Southeast Asia is hugely at risk of cyberattacks. It's not investing nearly enough in security, report says

  • The Association of Southeast Asian Nations need to significantly increase their spending on cybersecurity to protect the bloc's growing digital economy
  • A report from A.T. Kearney said the 10-member bloc needs to spend about $171 billion collectively on cybersecurity between 2017 and 2025
  • Not doing so can potentially cost the top 1,000 companies in ASEAN about $750 billion in market capitalization, the report noted

Member countries of the Association of Southeast Asian Nations need to significantly step up their spending on cybersecurity to tackle digital threats, according to a new report.

Not doing so can potentially cost the top 1,000 companies in the region about $750 billion in market capitalization, and derail digital innovation. Those were some of the findings presented in a report from global consulting firm A.T. Kearney on Tuesday.

Cyber-attacks tend to be very expensive for companies — not only do they have to spend money to fix the problem, but the fallout from such an event is usually long lasting and in many cases can involve lawsuits and regulatory fines.

"When you have a data breach, there's a significant loss of trust," Naveen Menon, president for Southeast Asia at Cisco, told CNBC's "Squawk Box" on Tuesday. "This loss of trust results in a direct implication on market capitalization." Menon explained that, on average, companies lose between 10 and 35 percent of their market cap.

In recent years, Southeast Asia has become a hotbed for digital growth and innovation, largely due to better internet connectivity and smartphone adoption. Last year, a study predicted the region's internet economy would reach $200 billion by 2025.

As more people connect to the internet, cybersecurity threats are also on the rise, according to various industry players. Those threats are becoming more complex in nature, requiring greater efforts from various stakeholders to tackle them.

"All of a sudden, you're starting to see economies going online and not enough spending being put in order to protect (them)," Menon said. "ASEAN, particularly, is under-spending relative to other countries worldwide."

In tandem with that user growth, the report said countries like Malaysia, Indonesia and Vietnam have become"global hotspots" for suspicious web activities. That, the reported suggested, meant hackers were using vulnerable, unsecure infrastructure in those countries to launch cyberattacks.

The report said that in 2017, countries on average were estimated to have spent 0.13 percent of their GDP on cybersecurity. On the other hand, ASEAN as a bloc only spent 0.06 percent, or $1.9 billion, collectively. The report noted that Singapore was the only country in the region that spent more than the global average.

To remedy the situation, the report recommended that ASEAN needed to increase spending on cybersecurity between 0.35 percent and 0.61 percent of its collective GDP — or about $171 billion — between 2017 and 2025.

"At a minimum, ASEAN should come close to the global average," Nikolai Dobberstein, head of communications, media and technology for Asia Pacific at A.T. Kearney, told CNBC.

That said, awareness of the cybersecurity challenges in the region is high, according to Yuh Woei Tan, a senior director at cybersecurity company FireEye. Tan explained that the absence of strong data breach notification laws in many ASEAN countries could explain why they tend to under-invest in cybersecurity.

"Elsewhere, this has spurred many firms to take action, generated greater awareness about the threats in the public's mind, and this is taking hold in ASEAN as well," Tan told CNBC.

At the same time, it's more important to observe where ASEAN governments are investing in cybersecurity, according to Dhanya Thakkar, managing director and vice president for Asia Pacific at cybersecurity company Trend Micro.

"Are they solving the right problems? Are they investing in the right technology? Are they forming the right partnerships? Thakkar told CNBC. "These are the more important questions to ask."

The A.T. Kearney report recommended that ASEAN member states work together more closely to establish a regional framework around cybersecurity, share threat intelligence and address the talent shortage in the industry. Member states also need to fund more research and development into cybersecurity, the report said.

There are already initiatives underway to foster greater collaboration in the region. In 2016, Singapore launched a program aimed to provide more cybersecurity resources to other member states. Last November, ASEAN also said it would work together to combat cybercrime.