Their sentiments pointed to complacency and lack of awareness, especially at the Board level.

Based on a January 2022 survey of 900 respondents in the Asia Pacific and Japan region (APJ), a cybersecurity firm has released a report this month (April 2022) that concludes: there is a lack of boardroom awareness of cybersecurity, coupled with a broad assumption by executives in the region that their company will never get attacked, despite surges in ransomware attacks, impact and cost.

With recruiting continuing to pose issues in the region, organizations in the survey had identified the priority areas where skills and capabilities needed to be increased, which includes:

  • ‘Train the trainer’ employee and executive cybersecurity training skills
  • Staying up to date with the latest threats
  • Policy compliance and reporting

The report also highlights the challenges and frustrations faced by cybersecurity professionals in their roles, most of which are related to awareness, perception, messaging, and education.  

Key findings

The survey sample population included 100 employees each in Malaysia, Philippines and Singapore, and 200 each in Australia, India and Japan, with the largest group (34%) belonging to organizations with 2,500+ headcounts, followed by smaller firms of 500 to 999 employees (24%), 1,000 to 1,499 employees (22%) and those with 1,500 to 2,499 personnel (20%).

Divided into three aspects, the findings for APAC were:

1. Cyber strategy and execution

  • Spending on cybersecurity was slightly up. On average, cybersecurity spending in the data represented 11% of 2022 technology budgets, an increase from previous years.
  • Maturity does not equate to capability. Cybersecurity maturity levels continued to rise despite organizations struggling to cope with the same issues year on year. Either the self-assessed maturity levels were too optimistic or there were some serious systemic issues that have not been addressed.
  • There was a clear trend of organizations appointing dedicated security specialists rather than subsuming security responsibilities within the roles of current IT professionals.

2. Education and cyber skills

  • 73% of respondents expected to have difficulty recruiting cybersecurity employees in the coming two years.
  • 40% of respondents believed their board truly understand cybersecurity; the top frustration cybersecurity professionals experienced was that the Board and executive levels assumed that the firm will never get attacked.
  • 60% of respondents did not believe cybersecurity vendors fully provided them with the right information to help educate their boards and executive suites.
  • The need for outsourcing or maintain an in-house cyber defense team depended on corporate circumstances: Strategy development, data management and compliance, and PII management remained mostly in-house. Typically, operations such as threat hunting, remediation, incident response and penetration testing were outsourced or a blend of the two approaches.

3. Defenses against threats

  • 90% of respondents were using threat hunting as part of protecting their organization. Some 85% of current users rated it as ‘important’ or ‘critical’ to a successful cybersecurity capability.
  • Top attack vectors cited were: phishing, credentials, supply chain vulnerabilities, unpatched vulnerabilities, and malicious employees.
  • Top attack vectors predicted by respondents included: phishing, malware, poorly configured systems, corporate espionage and state-sponsored attacks (APTs).

Commenting on the APAC trends, Aaron Bugal, Global Solutions Engineer (APJ), Sophos, the firm that sponsored the report,said: “With ransomware attacks continuing to become more complex, organizations need a genuine, actionable cybersecurity education program. The current reactionary tendencies we’re seeing have created an ‘attack, change, attack, change …’ cycle regarding cybersecurity strategies, which is putting cybersecurity teams constantly on the back foot.”

Bugal was alluding to his opinion that “the issue isn’t technology, it’s education. Increasing spend on cybersecurity won’t help unless organizations understand from the top down the true nature and critical threat that cyberattacks constitute to their organizational capabilities, their customers and their own existence.”