By Muhammad Azhaqraa Sagir
8 December 2023
The Jakarta Post - Globally, major data breaches are not just increasing in number and scale, but are also becoming more costly.
According to the PwC “2024 Global Digital Trust Insights” report, a data breach incident costs an average of Rp 15 billion for companies in the following sectors: health care; tech media and telecom; financial services; energy, utilities and resources; industry and auto; and retail and consumer, ranked from most to least costly.
Published in October 2023, the report is based on a survey of over 3,876 businesses and tech executives from the largest companies across the globe.
The report also highlighted the rising cost of data breaches, with the percentage of companies reporting costs of US$1 million or more for their worst breach in the past three years increasing from 27 percent in 2023 to 36 percent.
What does this mean for Indonesian companies, particularly with the implementation of the 2022 Indonesian Personal Data Protection (PDP) Law next year?
The Jakarta Post sat down with PwC Indonesia’s chief digital and technology officer, Subianto, to discuss the PwC report findings, exploring how they can provide deeper insights into how companies in Indonesia are facing the growing cybersecurity threat.
Most vulnerable sectors
Subianto said the PwC report’s findings indicated which sectors in Indonesia could be most vulnerable to costly data breaches.
Some 47 percent of breaches were reported in the healthcare sector, with an average cost of $5.3 million (equal to Rp 80 billion). This was followed by 43 percent of breaches occurring in the tech media and telecom sector, where each breach averaged Rp 75 billion. Some 38 percent of breaches occurred in the financial services sector, where the average cost of a breach amounted to Rp 78 billion.
“Health care in Indonesia has to be addressed more carefully given the sensitivity of medical information, which is very personal. It is not always banking or financial services that are attractive for hackers to breach. Over the past nine to 10 months, we have been seeing an increase in attacks in the manufacturing sector in Indonesia,” Subianto explained.
Human aspect
He added that the environment in Indonesia is quite unique, as the human aspect, or social engineering, is commonly exploited by hackers for malicious purposes.
“Fake wedding invitations, random Android Application Package [APK] files being sent through messaging apps, these are often seen here, and industry players know this too,” he said.
“This is why we can tangibly see an increase in the educational material to inform users to be wary and preemptively recognize these threats, especially from banks.”
These threats have prompted a number of Indonesian companies to invest in cybersecurity, given the risk and potential losses businesses can suffer due to a massive data breach.
“We are seeing an increase in awareness regarding the gravity of cybersecurity attacks. We can see this in the financial sector for example, where more and more banks are providing education through multiple channels, including social media and emails, to help people be more careful regarding online information, never sharing One Time Passwords [OTP] and such,” Subianto said.
Regulators' response
At the same time, Subianto noted that regulators are increasingly regulating cybersecurity in response to the growing threat. For example, the Financial Services Authority (OJK) has imposed more stringent requirements with the release of Circular Letter No. 29/2022 regarding cybersecurity and resilience for commercial banks.
“Now banks are actually subject to annual cybersecurity assessments and need to enforce effective cybersecurity risk management including incident management. This regulation will help the Indonesian banking industry to improve overall cybersecurity maturity,” he added.
Once the PDP Law’s two-year grace period ends in October 2024, the government will be able to start imposing sanctions on organizations that fail to protect the personal data under their control.
“Under the new law, companies can face administrative sanctions for failing to protect the personal data of their users in the case of a data breach, for example. And this fine can cost up to 2 percent of a company’s revenue. Abuse of personal data from said breaches can lead to fines on individuals and companies of up to Rp 6 billion and Rp 60 billion, respectively,” he added.
This is generally in line with data protection developments across the world, Subianto said, as the Indonesian PDP law closely resembles the EU General Data Protection Regulation, which is considered the gold standard in data protection regulations.
Investing in cybersecurity
Across various industries, there is an increase in awareness about the importance of cybersecurity and a growing demand for cybersecurity technologies to detect threats early and protect the companies’ operations.
PwC’s “2024 Global Digital Trust Insights” report found that cybersecurity is a rising priority within the operations of the world’s largest corporations. Cyber investments are also accounting for a bigger share of the budget for information technology (IT), operational technology (OT) and automation. The average annual growth rate will rise to 14 percent in 2024 from 11 percent in 2023.
The advent of ground-breaking new technology, generative artificial intelligence, also brings new threats as well as new defense tools for companies in the coming year.
Subianto emphasized, however, that cybersecurity investment does not necessarily mean acquiring more technology. Instead, investing in cybersecurity encompasses people, processes and technology. While cybersecurity investment in Indonesia is increasing across the board, he said it was the mix of technology and people upskilling that was important.
Preemptive measures are also crucial in dealing with cybersecurity threats, he said, especially after the introduction of the 2022 PDP Law, which makes companies responsible for protecting the personal data they collect.
“Even though the PDP Law encompasses personal data protection and the entire data lifecycle, I think this law will increase awareness of and compliance with cybersecurity measures. This, in turn, will enhance how future cybersecurity risks in Indonesia will be addressed,” he concluded.