybercrime is becoming more organized: the threat cannot be understated, so who’re you gonna call?

According to recent report by Kroll on the state of incident response in APAC, 36% of businesses in APAC did not have an incident response playbook, a plan or policies in place, while 38% did not have an appointed data protection officer or access to cyber security specialists on a retainer in Asia Pacific.

These findings are of concern given that cyber incidents have caused tangible impacts on organizations, with data loss (51%) and business interruption (49%) constituting the two most cited impacts of an incident.

CybersecAsiahad the opportunity to gain some insights from Paul Jackson, Regional Managing Director of Asia Pacific, Cyber Risk, Kroll, on developing response plans against cyber-attacks:


Based on trends, is ransomware a ‘strike-anywhere, hit-anyone’ kind of attack, meaning attackers do not choose victims whether they are large organizations or small businesses?

Paul Jackson (PJ): Generally speaking, yes. To the threat actor, businesses large and small alike are just an IP address, each with differing levels of security. These threat actors will normally infiltrate, carry out reconnaissance, and then when they get the measure of their victim, craft a ransom (and concomitant amount) appropriately.

They may also exfiltrate data ahead of making themselves known – we call this “double extortion”; not only do they demand a ransom from the company to access their own data, but also another amount to prevent it from being released and/or sold on the dark web.


We can see from trends that businesses that are more likely to pay are being increasingly selected as targets. This includes:

    • Healthcare – for obvious reasons, any disruption in service and/or access to records could have life or death impact. Also, medical related records are some of the most sensitive types of data, so threats of exposure are more likely to be taken seriously by the victims
    • Manufacturing/supply chain – for many companies, a single day of downtime could cost millions of dollars. Hence, they are likely to weigh the cost of extortion balanced with the cost of downtime – a business decision.
    • Professional Services – the sensitive nature of the data (such as law firms etc.) that they hold means that any exposure could be devastating to reputation and trust in their businesses. Hence, companies are more likely to pay to prevent this from happening.

What may be the reasons why many businesses in APAC have yet to build appropriate response plans against such attacks?

PJ: Developing appropriate response plans and scaling these up are critical in an era of evolving cyber threats. But not many businesses are doing so yet.

Various factors are impinging on this, many related to development – the maturity of Asian corporates in matters of risk and cybersecurity, a less developed (but rapidly maturing) regulatory landscape in APAC, and challenges in resource allocation to various operational demands – particularly in the aftermath of a pandemic-affected economy.

Additionally, while many jurisdictions are bringing in new laws and regulations aimed at protecting personally identifiable information, there is a lack of the ‘stick’ and/or capability to enforce these. Hence there is less incentive to invest in better security and response capabilities.

This has a knock-on effect that there is a serious lack of good cyber security leadership in the region as not enough practitioners are gaining the necessary experience and competence through developing effective programs and dealing with breaches via incident response.

Is the cyber expertise accessible, but businesses simply remain passive to the threat; or is the concern not big enough to invest in countering cyberthreats?

PJ: The cyber expertise is there to find but the hard part is often in validating that new cyber security hires have the requisite skills and experience. This is why it is often important to involve reputable external expertise to provide that validation.

There’s always a conversation to be had, and we engage with corporates across APAC – indeed, across the globe. It can seem daunting in the face of all the threats faced, but working with a cybersecurity consulting firm can result in the development of a plan appropriate to the resources of any firm.

We can help companies determine what has to be prioritized – whether it is mandated by a government or regulator, or investors or shareholders – or just a matter of good practice. While one corporate might benefit from penetration testing as a matter of urgency, another might require an incident response plan, or responders on standby.

The cost to the business is what can be properly formulated in conjunction with the advice provided by a trusted and experienced security consultant. A mature risk management program should be able to address the risk/reward nature of managing cyber resilience. It is a fallacy that security costs are exorbitant; particularly compared to the likely cost of a breach.