As Cambodia continues to embrace significant technological advances, it also leaves itself open to a new breed of threats that may require advanced professional skills and equipment to deal with. Such threats include “cyberattacks”, generally defined as the unauthorised access, use, manipulation, interruption or destruction of electronic information. Some of the most common cyberattacks affecting the Kingdom include phishing scams and ransomware infections.
Although potentially devastating for any company, cybersecurity threats are rarely at the top of the agenda of many corporations, particularly in Cambodia. “Company executives need to treat cybersecurity as a critical component of the running of their organisations,” says Ashish Fitkariwala, the country manager for Thakral Group (Cambodia). “Cybersecurity affects us all, in part because even attackers with only basic skills have the potential to cause real harm,” he adds.
Common cybersecurity threats
Herman Groeneveld, a freelance cybersecurity analyst based in Phnom Penh, notes that over the past few years an increase has been seen in “business email scams” (a type of phishing scam) targeting various Cambodian businesses. The schemers try to deceive staff into transferring money to them, and the criminals will go to great lengths to create fake company emails. Sometimes they use social engineering to assume the identity of the CEO, a company attorney or a trusted vendor.
“Ransomware infections are also on the rise,” says Groeneveld. “These consist of malware that uses encryption to make your files inaccessible.” Once the infection has taken hold and the files are rendered unusable, the hacker contacts the victim to demand a ransom in exchange for allowing access to the compromised files.
The use of pirated software poses another major threat, and one that companies often fail to pay attention to. “There is a lack of understanding of the need for genuine software use,” says Ashish. There are several risks associated with the use of counterfeit software. The first risk that you run is infecting your computer, as sometimes bootleg programmes are poorly disguised malware.
Secondly, users risk that the programme might not actually work. Most software companies have implemented a way of checking the registration – the programme might work for a while, but receive an update at some point in time which renders it unusable unless the user makes a purchase.
However, according to Groeneveld, none of these threats match the potential for mayhem of another hazard: “I think the biggest threat to companies operating in Cambodia is the lack of skilled cybersecurity personnel.” According to the Dutch freelance cybersecurity expert, many companies delegate cybersecurity to their IT departments, as cyberthreats are usually perceived as problems that can be solved through technology.
Groeneveld discourages companies from entrusting their cybersecurity solely to their IT departments, advising instead to adopt a more holistic approach, one that “relies on processes, technology and, most importantly, people.”
Protecting your company
Groeneveld and Ashish both note that cyberthreats are usually “opportunistic” in nature, and insist that companies need to be proactive when it comes to cybersecurity. Groeneveld recommends following best practices (such as installing updates) and raising security awareness among staff. Meanwhile, Ashish urges companies to identify the systems, assets and data that require protection and to put the necessary safeguards into place.
It is also important to prepare for a possible security breach. Groeneveld advises companies to ensure they have a working backup and other contingency measures in place. He also advises companies to know where to find cybersecurity expertise to help with complex issues.
Government and cybersecurity
The Cambodian Criminal Code already covers various cybercrime offenses. However, a cybersecurity law is currently in the draft stages, the goals of which are to combat digital crimes, intercept data and prevent fraud and pornography.
Besides the new Cambodian cybercrime law, many international companies already have to ensure a decent level of cybersecurity. They are often required to comply with specific EU and USA cybersecurity/privacy laws and regulations (such as the European Data Protection Directive or PCI-DSS). However, Groeneveld isn’t sure whether Cambodia has the know-how to tackle these issues in court: “Do Cambodian judges possess the cybersecurity knowledge they need to handle these types of cases?” he asks.
In addition to the upcoming law, Groeneveld believes the government should publish more information on their cybersecurity strategy. The more information the public has, the easier it would be for people to report cybercrimes and get investigations underway. Ashish, meanwhile, says the government should establish a Cyber Incident Response Center to monitor breaches, provide advice to victims, and coordinate the national response to any incident.
On a final note, Ashish tells us that a successful digital economy encompasses the following elements: a digitally aware and capable government; a digitally confident, innovative and skilled industry; and, finally, a digitally literate and empowered community.