Indonesia was hit by a record 12.9 million cyberattacks last year, according to official data, and experts agree that such attacks will increase in 2019 as businesses and other institutions go through a process of digital transformation.
“Cyberattacks grow by an average 15 percent every year,” Sulistyo, director of threat detection at the Cyber Body and National Encryption Agency (BSSN), said in Jakarta recently.
The agency found that last year’s cyberattacks varied from phishing to denial of service (DoS), but the bulk of them were from malware – a contraction of ‘malicious software’ – at 3.9 percent or more than 500,000 cases.
Indonesia’s most notorious malware attack to date was that using the WannaCry malware, which infected dozens of computers at the Harapan Kita and Dharmais hospitals in Jakarta for two days in May 2017.
The attack rendered much of patients’ online information inaccessible to hospital staff.
Such cyberattacks cause direct and indirect losses of up to US$6.7 million for large companies and $33,500 for mid-sized companies in Indonesia, according to a Frost & Sullivan study released last year.
Media commentators said the hospital attacks were unsurprising, as companies in the healthcare, finance, hospitality, retail (particularly e-commerce) and aviation industries were among those most prone to attacks.
“We’re looking at companies that collect large amounts of personal customer data and risk suffering significant losses if their systems go offline,” said Andrew Mahony, regional director for commercial risk solutions at Aon Asia.
Aon, a global business consultancy, recently released its 2019 Cyber Security Risk report that includes an eight-point risk paradigm to evaluate a company’s cybersecurity: technology, internet-of-things (IoT), supply chain, business operations, mergers and acquisitions, regulations, board of directors and employees.
Employees, the report notes, remain the most common cause of data breaches through either reckless or malicious acts.
The report’s essential message is that cyberattacks are inevitable and thus, companies should invest in both preventative and remedial security measures to lessen and minimize successful attacks.
"In 2019, the greatest challenge organizations will face is simply keeping up with and staying informed about the evolving cyber risk landscape," says the report.
Three other pieces of insight from the report are: Hackers frequently attack during an acquisition period; data protection regulations favor holding breached companies responsible even if third-party vendors are at fault; and cloud computing is intensifying shadow IT activity, whereby a company’s employees adopt certain technologies without informing the IT department.
In Indonesia’s case, Mahony pointed out that the IoT factor was of particular concern because of the country’s high smartphone penetration rate at 98 percent of all internet users.
“Indonesia will see waves of vulnerabilities and exploits directed at smartphones instead of traditional desktop computers,” he said.
Dony Koesmandarin, territory channel manager of Kaspersky Indonesia, also predicted that smartphones would become soft targets for cyberattacks this year.
Mahony’s advice for companies was to catalog their existing IT systems with an emphasis on the distribution of administrative privileges, then hire a professional hacker to run a risk assessment as the basis for a cybersecurity roadmap.
In terms of budgeting, research firm Gartner found that cybersecurity spending averaged 5.6 percent of a company’s IT budget in 2016 but may range from 1 percent to 13 percent depending on individual businesses.
Soegiharto Santoso, chairman of the Indonesian ICT Business Association (APTIKNAS), concurred on the urgency of cybersecurity measures, saying it was due to a lack of awareness on corporate security and individual data privacy.
He listed ten pressing cyberattack concerns for this year: man-in-the-middle, drive-by, structured query language (SQL) injection, cross-site scripting, eavesdropping, birthday (cryptographic) attacks, password attacks and the three types mentioned by the BSSN.
“Companies need to consider appointing a specialized cybersecurity officer and educating their users on personal data privacy,” he said.