According to the findings of the third edition of Sophos’s investigative report, The future of cybersecurity in Asia-Pacific and Japan, produced in collaboration with Tech Research Asia, there is a lack of cybersecurity awareness among corporate boards and a broad assumption by executives that their business will never be attacked, despite the growing incidence, impact and cost of ransomware.
Cybersecurity education is a problem, and it starts at the top
Despite increases in cybersecurity spending and self-rated maturity across Asia-Pacific and Japan (APJ) organizations over the past 12 months, only 52% of Australian companies surveyed believe their board of directors really understands cybersecurity.
Moreover, the main frustration expressed by cybersecurity professionals in Australia is that cybersecurity is often given low priority.
80% of Australian respondents also believe that cybersecurity vendors are not giving them the information they need to help educate leaders and 95% of Australian businesses agree that their biggest security challenge over the next 24 months will be the awareness and education of employees and managers.
The two main threats of concern to APJ organizations can be addressed through ongoing education and awareness campaigns: phishing or whaling attacks and weak or compromised employee credentials.
“With ransomware attacks becoming increasingly complex, organizations need a real, actionable cybersecurity education program. The current reactionary trends we are seeing have created an ‘attack, change, attack, change’ cycle … regarding cybersecurity strategies, which constantly challenges cybersecurity teams. Changing priorities to become more proactive must start at the top and requires leadership from the top, including investments in awareness and training education across organizations,” says Aaron Bugal, Global Solutions Engineer, APJ at Sophos.
The skills shortage continues to take its toll
Sixty-nine percent of Australian companies surveyed expect to have problems recruiting cybersecurity employees over the next 24 months. Fifteen percent expect to face a major challenge.
With recruitment continuing to pose challenges, companies have identified priority areas they believe require an increase in the skills and capabilities of internal security specialists. These include:
Cloud security policies and architecture
Training employees and leaders in cybersecurity skills (“train the trainer”)
Software vulnerability testing
Keeping up to date with the latest threats
Policy compliance and reporting
Top Frustrations of Cybersecurity Professionals
The survey also highlights that cybersecurity professionals face challenges and frustrations in their roles, most of which relate to awareness, perception, messaging and education. The three main frustrations in Australia are:
1. Cybersecurity is often given low priority
2. There is not enough budget for security
3. Leaders assume cybersecurity is easy and cybersecurity personnel exaggerate threats and problems
Additional frustrations encountered by cybersecurity professionals in the region include:
1. Leaders think there is nothing they can do to stop the attacks
2. Inability to keep pace with security threats
3. Not enough investment and time in general staff training
“Cybersecurity professionals continue to face many frustrations in their roles this year, with many feeling that their warnings and messages are falling on deaf ears. In addition to the lack of qualified security specialists, many of the other frustrations can be addressed directly through education and awareness programs, starting at the executive and board level. The challenge for cybersecurity professionals faced with low levels of security understanding among corporate boards is that many are unlikely to invest in the programs needed to alleviate these frustrations,” Bugal says.
Bugal says the problem isn’t technology, it’s education.
“Increased spending on cybersecurity will only help if organizations understand from the top down the true nature and critical threat that cyberattacks pose to their organizational capabilities, their customers, and their very existence.”
Sophos says cybersecurity education must become a priority. Here is a five-step approach to help organizations stay current with cybersecurity training:
1. Boards of directors need help to understand that it is impossible to protect everything and learn to prioritize the most critical information, data and systems to protect.
2. Training courses on the basics, the true likelihood of an attack, attack vectors, threat actors, and other terms should be available to all personnel.
3. Once the basics are clear, organizations need to develop a strategy and integrate with digital transformation programs.
4. The focus then becomes more operational: law enforcement, breach response protocol, ransom payment policy, gap assessment, and future roles and obligations.
5. Businesses need to clearly understand compliance, the regulatory environment in which they operate, what is legally required in the event of a breach, and what are the appropriate security and data management controls.