Cybersecurity budgets have remained stagnant and executive teams continue to underestimate the level of damage cyber threats can do to organisations, an Asia Pacific and Japan survey by next-generation cybersecurity leader Sophos has found.
The second edition of the Sophos survey report, The Future of Cybersecurity in Asia Pacific and Japan, created in collaboration with Tech Research Asia (TRA), is the result of a study of 900 business decision makers across Asia Pacific and Japan (APJ) – including 200 from Australia.
The report indicates that while COVID-19-accelerated digitisation was a catalyst for improving cybersecurity, systemic security issues persist.
Attacks rise, budgets stay the same
More than half (52 per cent) of Australian organisations surveyed suffered a data breach in 2020, up from 36 per cent in 2019 – this is despite 61 per cent of Australian organisations claiming to have a proactive or better security capability in place today.
This is still considerably better than the average across Asia Pacific and Japan, where 70 per cent of surveyed organisations reported a breach in 2020, which is a two-fold increase since 2019.
Of the successful Australian breaches, more than two-thirds (69 per cent) of companies rated the loss of data as either “very serious” or “serious”. Two-thirds (68 per cent) said the breach took longer than a week to remediate.
While attacks are increasing in frequency and severity, Australian cybersecurity budgets remained largely unchanged as a percentage of revenue between 2019 and 2021. At the same time, 64 per cent of Australian businesses stated their cybersecurity budget is below where it needs to be, showing little change from 2019.
However, surveyed businesses are expecting an incremental increase in the median percentage of technology budgets spent on cybersecurity, from six per cent today to nine per cent in two years.
“Ultimately, security is about right sizing the risk. If the risk increases, budgets should also increase, but in this climate of uncertainty, we’ve seen organisations take a conservative approach to security spending, which is impacting their ability to stay ahead of cybercriminals,” said Trevor Clarke, lead analyst and director, Tech Research Asia.
Top frustrations of Asia Pacific and Japan companies reflect boardroom indifference
Across APJ, the number one frustration identified by companies is that executives assume cybersecurity is easy and that cybersecurity threats and issues are exaggerated. A lack of budget ranked second, followed by struggles to fill cybersecurity roles.
“Our research highlights a disturbing attitude that needs to be tackled head on – executive teams claiming that cybersecurity incidents are exaggerated. It is confounding that this attitude prevails even when the end of 2020 showed us just how bad a global supply-chain attack could be,” said Aaron Bugal, global solutions engineer, Sophos.
“If that wasn’t enough, the more recent zero-day vulnerabilities in widely deployed email platforms demonstrate the desperate need for unification when it comes to cyber resilience. Everybody needs to play a part. And to play a part, we all need to understand the risk,” Bugal said.
Industry skills shortage continues to create challenges
In Australia, the Sophos survey indicates no improvement on the cybersecurity skills gap issue since 2019. Sixty-two per cent of Australian businesses agree their company’s lack of cybersecurity skills is a challenge, unchanged from 2019.
A lack of suitable staff and budget constraints continue to hinder organisations from obtaining the skills they require in-house. Sixty-three per cent of companies struggle to recruit candidates with the necessary skills, which is a slight improvement from 65 per cent in 2019. This is on par with the rest of the region.
COVID-19’s impact on remote working accelerated transformation, but exposed vulnerabilities
COVID-19 had a positive impact on cybersecurity measures across Australia, with 70 per cent of Australian companies agreeing the outbreak of COVID-19 was the strongest catalyst for upgrading cybersecurity strategy and tools in the past 12 months.
At the same time, three-fifths (60 per cent) of organisations indicated they were unprepared for the cybersecurity requirements driven by the sudden need for secure remote working at the onset of the pandemic.
“COVID-19 compelled companies to refresh their cybersecurity strategies, yet the transformational shift to remote working also exposed additional weaknesses. Businesses have transformed their workplace environments, undergone an accelerated period of digitisation, yet continue to confront systemic cybersecurity issues, including executive apathy, low budgets and a lack of skilled cybersecurity professionals,” Clarke said.
“Despite improvements made, progress remains slow, reinforcing our belief that cybersecurity is never ‘finished’ and requires a constant focus, both from technological and cultural viewpoints,” Clarke added.