Businesses in some developing economies are more adept at taking precautions to protect their most valuable data from cyber-criminals than those in developed, Western economies.

According to Grant Thornton’s recent International Business Report (IBR) on cybersecurity entitled “Locking down the value of data”, a greater proportion of businesses in the ASEAN (66%) and Asia Pacific (60%) regions, assign risk profiles to their data compared to businesses in regions such as the US (54%), the UK (50%) and France (40%). South Africa (52%) also lags its Asian counterparts in this regard.

The Grant Thornton IBR provides insight into the views and expectations of more than 10 000 listed and privately held businesses per year across 37 economies. The data for this release are drawn from interviews with more than 2 600 chief executive officers, managing directors, chairmen or other senior executives from all industry sectors conducted in October to December 2016.

According to Michiel Jonker, director: IT advisory at Grant Thornton, assigning data risk profiles helps businesses to identify where the most valuable or vulnerable data sits.

“The practice of identifying different types of data and information is crucial in the battle against cyber-crime. Some data is undoubtedly more important and sensitive than others; for example data about patients’ health records,” says Jonker, with reference to the recent attack on the UK’s National Health Service.

Businesses in countries such as Australia (80%), Malaysia (70%), the Philippines (78%) and Thailand (78%) are more likely to assign risk profiles to their data and information. Once risk profiles have been assigned to data, businesses can employ specific measures to protect the most vulnerable parts of their systems appropriately.

“Most businesses in the world are recognising the need for cyber security, but while this awareness is positive, organisations’ cyber-crime strategies are still leaving them vulnerable to attack.”

Jonker says businesses should go beyond merely following a broad strategy against the threat of cyber-crime.

“A blanket approach is not good enough, and businesses often end up spending more money by employing sophisticated systems to protect data that is not overly sensitive, while sometimes neglecting the information that is crucial to a business’ survival and longevity.”

The IBR data has previously found that more than one in five (21%) of business globally had faced a cyber-attack over the year from Q3 2016 (data drawn in August and September 2016, citing the percentage of businesses that faced a cyber-attack). Businesses in the EU (32%), G7 (26%) and North America (24%) were more vulnerable than those in the Asia-Pacific (13%) and ASEAN (7%) regions.

According to Jonker, the threat of cyber-crime has increased significantly, due, in part, to the increasingly complex nature of organisations and cyberspace, and the ease with which software used to commit cyber-attacks, can be obtained.

“To date, businesses have based their controls on the assumption that they will be successful in their attempts to prevent cyber-crime, but we believe this approach needs to change to one where businesses should assume they will fail,” says Jonker.

This would bring about a greater focus on detective and corrective (such as backup) controls, enabling an organisation to have a swift recovery in the event of its systems being compromised.

“The nature of the recent attacks targeting several countries should serve as a lesson to all organisations – including those responsible for national infrastructures such as dams and energy sites – that knowledge of their systems and differentiating the information within it, are crucial to providing effective protection against cyber-attacks,” says Jonker.