Lack of cybersecurity awareness in Asia Pacific and Japan still persists: Sophos survey
There is a lack of boardroom awareness of cybersecurity, and a broad assumption from executives that their company will never get attacked, despite rising ransomware incidences, impact, and cost, according to the findings of the third edition of Sophosâ survey report, The Future of Cybersecurity in Asia Pacific and Japan in collaboration with Tech Research Asia.
Cybersecurity education is an issue, and it starts at the top
Despite cybersecurity expenditure and self-assessed maturity increasing in Asia Pacific and Japan (APJ) organisations over the past 12 months, only 52% of Australian companies surveyed believe their board truly understands cybersecurity.
In addition, the top frustration expressed by cybersecurity professionals in Australia is that cybersecurity is frequently relegated in priority.
Eighty percent of Australian respondents also believe cybersecurity vendors do not provide them with the information they need to help educate executives and 95% of Australian companies agree their biggest security challenge in the next 24 months will be the awareness and education of employees and leadership.
|
|
The top two threats of concern for APJ organisations are addressable by ongoing education and awareness campaigns: phishing or whaling attacks, and weak or compromised employee credentials.
âWith ransomware attacks continuing to become more complex, organisations need a genuine, actionable cybersecurity education program. The current reactionary tendencies weâre seeing have created an âattack, change, attack, change âŚâ cycle regarding cybersecurity strategies, which is putting cybersecurity teams constantly on the backfoot. Shifting priorities to become more proactive must start at the top and requires direction from executives, including investments in awareness and education across entire organisations,â says Sophos global solutions engineer APJ Aaron Bugal.
The skills shortage continues to wreak havoc
Sixty-nine percent of Australian firms surveyed expect to have some problems with recruiting cybersecurity employees over the coming 24 months. Fifteen percent expect to face a major challenge.
With recruiting continuing to pose issues, companies have identified the priority areas they feel skills and capabilities need to be increased for internal security specialists. These include:
Cloud security policies and architecture
âTrain the trainerâ employee and executive cybersecurity training skills
Software vulnerability testing
Staying up to date with the latest threats
Policy compliance and reporting
Cybersecurity professionalsâ top frustrations
The survey also highlights that cybersecurity professionals face challenges and frustrations in their roles, most of which are related to awareness, perception, messaging, and education. The top three frustrations in Australia are:
1. Cybersecurity is frequently relegated in priority
2. There is not enough budget for security
3. Executives assume cybersecurity is easy and cybersecurity personnel over exaggerate threats and issues
Additional frustrations experienced by cybersecurity professionals across the region include:
1. Executives thinking there is nothing that can be done to stop attacks
2. Inability to keep up with pace of security threats
3. Not enough investment and time into training general staff
âCybersecurity professionals continue to face many frustrations in their roles this year, with many feeling their warnings and messages fall on deaf ears. Apart from lacking skilled security specialists, many of the other frustrations are directly addressable through education and awareness programs, starting at the executive and board level. The challenge for cybersecurity professionals faced with low levels of security understanding among company boards is that many are unlikely to invest in the necessary programs to alleviate these frustrations,â says Bugal.
Bugal says the issue isnât technology, itâs education.
âIncreasing spend on cybersecurity wonât help unless organisations understand from the top down the true nature and critical threat that cyberattacks constitute to their organisational capabilities, their customers and their own existence.â
Sophos says cybersecurity education must become a focus. The following is a five-step approach to help bring organisations up to speed on cybersecurity education:
1. Boards need help to understand itâs impossible to protect everything, and learn to prioritise the most critical information, data and systems to protect.
2. Education courses on basic principles, genuine likelihood of an attack, attack vectors, threat actors, and other terminology should be available to all staff.
3. Once basics are clearly defined, organisations need to develop strategy and integrate with digital transformation programs.
4. The focus then becomes more operational in nature: applying legislation, breach response protocol, ransom payment policy, gap assessments, and future roles and obligations.
5. Businesses need to clearly understand compliance, the regulatory environment under which the business operates, whatâs legally required when breached and what are the appropriate controls around data security and management.
Gloss