How international businesses in Asia can respond to the rising threat of cybercrime
The rapid growth of Asia’s digital economy is exposing businesses to a greater threat from cyberattacks and online scams. A coordinated response could help to mitigate the risks.
Digital transformation and the proliferation of cloud computing and connected devices are driving enduring gains in productivity and growth. But these shifts have also resulted in a significant increase in vulnerability to cybercrime by creating more devices and systems that are possible entry points for unauthorised access to an organisation’s network. Even a Wi-Fi enabled coffee maker can be hacked to gain access to the network to which it is connected.¹
The Computer Crime Research Centre predicts that the annual cost of cybercrime will reach USD12 trillion globally by next year² – a four-fold increase from the USD3 trillion estimate for 2015 and more than the annual economic damage caused by natural disasters³. Losses can stem from the direct theft of money, data and intellectual property, service disruption and lost productivity, reputational damage and loss of customer trust, and the need to repair and restore compromised systems.
In Asia Pacific – home to more than half the world’s internet users⁴ – these threats to business growth are proliferating with the spread of digital transactions and connectivity. According to the IBM X-Force Threat Intelligence Index, Asia Pacific accounted for 23% of global cyber-attacks in 2023 and 31% in 2022.⁵
Moreover, the attacks are becoming more sophisticated, with artificial intelligence increasing the potential threat. This technology can be used to automate attacks, launch them on a much larger scale, and generate deepfakes that can get around voice and face authentication.⁶
Attack vectors
Cybercriminals use a range of methods to gain access to victims’ networks or infrastructures – known as attack vectors. In addition to installing security software, one of the ways businesses could protect themselves is by raising awareness of the risks and educating employees to prevent them from becoming unsuspecting victims.
Sophisticated criminals can passively monitor a victim’s systems for vulnerabilities that can be used to gain access to data and other sensitive information, ranging from compromised and weak user IDs and passwords, to software applications with known vulnerabilities that have yet to be addressed through updates or patches.
Criminals also use social engineering – which exploits human emotions, such as our inclination to help others – to trick people into giving away sensitive information through a tactic known as phishing. Often, scammers do this by baiting users with false promises of prizes or tempting offers, or by playing on a victim’s emotions by fabricating an urgent request for help from a colleague or relative.⁷ Phishing accounted for 36% of cyber incidents globally in 2023, according to IBM X-Force.⁸
Social engineering attacks are especially troubling for companies because, regardless of the strength of an organisation’s security stack and policies, users can still be fooled into granting access to a malicious actor. They can also be used to trick victims into installing malware on a system. This makes training employees about cybersecurity risks integral to companies’ efforts to counter digital criminals.
Threats can also come from insiders – employees, contractors, or business partners – who intentionally or accidentally misuse their legitimate access.
Acknowledging the problem
One of the first steps for companies in addressing cybercrime risks is to acknowledge the need to invest time and resources in doing so. Businesses spend around USD150 billion a year to protect themselves from cyberattacks but should be spending closer to USD1.5 trillion to USD2 trillion to cover all their vulnerabilities, according to consultancy McKinsey.¹⁰
In Asia Pacific, technology market intelligence provider IDC expects spending on security hardware, services, and software to reach USD36 billion in 2024 and USD52 billion in 2027 – growing at a compound annual rate of 12.8%.¹¹ This is against a backdrop of a big increase in the number of large-scale breaches in the region, with over a third of Asia Pacific organisations having experienced data hacks costing between USD1 million and USD20 million over the last three years, according to consultancy PwC.¹²
The rising threat level has triggered a response. PwC’s survey of Asia Pacific business and tech executives found that 84% of respondents reported plans to increase their cybersecurity budgets in 2024.¹³ And 95% of organisations said they are bringing reporting on cyber risk exposure and mitigation measures to their boards.¹⁴
Mitigation measures
So, what can international businesses in Asia Pacific do to protect themselves? Here are some tips from our experience working with leading businesses in the region:
- Enhance operational safeguards. Ensure all staff are aware of the various threats and on watch for increasingly sophisticated scams. Other measures businesses can take include routinely backing up their data and reviewing policies that allow employees to use their own laptops or mobile devices for work and to access the company network.¹⁵ Additional information and resources are available on HSBCnet.
- Take a layered approach. Rather than relying on a single piece of software, running advanced threat detection and response systems in parallel could help mitigate the fallout from phishing, ransomware, and wiper attacks.¹⁶
- Understand the risks. Enterprise-wide risk assessments can help to identify weaknesses. Businesses should pay particular attention to monitoring and controlling access and ensure they consistently enforce security policies and controls. Businesses could also step up surveillance, require authorisation from more than one user for critical data functions, and implement enhanced physical security measures at their premises.¹⁷
- Keep up with regulation. Businesses operating in Asia Pacific need to be particularly aware of the differences in data protection and cybersecurity laws across the region and keep track of changes,¹⁸ updating their legal agreements and privacy policies accordingly. In some cases, companies may also be required to store sensitive consumer data physically within a country’s borders, or separate regulations may apply to cloud storage in cross-border public or private clouds.¹⁹
- Consider payment cards for procurement to add an extra layer of protection. HSBC’s Commercial Cards programme²⁰ channels payments through the bank’s risk control systems, provides insurance against fraud, and allows for charge-back procedures in case of disputes.
- Take advantage of ISO 20022 payments standards. Upgraded messaging infrastructure could allow corporate finance and treasury teams to use richer and structured data to accelerate reconciliation of payments and spot erroneous or fraudulent instructions. HSBC has successfully enabled its global network to handle the new payment standard, helping to facilitate the seamless migration of payments systems²¹ in the US and Hong Kong in April 2024.
Containing the cyber threat increasingly requires companies to take a top-down approach to ensure the right policies and safeguards are in place. They could further shore up their defences by working with their financial services providers and independent cybersecurity experts to identify and address vulnerabilities and mitigate risks. Cybercrime is a serious threat to international businesses across Asia Pacific – and collaboration will be critical to a successful response.