A Tenable study revealed alarming cybersecurity vulnerabilities within Southeast Asia’s banking, financial services, and insurance (BFSI) sector. The research identified over 26,500 internet-facing assets across the region’s top organisations, indicating significant exposure to potential cyberattacks.
The study examined the external attack surfaces of more than 90 BFSI companies, focusing on those with the largest market capitalisations in Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam. Findings showed that the average institution has nearly 300 vulnerable assets, highlighting the pressing need for enhanced cybersecurity measures. Singapore topped the list with over 11,000 exposed assets, while Thailand followed with more than 5,000.
The study uncovered several critical cyber hygiene issues, including outdated software, weak encryption, and misconfigurations. One notable concern was the presence of nearly 2,500 assets still supporting TLS 1.0, a version of the protocol now considered obsolete. This underscores the challenges these organisations face in identifying and updating outdated technologies.
Additionally, more than 4,000 assets meant for internal use were inadvertently exposed to the internet, increasing the risk of unauthorised access. The lack of encryption on over 900 URLs further exacerbated security weaknesses, making sensitive data vulnerable to interception.
The research also highlighted risks associated with Application Programming Interfaces (APIs), with over 2,000 APIs identified as vulnerable. Inadequate authentication and insufficient access controls within these APIs can create significant security gaps, allowing malicious actors to exploit weaknesses.
Nigel Ng, senior vice president at Tenable APJ, emphasised the urgency of addressing these vulnerabilities. He stated that effective exposure management is crucial for safeguarding digital assets and maintaining customer trust. As the cybersecurity landscape rapidly evolves, financial institutions must prioritise identifying and securing their exposed assets to mitigate the risks posed by increasing cyber threats.
- Editor's note: The report is not publicly available.