Companies in Singapore and Malaysia pay ransoms due to cyber resilience and data recovery shortfalls

Cohesity research shows most companies unable to recover their data and restore business processes within three days.

Research commissioned by Cohesity shows increasingly sophisticated and voluminous cyberattacks are forcing most companies in Singapore and Malaysia to pay ransoms because they can’t recover their data and restore business processes.

The research, which polled 504 IT and Security decision-makers in Singapore (SG) and Malaysia (MY), shows that companies firmly operate in a ‘when’ not ‘if’ reality of cyberattacks, with the majority of respondents’ organisations falling victim to a ransomware attack in the last six months.

Almost all say the threat of cyberattacks to their industry has or will increase in 2024 and most have paid a ransom in the past 12 months. 

Alarmingly, 7 in 10 (70%) respondents said their company had been the ‘victim of a ransomware attack’ in 2024, with close to 2 in 3 (65%) Singaporean respondents and over 3 in 4 (77%) Malaysian respondents saying their organisation had been victims.

According to respondents, the cyber threat landscape is expected to get even worse in 2024, with more than 9 in 10 (SG: 91%, MY: 97%) respondents saying the threat of cyberattacks to their industry will increase or had increased this year – and almost 1 in 2 (47%) said it had or will increase by over 50%.

Respondents also revealed keeping their organisations’ cyber resilience and data security strategies up to speed with the current threat landscape is challenging, with 2 in 5 (41%) respondents saying they do not have complete confidence in their company’s cyber resilience strategy and its ability to ‘address today’s escalating cyber challenges and threats’. 

Further demonstrating the arduous cyber threat landscape and need for cyber resilience, over 9 in 10 (SG: 92%, MY: 95%) said their company had stress-tested their ‘data security, data management, and data recovery processes or solutions’ in the past year, with 3 in 5 (SG: 56%, MY: 67%) testing their processes or solutions in the last six months. 

According to respondents: 

  • Only 3% of respondents said they could recover data & restore business processes within 24 hours
      • Singapore: 5% | Malaysia: 1%
  • 24% said their company could recover data and restore business processes within 1-3 days
      • Singapore: 26% | Malaysia: 20%
  • 34% said they could recover and restore in 4 to 6 days, while 25% need 1-2 weeks
      • 4-6 Days – Singapore: 31% | Malaysia: 38%
      • 1-2 Weeks – Singapore: 24% | Malaysia: 28%
  • Alarmingly, almost 1 in 7 (13%) need over three weeks to recover data and restore business processes
      • Singapore: 13% | Malaysia: 11%

Conversely, when asked what their organisation’s ‘targeted optimum recovery time objectives (RTO) to minimise business impact in the event of a cyberattack or incident of compromise’ was, 97% of respondents said their targeted optimum recovery time was within a day despite only 3% saying they could recover data and restore business processes within this same period. 

Interestingly, over 1 in 3 (34%) said their targeted optimum RTO was within an hour (SG: 33%, MY: 36%).  

Yet, in what may be alarming for organisations’ customers and external constituents who expect consistent and constant continuity of operations or services, just 4% (SG: 5%, MY: 1%) said their organisations’ tolerance to disruption of business continuity and downtime due to a cyberattack or data breach was within 24 hours.  

In fact, 34% said their tolerance was 1-3 days, 53% said 4-6 days and 8% said more than a week. 

As a result, over 82% (SG: 80%, MY: 85%) of respondents said their company would pay a ransom to recover data and restore business processes, while 11% said ‘maybe, depending on the ransom amount.’

Close to 3 in 5 (59%) Singaporean respondents and almost 3 in 4 (74%) Malaysian respondents said their company would be willing to pay over US$1 million to recover data and restore business processes – with 16% and 22% respectively saying their company would be willing to pay over US$5 million. 

Moreover, the importance of being able to respond and recover is underscored by 69% (SG: 64%, MY: 76%) of respondents revealing their organisation had paid a ransom in the last year, despite close to 3 in 4 (74%) respondents saying their company had a ‘do not pay’ policy.  

Of the 64% of Singaporean respondents who had paid a ransom in the last year, 36% paid US$500,000 or more in ransom payments, while 47% have paid a ransom(s) between US$100,000 – US$499,999. Comparatively, of the 76% of Malaysian respondents who had paid a ransom in the last year, 27% paid US$500,000 or more in ransom payments, while 54% have paid a ransom(s) between US$100,000 – US$499,999. 

“The unfortunate reality for organisations is that destructive cyberattacks, like ransomware or wiper attacks, are a largest threat to their business continuity. However, organisations can face this reality head-on by enhancing their cyber resilience – the ability to rapidly respond and recover from cyberattacks or traditional business continuity scenarios – by adopting modern data security, response, and recovery capabilities,” said James Blake, Global Cyber Resilience Strategist, Cohesity.  

“It’s not earth-shattering that organisations are being hit with cyberattacks. But what is of major concern is that 69% of respondents said their organisation had paid a ransom, with many breaking their ‘do not pay’ policies, because they either can’t recover their data and restore business processes or overestimate their cyber resilience capabilities.” 

Over 2 in 5 (42%) respondents said their centralised visibility of critical data between IT & Security could be improved (SG: 46%, MY: 35%).  

When asked about their data access control measures to align with zero trust security principles, 2 in 3 companies or less said they have deployed multi-factor authentication, separation of duty controls, or role-based access controls: 

  • Multi-factor Authentication (MFA): 66% 
  • Quorum Controls or Administrative Rules requiring multiple approvals: 57% 
  • Role Based Access Control (RBAC): 55%

“The first step in achieving cyber resilience is managing and securing access to the business-critical data that must be recovered from to restore business processes, when suffering a cyberattack. The fact that just over 2 in 3 have one of the three most important data access controls deployed, demonstrates the significant risk that Singaporean & Malaysian companies have in being able to recover as fast as possible,” said Sathish Murthy, Director of Systems Engineering, Cohesity ASEAN & India. 

Despite governments and public institutions going to great lengths to encourage more robust cybersecurity, data protection, and data privacy, only 56% (SG: 47%, MY: 69%) of respondents said they had all the IT & Security technology capabilities to identify sensitive data and comply with applicable data privacy laws and regulations.  

Respondents also revealed that the benefit of advanced threat detection, data isolation, and data classification stretches beyond capabilities – with 88% saying these are vital for cyber insurance qualification or securing discounts on policies. When asked ‘What, if any, industries and/or sectors do you think are most impacted by cyberattacks?’, respondents selected these industries and sectors as the ‘Top 7’: 

Singapore: 

  1. IT & Technology – 57%
  2. Financial Services (including insurance companies) – 36%
  3. Telecommunications & Media (including streaming services) – 36%
  4. Banking & Wealth Management – 35%
  5. Government & Public Services – 32%
  6. Hospitals & Healthcare – 28%
  7. Utilities (including Water, Electricity, Gas, and other energy services companies) – 27%

Malaysia:

  1. IT & Technology – 68%
  2. Banking & Wealth Management – 37%
  3. Financial Services (including insurance companies) – 34%
  4. Telecommunications & Media (including streaming services) – 28%
  5. Utilities (including Water, Electricity, Gas, and other energy services companies) – 26%
  6. Government & Public Services – 25%
  7. Real Estate & Property Development (residential & commercial) – 24%

“This reality should keep business leaders, not just IT and Security leaders, awake at night. Regulation and legislation should not be the ‘ceiling’ but instead a high ‘floor’ in developing cyber resilience and adopting data security best practices or capabilities,” said Blake. 

The wide reach of AI extends to the cyber threat landscape, with 4 in 5 respondents (SG: 76%, MY: 85%) saying their organisation had responded to what they believe to be AI-based cyberattacks or cyber threats in the past 12 months.  

Despite being challenged by these attacks and threats that leverage AI, 89% (SG: 90%, MY: 88%) said they had the ‘necessary AI powered solutions to counter and respond to these attacks’. Of the 20% who said they had not responded to AI based cyberattacks or cyber threats in the past 12 months, over half (55%) said they have the ‘necessary AI powered solutions to counter and respond to these attacks’, close to 3 in 10 said they do not, and close to 1 in 6 (16%) said they were unsure. 
