China Money Network’s Special Situations Team brings you the latest installment in our “Industry Specialist” series, sitting down with Bill Sims, Managing Director for Cybersecurity, Investigations & Business Intelligence, Asia Pacific, at Stroz Friedberg, to discuss the current cybersecurity challenges facing Chinese companies and foreign investors in the country.
China is home to the world’s largest group of Internet users. However, the country is behind the curve in terms of cybersecurity. The number of cyber attacks on Chinese and Hong Kong companies soared 969% from 2014 to 2016, compared with a 3% drop globally during the same time period, according to a PwC survey.
Pirated software may be one reason for the reach of so-called ransomware attacks in China, according to researchers. Another reason may simply be complacency, suggests Mr. Sims, as fast-growing tech companies have been more focused on building their businesses than on protecting themselves against cyber threats.
Whatever the reasons, this raises troubling questions as China rapidly adopts financial technology for everything from buying groceries to insurance, and increasingly depends on drones and other AI-based transportation technology. Meanwhile, China’s recently passed cybersecurity law has received mixed reviews, especially from international companies, and seems to have raised more questions than it has answered.
Q: What major trends are you seeing in China’s cybersecurity market?
A: I think the major trend in China is similar to what is happening in the rest of Asia. The frequency and extent of cyber-attacks are increasing rapidly. Asian and Chinese firms have been behind the curve compared to US and European organizations, previously not believing they would be targeted. Over the past couple of years, we have seen a massive rise of Asian and Chinese organizations being hit, so that perception is now changing.
Q: What Chinese business sectors are most vulnerable, or need to do more to protect themselves?
A: Tech companies with lots of portals to their websites, especially peer-to-peer lending, or any tech companies with valuable intellectual property are prime targets of cyber attacks. China is now arguably the leading player in terms of cutting-edge technologies, innovation and IP, and the country has taken enormous strides in a cross section of industries from renewable energy to genomics. Not only do those organizations need to ensure that they are adequately protected, but foreign firms entering into relationships with those companies need to ensure that they have conducted their own cyber due diligence on the prospective partner.
Q: What should Chinese tech companies be doing to defend themselves, or at least reduce the damage done by cyber attacks?
A: Firstly, employee education is important. Over 90% of hacking is conducted through phishing and spear phishing. We have worked with a Chinese company with 20,000 employees, and we sent 20,000 emails to them with a link offering a chance to win an iPhone. 30% of the staff clicked on the link, which actually is quite a regular percentage. In a real-life scenario, if 30% of your 9000 staff were to click, that’s 3000 cases of malware potentially downloaded into your systems. But after phishing training and finishing the exercises, the number was reduced to 5%.
I also found that the problems were caused by the way companies backed up their data. In the old days, companies backed up their systems to separate drives, which built up over time, like a time-stamped library; these were known as cold backups. If a company was infected, once we identified the specific date the infection took place, at least we knew that any data backed up prior to that would be free of that attack. Nowadays, we find that companies use ‘hot backups’ where the data is backed up on a rolling basis, often to the cloud. It is far more challenging to solve the problem when the infection is automatically copied to the backup.
Q: Last December, Intel issued a report saying drone hacking may be the latest cyber threat. This is a big deal for companies like JD.com, that plan to do much of their business using drones. What do you think Chinese companies should do to defend against such attacks?
A: What they should do is the same as other innovative companies developing valuable IP. The most important thing, in my opinion, is for those companies to have the mindset of having cybersecurity as an essential part of their overall strategy, rather than considering it as just an expense they would rather not have.
My suggestion is to be proactive. Conduct penetration testing; not just of your systems, but also for weaknesses in your IP – you wouldn’t want hackers taking control of your drones the same way you wouldn’t want them in your company systems. At the same time, these companies should consider cyber insurance, through a reputable broker. This is a relatively new and still developing form of insurance, but those brokers working closely with a cybersecurity company can help mitigate a lot of cyber risks and help to solve problems as quickly as possible.
Q: China has passed a new cybersecurity law. But it has received mixed reviews, especially from international companies. Why is that?
A: Of course, with the new cybersecurity law, there is a great deal of opposition from overseas. The U.S. made some comments on the law quite recently. Earlier this week, there was news about Amazon Inc. selling part of its cloud business in China to Beijing Sinnet Technology Co., Ltd., and it seems that Amazon is trying to potentially avoid problems from the China cybersecurity law.
I could see overseas companies looking seriously at how they structure their operations and data control in China and whether they need to do something similar. But we are still in the very early stages, and the law is quite general and arguably open to interpretation. Overseas companies in China are watching closely how the law is actually enacted, so that they can become clearer on how the requirements are interpreted and what they will need to do to avoid problems.
Q: There are reports saying cyber security experts, or “cyber bodyguards”, hold one of the hottest jobs in China. What particular specialty expertise faces the greatest shortage?
A: The “cyber bodyguards” are in a booming industry, particularly for providing preventative measures. Firstly, there are the penetration testers, also known as ethical hackers or white hat hackers. They replicate what a real hacker would do; not stealing any data or doing anything bad, but they will scan systems for any gaps and weaknesses in the company’s defenses that may be exploitable during a cyber attack. They will then advise on remediation measures.
Another aspect of this is what we call cyber due diligence, and it is most often conducted from an M&A perspective. Companies frequently conduct integrity due diligence into the background and reputation of their prospective partners prior to an investment or joint venture, for instance. Increasingly, this goes hand-in-hand with cyber due diligence where the target’s systems are tested; those conducting the due diligence will also look for any evidence that security breaches have taken place – frequently scanning the dark web for evidence of a company’s data or credentials being offered for sale. In many cases, the target company doesn’t even know itself that it has been breached or has problems. Although the general reputation of the target company may be sound, imagine the potential liability for the acquiring company if it was subsequently found, after the transaction took place, that the target had suffered a potentially enterprise-destroying data breach!
Q: There’s a lot of discussion about the use of deep learning technology in digital forensics. In which aspects do you think that those technologies could improve the efficiency of digital forensics?
A: AI and deep learning are already entering the digital forensics and cyber security field, and this will no doubt accelerate exponentially as time goes on. The first areas are those where a great deal of human analysis has traditionally taken place, particularly electronic discovery and computer forensics. For example, in large litigation scenarios, you may have 20 young lawyers reviewing tens of thousands of documents for potential case relevance; these may have already been filtered through technology from hundreds of thousands or even millions of documents and emails. Increasingly, deep learning and AI will improve the reliability and speed of the automation process and reduce the need for large groups of people to have to review this data.