Challenges remain for local companies when improving cybersecurity protection – Deloitte

Deloitte cybersecurity experts told Macau News Agency (MNA) that even though the level of cyberattacks has increased in recent years, the local private sector still faces challenges in implementing adequate cybersecurity measures included in the new cybersecurity law, particularly in terms of available human resources, awareness or incident response.

The Macau Cybersecurity Law came into force in late December 2019 to establish a more complete preventive cyber-risk-management framework for critical local infrastructure.

The new law demands that public and private critical infrastructure operators across various industries meet obligations aimed at protecting the information network and computer systems of critical infrastructure, and Deloitte has provided consultancy services in this field to both private and public operators to help them meet these obligations.

According to Eva Kwok, a Risk Advisory Partner at Deloitte, by “forcing” hundreds of companies to move their operations online, the Covid-19 pandemic has led to an increase in cyber attacks.

According to a cybersecurity research paper released by Check Point Software Technologies Ltd in July 2020, coronavirus-related attacks worldwide increased exponentially from under 5,000 per week in February to over 200,000 per week in late April.

Data compiled by Check Point

“These include spreading malware via malicious emails, fake invoices through phishing attacks, money frauds through fake websites, stealing personal data through SMS scams. Each enterprise is facing these attacks every single day,” Eva indicated to MNA.

The most common cyber attacks reported in the Asia Pacific region included:

  • Crypto mining – malware that hides on a computer or mobile device and uses the machine’s resources to “mine” forms of cryptocurrency
  • Mobile malware – malicious software that targets mobile phones
  • Botnets – a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge and then used for activities such as spam messaging

According to the cybersecurity expert, local private companies have been “very pro-active” in trying to understand the laws and regulations, with Deloitte assisting some in the assessment and improvement roadmap necessary to increase their cybersecurity defense capabilities and compliance status.

“Deloitte is also working closely with the local regulators, the Monetary Authority of Macau (AMCM) and Gaming Inspection and Co-ordination Bureau (DICJ). They are communicating with these companies and driving this assessment work,” Eva noted.

“Some of the companies are also revamping their infrastructure in terms of increasing network security and security monitoring capabilities through security events and incident management solutions.”

The new cybersecurity law has several compliance requirements, including appointing a competent officer and setting up a cybersecurity management unit; developing policies and procedures; monitoring, responding to and reporting on security incidents and breaches; and conducting and submitting a security assessment on an annual basis.

Local companies have also had to introduce cyber awareness training at both the management and operational levels while following the law’s guidelines on cyber incident response requirements.

According to Deloitte’s Macau Office Managing Director, Sidney Cheng, the consultancy group has also assisted the local main gaming operators as visitor numbers – prior to the pandemic – were expected to gradually increase.

“Generally speaking the level of cyber-attacks has increased in recent years […] With the diversification from gaming to non-gaming, companies have more leisure-focused tourist initiatives and they are attracting more people,” Sidney told MNA.

With the increase in mainland visitors more adept at using mobile payment platforms, and with local use of internet shopping and online payment tools, cybersecurity challenges have also increased.

“We are serving millions of tourists every year, mainly from Mainland China where they are a bit ahead in terms of digitalization […] Because of that the Macau government has been looking at the cybersecurity side,” the Macau Office Managing Director added.

However, many challenges persist and finding qualified cybersecurity experts to assist in these efforts remains one of them.

“There can be insufficient talent in terms of cyber expertise but this is a global challenge because cybersecurity was not a traditional career path but it has become more in demand,” Eva noted.

This led Deloitte to partner with Macau Young Entrepreneur Incubation Centre, a local government-run startup and entrepreneurship center, and with Chinese tech giant Alibaba to co-organise cybersecurity workshops and training to promote cybersecurity expertise and awareness in the region.

The company has also set up a Greater Bay Area Center in Shenzhen to provide resources and support to the region.

Other challenges facing the local private sector when ramping up cybersecurity capabilities are the sometimes overwhelming number of cybersecurity technical products or solutions available in the market, and a lack of fully established incident response protocols.

“This is also something new compared to traditional infrastructure security. Companies are actually putting more focus on planning and designing an incident response plan, laying out the roles and responsibilities, how to actually phase the escalation procedures when they are under attack,” Eva noted.