Sophos’ second edition of its survey report, The Future of Cybersecurity in Asia Pacific and Japan, reveals that despite cyberattacks increasing, cybersecurity budgets have remained stagnant and executive teams continue to underestimate the level of damage threats can do to organisations.
Attacks rise, budgets stay the same
Nearly 30 per cent of Singaporean organisations surveyed suffered a data breach in 2020, the lowest share among the markets surveyed in Asia Pacific and Japan (APJ). However, this figure remains a cause for concern, as it is an increase from 26 per cent in 2019.
Of these successful breaches, 33 per cent of companies rated the loss of data as either “very serious” (4 per cent) or “serious” (29 per cent). Nearly 15 per cent of Singaporean organisations surveyed suffered at least 50 attempted security attacks or mistakes per week.
A large majority (75 per cent) of organisations also revealed that they took more than a week to remediate these cybersecurity breaches. Compared with other countries surveyed in Asia Pacific and Japan, Singapore took the longest to recover from cybersecurity attacks, with Japan reportedly able to remediate and recover the fastest (62 per cent of Japanese organisations were able to recover in less than a week).
Sumit Bansal, managing director of ASEAN, Sophos said, “Even though organisations in Singapore reported the least number of attacks in 2020, it is worrying that they are taking longer than any other market in APJ to recover from the attacks. With more than a third of these breaches being ‘very serious’ or ‘serious’, business leaders need to prioritise recovery sooner rather than later.”
While attacks are increasing in frequency and severity, cybersecurity budgets remained largely unchanged as a percentage of revenue between 2019 and 2021. In Singapore, 61 per cent of businesses stated that their cybersecurity budget is below where it needs to be, the same percentage it was in 2019.
“Ultimately, security is about right sizing the risk. If the risk increases, budgets should also increase, but in this climate of uncertainty, we’ve seen organisations take a conservative approach to security spending, which is impacting their ability to stay ahead of cybercriminals,” said Trevor Clarke, lead analyst and director, Tech Research Asia.
The top frustrations of Asia Pacific and Japan companies reflect boardroom indifference
Across Asia Pacific and Japan (APJ), the number one frustration identified by companies is that executives assume cybersecurity is easy and that cybersecurity threats and issues are exaggerated. A lack of budget ranked second, followed by the struggle to fill cybersecurity roles.
“Our research highlights a disturbing attitude that needs to be tackled head on – executive teams claiming that cybersecurity incidents are exaggerated. It is confounding that this attitude prevails even when the end of 2020 showed us just how bad a global supply-chain attack could be. If that wasn’t enough, the more recent zero-day vulnerabilities in widely deployed email platforms demonstrate the desperate need for unification when it comes to cyber resilience. Everybody needs to play a part. And to play a part, we all need to understand the risk,” said Aaron Bugal, global solutions engineer, Sophos.
The industry skills shortage continues to create challenges
There has been no improvement on the cybersecurity skills gap issue in 2021. Nearly 60 per cent of businesses in Singapore agree that their company’s lack of cybersecurity skills is challenging for their organisation, compared to 51 per cent in 2019.
A lack of suitable staff and budget constraints continue to hinder organisations from obtaining the skills they require in-house. Nearly 60 per cent of companies in Singapore struggle to recruit candidates with the necessary skills, which is a small improvement since 2019.
COVID-19’s impact on remote working accelerated transformation, but exposed vulnerabilities
COVID-19 had a positive impact on cybersecurity, with three-quarters (75 per cent) of companies in Singapore agreeing that the outbreak of COVID-19 was the strongest catalyst for upgrading cybersecurity strategy and tools in the past 12 months.
At the same time, more than half of organisations indicated they were unprepared for the security requirements driven by the sudden need for secure remote working at the onset of the pandemic.
COVID-19 compelled companies to refresh their cybersecurity strategies, yet the transformational shift to remote working also exposed additional weaknesses. Businesses have transformed their workplace environments and undergone an accelerated period of digitisation, yet continue to confront systemic cybersecurity issues, including executive apathy, low budgets and a lack of skilled cybersecurity professionals.
“Despite improvements made, progress remains slow, reinforcing our belief that cybersecurity is never ‘finished’ and requires a constant focus, both from technological and cultural viewpoints,” said Trevor Clarke.