Board-level executives assume they’ll never be attacked, despite rising ransomware incidents, according to a new Sophos survey.

Sophos’ third edition of The Future of Cybersecurity in Asia Pacific and Japan, developed in collaboration with Tech Research Asia (TRA), has revealed a lack of boardroom awareness of cybersecurity and a broad assumption among executives that their company will never be attacked, despite the rising frequency, impact and cost of ransomware incidents.

Drawn from a survey of 900 IT and cybersecurity decision makers in Australia, India, Japan, Malaysia, the Philippines and Singapore, the research revealed key findings such as:

  • On average, cybersecurity spending represents 11% of 2022 technology budgets, an increase from previous years
  • Cybersecurity maturity levels continue to rise, yet organizations continue to struggle with the same issues year on year
  • The cybersecurity skills shortage is here to stay, with 73% of companies expecting difficulty recruiting cybersecurity employees in the coming two years

Cybersecurity professionals’ top frustrations

The survey also highlighted that cybersecurity professionals face a variety of challenges and frustrations in their roles, most of which are related to awareness, perception, messaging, and education.

“Cybersecurity professionals continue to face many frustrations in their roles this year, with many feeling their warnings and messages fall on deaf ears,” said Bugal. “Apart from lacking skilled security specialists, many of the other frustrations are directly addressable through education and awareness programs, starting at the executive and board level. The challenge for cybersecurity professionals faced with low levels of security understanding among company boards is that many are unlikely to invest in the necessary programs to alleviate these frustrations.”

He added: “The issue isn’t technology, it’s education. Increasing spend on cybersecurity won’t help unless organizations understand from the top down the true nature and critical threat that cyberattacks constitute to their organizational capabilities, their customers, and their own existence.”

5-step approach to cybersecurity education

With cybersecurity education as the focus, the following five-step approach is intended to help bring organizations up to speed:

  1. Boards need help to understand it’s impossible to protect everything, and learn to prioritise the most critical information, data and systems to protect
  2. Education courses on basic principles, genuine likelihood of an attack, attack vectors, threat actors, and other terminology should be available to all staff
  3. Once basics are clearly defined, organizations need to develop strategy and integrate with digital transformation programs
  4. The focus then becomes more operational in nature: applying legislation, breach response protocol, ransom payment policy, gap assessments, and future roles and obligations
  5. Businesses need to clearly understand compliance, the regulatory environment under which the business operates, what’s legally required when breached and what are the appropriate controls around data security and management