Global digital business is the future – but at what cost?

A conversation with Dominic Wai, Partner, ONC Lawyers, Hong Kong & China, on the cyber security risks when doing online business across the Asia Pacific borders.

Q: No matter where we operate in the world today we are encouraged to broaden our business horizons and develop a global footprint with digital technologies if we want to remain competitive in the marketplace. The Asia Pacific region is of particular interest to Australia and its neighbours.

However, having an Asia Pacific presence and an ever-evolving digital business landscape, does this mean organisations will be faced with more complex cyber risks?

Unfortunately, I think that is correct. Digital business is done online but the internet was not created or designed with security in mind. Many of the systems and programs that have allowed digital transformation also have vulnerabilities and weaknesses that can be exploited, not just by professional hackers but even by people who are not tech-savvy. 

As organisations transact more and more business and payments through the internet and mobile devices and collect personal data from customers (which is a valuable commodity), syndicated and opportunistic criminals are always eyeing the chance to steal data and money. Strong cyber security is now a must for all businesses.

Q: Among many other security issues, you have advised companies in data leakage and assisted clients on urgent asset freezing injunctions and liaising with law enforcement agencies for fraudulent fund transfers due to business email scams and hacked email systems.

Can you explain how these types of cyber security threats present themselves in a business and the damage they can do?

For data leakage, it could be an outside threat – hacking, or an inside threat – rogue employees stealing customer data or IP rights to start their own company, loss of storage devices containing customer data or exposing customer data to the internet without proper protection or encryption.

As the leakage involves personal data leakage, if the Privacy Commissioner (PC) knew about that, an investigation would be conducted. If it is found that data protection principles are breached, the PC may issue an enforcement notice for the company to comply. If the company does not comply it would be a criminal offence. So the company may need to incur costs to instruct lawyers and IT forensic experts to deal with such incidents. The company may also face claims from affected customers whose personal data was leaked, and there may be reputational damage given that the media likes to report privacy infringement cases.

For business email scam cases, the usual modus operandi is that the fraudster will use an email that has been spoofed to look like an email from the CEO or CFO (or anyone with authority in the company to authorise fund transfer), or a business partner of the company. It would ask the company employee to wire transfer funds to a new bank account because of a change in operations, or there is a secret deal that needs funding. A lot of such transfers go to bank accounts in China and Hong Kong.

The damage to the company would be the loss of funds, and there have been cases where it has been millions of dollars.

The other damage is that the actual business partner might not have been paid under the contract, and so apart from losing the money that has been scammed, the company would still need to pay the business partner under the contract as the funds have not gone to the right party.

Q: What are some of the most serious breaches of security you have seen and how did this affect the organisation?

Some companies have been affected by what is known as ransomware – malicious software that would attack a system and encrypt the data. It would only be decrypted if the victim pays a ransom such as bitcoin (cryptocurrencies). The company’s business operation could come to a complete halt because no data could be accessed for business operations.

Another type of serious breach involves business disruptions such as a Distributed Denial of Service (DDoS) attack where a company’s online systems are disabled due to a flood of incoming data messages. Again, this could cause long hours of computer outage, loss of business and revenues.

Other cases involve a huge volume of customer data being stolen by hackers that led to the loss of trust in customers who discontinue any further business with the company.

Q: What cyber security threats can businesses expect in the future?

Businesses could expect data theft and leakage threats as data (personal data or other data) continues to be valuable. As businesses use more internet-connected devices (Internet of Things or IoT), there could be unexpected threats from devices that businesses have not thought of before, such as cars and vehicles.

Q: Are cyber risks a threat no matter how big or small the business, what industry or sector it is in, or whether the internet only plays a small role in their operations?

It does not matter because the threat could be from the outside or inside. If the threat is from inside, even if the operations are not internet-based, there would still be risks. Even small companies have valuable data, such as personal or credit card data, so security awareness is key for all businesses.

Q: What cyber security best practices should businesses implement to help protect their data, assets, and network?

Cyber security involves everyone in the company, and it’s not just for the IT people who should deal with cyber resilience. Accordingly, from C-suite to messengers, everyone would need to be trained and knowledgeable about the cyber security policy and process of the company. The IT people would deal with the technical side of things such as regular patching of computer programs and making sure that firewall and antivirus programs are up to date.

Companies should also consider doing a cyber audit to see what their valuable ‘crown jewels’ are – what their most important and valuable data is and where it is located. It may also be worth considering buying cyber insurance to have compensation if there was a cyber attack that caused loss to the company and costs to deal with the incident.

Q: Should information security form an integral part of a business strategy?

Definitely, given that businesses today rely on emails and the internet, and people can be the ‘weakest link’ – there will always be people who do not follow policies or may have forgotten about them.

Q: What is intelligence sharing and how important is it?

A lot of cyber incidents happen under the radar because, in many places, there is no requirement for mandatory notification. But if companies know about an attack or its modus operandi, they may be able to prevent it from happening. Hence, it is important that if intelligence about cyber attacks and risks could be shared, then it would be easier for companies and businesses to stay on top of such attacks by taking preventive or remedial measures.

Q: Is there an international policy, or technology underway to protect business from cyber threats?

I am not aware of any international policy or technology. Some software companies have advocated that there should be some international arrangement or treaties like the United Nations. This would help nations and businesses counter these threats, given that some countries might not have the resources or technological capabilities to fend off cyber attacks. Currently, the main protections are based on national and local law.
