Maybe, maybe not, because methodologies and parameters are outpaced by highly-liquid cybercriminal and state-sponsored agenda.

How do you rank countries for their annual cybersecurity performance? One research firm used seven criteria deemed to represent a good cross-section of cyber threats.

Here are the criteria used by Comparitech for their March 2020 list, in no particular order, to rank 60 countries in 2019, and subsequently, an additional 16 countries for 2020:

  • The percentage of mobile devices infected with malware
  • The percentage of computers infected with malware
  • The number of financial malware attacks
  • The percentage of all telnet attacks by originating country
  • The percentage of users attacked by cryptominers
  • The best-prepared countries for cyber attacks
  • The countries with the most up-to-date cybersecurity legislation

For the Southeast Asia region, the following changes in ranking occurred:

Country2019 ranking2020 rankingRanking Delta
Indonesia2 (54.89)21 (31.33)19 places down
Singapore 51 (15.13)61 (15.29)10 places down
Malaysia35 (31.79)49 (19.94)14 places down
Thailand34 (32.42)43 (21.87)9 places down
Philippines24 (36.79)29 (26.87)5 places down
Vietnam3 (52.44)14 (35.83)11 places down

The general trend of adding 16 countries (Bosnia & Herzegovina, Chile, Estonia, Finland, Jordan, Kazakhstan, Kyrgyzstan, Lithuania, Moldova, Norway, Oman, Serbia, Switzerland, Syria, Tajikistan, and Turkmenistan) to the list for the advance 2020 rankings was a drop for all SE Asian countries.

The top ranking went to Denmark, taking over from Japan which dropped four places. Other top-scorers were Sweden, Germany and Ireland. France, Canada, and the United States were all pushed out of the top five most cyber-secure countries and into ninth, sixth, and 17th place, respectively.

One surprise was Singapore, arguably the region’s most cyber-agile country due to its small size and tight governance. It dropped 10 places within just a year, and that was in spite of various data privacy protection legislations, tech initiatives and high cyberhygiene-awareness. CybersecAsia had the opportunity to dig the mind of Check Point Software’s chief technology offier, Tony Jarvis, for some insights on this trend. 

He noted: “The initiatives being rolled out in Singapore are commendable and will go a long way to improve the cybersecurity performance and awareness at a personal level. However, it should be noted that these are long term strategies. They will take time to yield significant results as businesses and government work towards implementing the measures and entrenching them as part of business processes.”

Also, there are a number of other factors that must be considered when interpreting the study’s findings. Singapore is of particular interest to attackers as it serves a prominent role in the region, and it is the regional headquarters for many multinational organisations within Asia Pacific. “There is a greater appetite for hackers to target victims here than in other parts of the world.”

Readers will note that this insight takes into account the many high-profile breaches that occurred in the country last year, but at the same time, the ranking base of 60 countries was changed drastically with the inclusion of 16 countries.

CybersecAsia also posed this question to Jarvis (no, not the natural language interface in Iron Man): We note that 9.97% of mobile phones and 6.67% of computers were found to be infected with malware, while 0.5% saw financial malware attacks. About 0.35% of users saw attacks by crypto miner—what should enterprises be aware of, and how can they protect themselves?

According to Jarvis, today’s cyberattacks are increasingly targeting mobile devices as a primary entry point into organizations, and then moving from the compromised mobiles into the corporate network once users connect to the office Wi-Fi. “More can certainly be done in terms of protecting smartphones as they are often employee-owned personal devices without employers requiring security tools to be installed. Enterprises must recognize the risk that personal devices pose when connecting to corporate resources. For too long, many have held the view of ‘not our device, not our problem.’ Ensuring that adequate security is protecting the applications and the networks these devices are connecting to should be high on every organization’s list of priorities.”

Overall, with the ranking system still evolving, and the fact that the addition of new countries makes comparisons less meaningful statistically, we can use such research as a basis for gleaning learning points. Insights from Jarvis and other analysts are always useful for such edification, but ultimately, we should all bear in mind: just one single novel coordinated global attack can change everything. As long as every organization and government keeps striving for the most fuzzy, zero-trust approaches to cyber hygiene, the world will be better for it.