Cybercrime has been rising rapidly in Asia Pacific. What are the biggest threats looming ahead, and what should board members and CISOs do to strengthen their cybersecurity posture?

From state-aligned attacks in the South China Sea to recent headline-grabbing data breaches in the region that leaked both customer and employee data, organizations undoubtedly need to strengthen their cybersecurity posture.

However, Proofpoint’s new report found this difficult – since board members and CISOs do not seem to see eye to eye.

As a result, although themajority of CISOs in APAC think they have invested adequately in cybersecurity, yet these efforts appear insufficient as many of them still believe their organizations are unprepared to cope with a cyber-attack in 2023.

CybersecAsia discussed some of the findings of the report with Ryan Kalember, EVP, Cybersecurity Strategy, Proofpoint:

What are the biggest threats on the horizon for the APAC region?

Ryan Kalember (RK): In Asia, phishing seems to currently be the biggest threat, and that is unlikely to change anytime soon.

According to the Singapore Police Force’s mid-year crime statistics, phishing scams recorded the second highest number of reported cases among all scam types in the first half of 2022, with over 2,301 cases reported and $7.8 million lost.

Proofpoint’s 2022 State of the Phish report found that the occurrence and frequency of cyberattacks are also not consistent across the Asia Pacific landscape – with cyber-attacks in Australia and Japan seeing big differences:

  • 80% of organizations in Australia experienced high incidents of ransomware compared to the global average of 68%, whereas Japan saw lower-than-average effects for most threats
  • Additionally, 92% of Australian organizations dealt with cyber-attacks (highest of any region surveyed), while only 66% of Japanese organizations experienced successful phishing attacks (lowest of any region surveyed)
  • Phishing is also dangerous because compromised credentials could lead to a rise in supply chain attacks, which happens when one compromised organization reaches out to another and uses phishing attacks against them. This trend then continues until all organizations, vendors, partners, and customers are affected

Insider threats are another risk organizations also need to be prepared against. Though most organizations have decided to go hybrid (working from home some days and in the office some days), many have not updated their cybersecurity policies to change how and who can access sensitive information, especially as employees are working from home and effectively – anywhere.

These insider threats could either be malicious (when an employee knowingly steals data before leaving their job), negligent (when employees don’t know that they have leaked data), and compromised (when an employee unwittingly gives bad actors access to their account).

Failure to update these policies would lead to a loss of sensitive and critical data, resulting in financial losses and credential compromise.

Why is there a divide between board members and CISOs? How can they bridge the divide to ensure they are investing to protect their organizations the right way, and what are some ways CISOs can effectively help boards understand the evolving cyber risks? 

RK: According to both the 2022 Voice of the CISO report and recently released Cybersecurity: The 2022 Board Perspective report,  a divide between chief information security officers (CISOs) and board members exists because they do not see eye to eye on what the most concerning cybersecurity threats are.

Only Australian boards and CISOs are aligned on email fraud / business email compromise (BEC) being the most important.

CISOs and boards are also disconnected when it comes to the consequences of a cyber incident. Globally, internal data becoming public is at the top of the list of concerns for boards (37%), followed closely by reputational damage (34%) and revenue loss (33%).

Ryan Kalember, EVP, Cybersecurity Strategy, Proofpoint

These concerns are in sharp contrast with those of CISOs, who are more worried about significant downtime, disruption of operations, and impact on business valuations.

In APAC, impact on business valuations is at the top of the list of concerns for Japanese boards (40%), and reputational damage is at the top of the list of concerns for boards in Singapore (40%).

In contrast, disruption to operations is a top concern for Japanese CISOs while significant downtime is the top concern to CISOs in Singapore (36%).

Having said that, both board members and CISOs can help close this gap.

Boards must take steps to keep cybersecurity on the agenda, and also take CISOs’ recommendations in terms of where to invest in strengthening their cybersecurity posture.

On the other hand, CISOs must deliver concerns and recommendations in a business-first-manner. For example, board members are less interested in threat detection metrics than in how threat detection can affect revenues and reduce business risk.

CISOs should also avoid jargon and overly technical language and instead speak the language of the board and the business. This will position CISOs as business partners who understand the broader impact of their work and respected colleagues of their executive peers.

People are the weakest link and the biggest vulnerability in an organization’s cybersecurity; that’s why social engineering has been so effective for bad actors. What can be done to make it more difficult and expensive for cybercriminals and scammers?

RK: Social engineering is the preeminent component of the overwhelming majority of cyberattacks today. Its tactics are designed to provoke a response and prey on human nature, and it is only successful when people choose to act on them by doing something – such as clicking a link or disclosing sensitive information.              

The best way to defend against such attacks is to implement cybersecurity awareness training programs, and to do so in a way that highlights the importance of the human-element in protecting the organization rather than this being reduced to merely mandatory training.

The most impactful course of action in the long run will be to shift the organization towards a culture where identification of incoming threats is understood as both relevant and necessary day-to-day. Likely, this means encouraging familiarization with the wide array of content threat actors may leverage and imposing few obstacles to more regular flagging of content as potentially malicious

It is pivotal that organizations ingrain in their users the idea that malicious activity is regular, even inevitable. As this becomes more widely accepted and reporting/clearing pipelines for threats become more well-established within workflows, threat actors should have a progressively more difficult task in exploiting the human element.

Why must organizations invest in people – not just infrastructure – and why is the human factor critical in strengthening our cybersecurity postures?

RK: Organizational risk should be looked at in terms of people – who was targeted, how often they were targeted, whether these targets have access to critical info and sensitive data, and whether the targets fell victim to the attack.

According to our 2022 Cost of Insider Threats Global Report, 56% of incidents were linked to employee or contractor negligence, which occurs when employees forget to ensure devices are secured, when they don’t follow the company’s security policy, or forget to patch and upgrade.

This allows organizations to better mitigate risks by understanding why and how employees were attacked, and how re-training might be necessary to help them update their skills.

To combat this, organizations need to educate their employees on the importance of cyber preparedness and awareness, and let them know they have a part to play in cyber defense. In turn, employees should also realize that they have a role to play in protecting their organization from cyber-attacks, and are in essence the gatekeepers to sensitive company information Companies need to also realize that people – the human factor – need to be central to their cybersecurity strategy, and not just invest in security infrastructure alone. This is why Proofpoint takes a people-centric approach, and believes in the importance of investing in cyber awareness training.