Cybercrime expert Foo Siang-tse is under no illusions as to the size of the challenge ahead for global businesses as the crypto-jackers, phishers and malware trojans refine their art and mount ever more brutal attacks to steal data, gain intelligence or paralyze entire networks.
“The threats are only moving in one direction,” Foo tells The CEO Magazine from the Singapore office of South-East Asia’s leading IT services provider NCS, where he heads up the Asia–Pacific cybersecurity division.
“They’re getting more sophisticated and more dangerous. The criminals are no different from what you see on The Godfather – they’re extremely well organized and very commercially driven.”
So driven, in fact, that cybercrime will be a US$10.5 trillion a year industry by 2025, according to Cybersecurity Ventures. That’s US$333,000 per second – triple its value in 2015 – and greater than the gross domestic products of Germany, Japan, India and the United Kingdom.
According to a survey by CyberEdge Group last year, 84.7 percent of organizations had been victims of a successful attack during the previous 12 months, despite spiralling IT security budgets.
Meanwhile, the number of extortion attempts emanating from the dark web doubled between 2022 and 2024, and the number of malware infections rose by a third. One worrying development is that nine in 10 of them are polymorphic, meaning they’re able to alter their own code to avoid detection.
To better understand the location of the perpetrators, an international group of academics launched the world’s first cybercrime index in April this year, ranking the countries most responsible for the threats. Russia was way out in front, followed by Ukraine, China, the United States, Nigeria, Romania and North Korea.
Co-author of the report Miranda Bruce sees it as a key first step in understanding why some regions become hotspots.
“There are existing theories, such as where there’s a technically skilled workforce with few employment opportunities [who] may turn to illicit activity to make ends meet,” Bruce said.
Despite the scale of the problem, business leaders are still underinvesting in protections from companies like NCS due to ignorance, overconfidence or reliance on outdated methods. A recent report by cybersecurity firm Sophos found that most small and medium-sized businesses have insufficient security and are therefore fuelling the rise in malware attacks.
“Unfortunately, when many organizations embark on their digitalization journey from pen and paper toward cloud computing, they underestimate the additional risks involved,” says Foo, a former senior policy advisor in the Singapore Home Affairs Ministry.
In the rush to introduce automation or machine learning, cyber defenses are often an afterthought, adds Foo. “So, when they get breached, it’s like ‘Oops, maybe we should have thought more about that’ and they’re scrambling to put out fires. They find out the hard way that integrating it upfront is a lot cheaper than dealing with a ransomware attack.
“We’ve had clients come to us after they’ve suffered a phishing attack through a lack of proper precautions, and it’s been a big eye-opener for the C-suite executives.”
He believes strongly that all large organizations need an in-house cybersecurity department to integrate safeguards into every stage of the digital journey and manage the approach to what constitutes an acceptable risk.
But, no matter how advanced the anti-cybercrime technology, one serious problem is likely to remain the same.
“Humans are still the weakest link. The biggest root cause of most cyberattacks is still an employee clicking on a nefarious link that a firewall has failed to spot. That’s why we always bring the entire organization on the cyber hygiene journey with us and give them the training they need to understand the protocols and password conventions that will keep them safe,” Foo says.
“The cost to a criminal gang of sending out millions of emails is very low so very few need to be successful to make it worthwhile. All you need are online tools and a bunch of smart kids.”
And soon, you may not even need the kids because generative AI has opened up a whole new front for the forces of destruction.
“It changes everything because stealing an identity is becoming much, much easier,” he warns. “A while back, it involved getting hold of a user ID and password, then there was facial recognition as an added line of defense. But, today, deepfakes are cloning physical appearances and voices so convincingly that we need even more in place to remain safe.
“For staff involved with highly confidential or sensitive data, hardware tokens are becoming widespread. They’re physical objects required to access secure online locations, so are harder to fake.”
In the next five years, however, cybercriminals may have yet another weapon in their arsenal in the shape of quantum computing. The vastly more powerful processing capabilities that the emerging technology is predicted to unleash could mean that safely encrypted data isn’t so safe anymore.
“When you watch a Mission Impossible movie, you might hear one of Tom Cruise’s team shout out that it’ll take them three hours or so to break a 10-digit code, but with quantum computing, it might take just three seconds,” Foo says.
“It’ll herald a new paradigm in cyberthreats so the industry needs to have a new generation of solutions ready in time.”
It could also bring dire consequences for companies that have already had data stolen and assumed they’d gotten away with it because the data was encrypted and therefore useless to the thieves.
“They might think that their highly complex encryption technology kept them safe, but what will happen when the criminal gets his hands on a supercharged computer that can unravel the codes and read all the data that was stolen years earlier?” he says.
It’s a daunting prospect, but Foo remains optimistic that those same quantum innovations will also bring benefits for the cybersecurity industry.
“I’m confident the good guys can stay ahead, but it’ll always be a challenge,” he says. “The key to keeping them at bay is simplicity.
“Think of it like a massive house that has hundreds of doors and windows. All it takes for your crown jewels to be stolen is for one of them to be left unlocked. As companies grow and embrace digitalization, they inevitably end up with more windows and doors that have to be checked every single day.”
However, a simple, unified approach to security together with comprehensive training can build sufficient resilience, and ensure no one accidentally leaves a side door unlocked.
That way, it’s no longer about being lucky. It’s about being prepared.