Ransomware, regulatory pressure, and three other Rs will be worrying CISOs this year, and here is how they can cope …

Despite the best efforts of cybersecurity teams across the Asia Pacific region, the threat landscape was more treacherous in 2022 than ever before.

Remote-working, the relentless shift to the cloud computing, and increasingly damaging ransomware attacks all demand stronger cybersecurity in 2023 and beyond.

So, what are the biggest issues keeping the Chief Information Security Officer (CISO) up at night? And how should firms respond to the heightened cyber threats?

Success in the cybersecurity space is best measured when nothing happens. In the past, this had made it difficult for the CISO to make the case for massive investment. However, this is changing rapidly as some firm across the region discover too late and at too great a cost: that the job of protecting an organization from cyber threats is never done.

Jeremy Pizzala, Cybersecurity Consulting Leader (Asia Pacific), EY

To help IT defenders and CISOs keep their sights on the cyber threat radar, here are the five R’s that EY’s experts have curated:

    1. Reduce ransomware risks
      2022 was undoubtedly the year of the data breach. Hackers penetrated cyber defenses and stole customer data across the region, but data breaches in Australia captured the most headlines and political headspace.

      Up to 12m Australians had their data exposed last year, and a treasure trove of personal information — including login credentials for government services — are now being sold on the Dark Web for as little as US$1. The real damage will unfold in 2023. Even more worrying: the success of cybercriminals in 2022 may encourage even less resourced amateurs to step into the ring.

      How do organizations respond? They start by simulating cyber incidents to investigate the effects of a real-world attack. Find out what happens if your critical systems are out of service or key data is locked up through ransomware. Are you investing enough to safeguard your systems and data?

    2. Ramp up regulatory measures
      Regulators across APAC continue to ramp up cybersecurity measures that place the onus on businesses to invest and comply.

      For instance, the Australian Government is considering tougher financial penalties for “serious or repeated privacy breaches” with fines up to AU$50m. Japan’s data protection laws have been bolstered to match Europe’s GDPR. China’s Personal Information Protection Law has been in effect since November 2021 and organizations need to comply with the law when using the data of Chinese citizens. In Singapore, from 1 October 2022, firms that breach the Personal Data Protection Act may face fines of up to SG$1m or, in the case of large firms, 10% of their annual turnover in Singapore.

      In response to this policy tightening, firms across the region can take their cues from the financial services sector. Regulation has driven 15-plus years of investment in robust cyber defenses, and the financial services sector has withstood cyber threats better than other industries.

    3. Reposition the role of the CISO
      In the past, CISOs have sometimes struggled to make themselves heard, because their cybersecurity teams were often (around 56% of the time, according to 2021 data) not consulted at all, or until it was too late.

      The lessons of 2022 will encourage boards to see cybersecurity not as a technical issue — as it has been viewed historically — but as a business opportunity.

      Firms that can bake security into every aspect of their business will be safer and can offer better user experiences.

    4. Rethink resilience
      The pandemic has sharpened the world’s focus on economic, supply chain and national resilience — and cyber resilience should be no different.

      How organizations sustain operations and survive in the face of a concerted cyber incident is a huge challenge — but the bigger picture is national security.

      What happens when, without safeguards in place to protect critical infrastructure, the lights go out or the power grids go down?

      With everything from telecommunications to air traffic control and border security to banking exposed to cyber risk, APAC countries must start to look at cybersecurity through a national capability lens.

      This is a whole-of-business, whole-of-economy, whole-of-society problem — and it needs to be led by a whole-of-government response.

    5. Reframe security systems
      Quantum computing is possibly the world’s new Y2K crisis, as it has the potential to crack the encryption keys that much of the world’s online commerce relies on for security today.

      This may be five or 10 years away, but it certainly demands a fundamental rethink of how we approach encryption, including the use of quantum computing itself as a defense.

Similarly, the metaverse is generating a lot of buzz, but few businesses are considering the cybersecurity implications. A new set of hardware and software is required to power the metaverse. As we move away from keyboards and towards haptics, goggles and headsets, we are opening businesses up to a whole new set of vulnerabilities. The message for APAC organizations clear: If you are considering the metaverse, also consider how you secure it.