Asia (Other)

Published in Asian-mena Counsel: Cyber Crime & Data Protection Special Report 2018

Screen Shot 2018-10-23 at 12.10.34 PMOrganisations need to recognise that information security is a question of risk and step up defences now.


Attend just about any information security conference these days and you will see a huge array of security products, each promising to solve your data protection issues and keep the hackers at bay.

Yet, the breaches continue. Where are we going wrong?

Kroll investigates numerous security incidents each year, and contrary to what is passing for conventional wisdom these days, the vast majority were preventable. Certainly, the use of sophisticated software products, when correctly selected and implemented, can add a heightened level of protection. But when it comes to data loss prevention, a leadership-driven security culture is imperative.


Asian jurisdictions upping the ante for data breaches

Authorities around the globe are no longer accepting the “it’s not if, but when” defeatist culture that pervades in respect of being hacked. Inspired by the European Union General Data Protection Regulation (GDPR) that recently came into effect with its frightening penalties, Asian jurisdictions are also upping the ante. Data protection laws in Australia and the Philippines are just the beginning as many others are looking to follow suit. Now, concerns are no longer restricted to reputation and business disruption; but now potentially also heavy fines, the requirement for thorough investigation, notifications to customers (and the associated costs therewith) and the threat of class actions loom in the future.


Strong top-down governance strengthens data security throughout organisation

The good news, though, is that there are steps that drastically reduce the risk of a data breach. From the outset, organisations must address the issue of information security as they would any other mission-critical aspect of their business, and this means direct leadership involvement via top-down governance. By continually focusing on and raising cyber security awareness throughout the organisation, leaders can help provide a mature, defensible and flexible structure for protecting sensitive data, eliminating many of the most common threats. This can also help to ensure compliance and encourage good cyber security hygiene among employees, partners and suppliers.

Screen Shot 2018-10-23 at 12.14.42 PM

This approach need not be prohibitively expensive, especially when security measures are considered within the context of how the organisation conducts its business and particularly how its employees work. Ultimately, an organisation must answer four questions:

  1. What data do we have and what are the risks of exposure for each?
  2. Do we have a security framework (people, processes and technology) in place that protects the data and is it commensurate with our risk tolerance and provides meaningful metrics?
  3. Are there well-thought-out plans in place for responding to and remediating a cyber security incident?
  4. Lastly and perhaps most importantly, have we tested all of our assumptions and plans, and do we have a roadmap for continuous testing and monitoring in light of an ever-shifting threat landscape?

Role of virtual chief information security officers and data protection officers

The basics of information security are remarkably straightforward to implement, but very often, the devil is in the detail, and unfortunately, organisations find their strategies and plans to be inadequate or flawed at the worst possible time, ie, in the midst of a data breach or cyber crime crisis.

We increasingly see organisations engaging services from a virtual chief information security officer (vCISO) to complement their existing resources and to help ensure all gaps are plugged. Likewise, legislation in many jurisdictions is mandating that organisations identify and assign a designated individual with Data Protection Officer (DPO) responsibilities. However, when this additional burden proves too time-consuming or difficult for the employee to effectively carry out, turning to external DPO services can be the better option.

Many organisations find it eminently logical to engage an adviser with the global reach and credibility to help guide it on the path to cyber security maturity. In reality, few companies have the scale to hire such capabilities in-house. Independence is also key — security advisers should not be aligned with specific products or services because each environment is unique. By applying the most appropriate and cost-effective tools for the organisation’s needs and risk appetite, the vCISO or vDPO can promote better security at a lower cost.

Ultimately, information security is a question of risk. The stakes are getting higher and the question of whether to accept the risk, reduce the risk or transfer the risk (via cyber insurance) is a business decision — and organisations need advice that they can trust. The journey to resilience in the context of cyber security is a daunting one, but the consequences of failure are starkly exposed in the all-too-regular news headlines. More importantly, our experience shows that with a combination of leadership, carefully selected resources and best practices, organisations can prevent a critical number of breaches, which is good news indeed!


By Paul Jackson, Managing Director, APAC Leader, Cyber Risk, Kroll


Kroll is the leading global provider of risk solutions with more than 45 years of experience in helping clients make confident risk management decisions about people, assets, operations and security. For more information, visit

Screen Shot 2018-07-20 at 1.08.23 PM






Click Here to read the full issue of Asian-mena Counsel: Cyber Crime & Data Protection Special Report 2018.

Official Publication: Asian-mena Counsel

Tags: Cybersecurity
Related Articles by Firm
Physical security key to data centre protection
Controls that prevent physical access to servers must be a fundamental component of any information security programme ...
Combating private sector corruption in Indonesia: A challenge to address in 2019
With elections just around the corner, corruption involving government and public service agencies will likely be a top issue ...
Infrastructure investment in emerging markets — mitigating the risks
Infrastructure projects in emerging markets attract investors on the back of potential returns that can outstrip yields in mature markets ...
Innovating internal investigations in today’s hyperconnected world
Data visualisation tools have emerged as a powerful resource for internal investigations ...
Why asset searches are increasing in Singapore
Parties choose to resolve their disputes in Singapore for the relative ease of enforcement of awards and judgments.
New ultimate beneficial ownership disclosure requirements: An important step in combating financial crime in Indonesia
The requirement will strengthen and amplify the anti-corruption, anti-money laundering, anti-tax avoidance/evasion and anti-monopolism efforts.
Kroll: Opaque ownership fastest-growing concern for compliance professionals
Less than 25 percent feel highly confident in their program’s ability to address these risks.
Singapore gets serious in fight against bribery and corruption
Conducting joint investigations and joint enforcement actions with foreign authorities may become a new norm ...
Global Fraud & Risk Report – 2017/18
Forging New Paths in Times of Uncertainty ...
Law firms play a critical role in the new Indian Insolvency & Bankruptcy Code
Many new reforms and regulations have been introduced to support economic growth. However, one area that was always neglected was bankruptcy law ...
Risks for investors ahead of 2018 Malaysia elections
Investors should be aware of elevated fraud and corruption risks in the lead-up to the election ...
Forensic accounting to assist asset search
There are endless ways to identify assets, but it can be a costly exercise ...
Buyer, beware!
The final of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues …
Forewarned is forearmed
The third of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues …
Crime vs. Ethics: Changing corporate culture to reduce modern slavery
The second of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues …
Reducing and removing involvement in modern slavery
The first of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues ...
Related Articles
Related Articles by Jurisdiction
Taylor Root & Asian-mena Counsel Market Update and Salary Guide 2018
Asian-mena Counsel is delighted to partner with Taylor Root once again for their 12th annual report for the in-house legal and compliance sector ...
A crisis of compliance
Investigating allegations of compliance breaches is an expensive affair. Employee and third-party malfeasance remain a costly budget item on P&Ls across Asia ...
Latest Articles