Top brass think they won't get attacked, despite rising incidents

There is a lack of boardroom awareness of cybersecurity and a broad assumption among executives that their company will never get attacked, despite rising ransomware incidents, impact and cost, according to Sophos.

Sophos commissioned Tech Research Asia (TRA) to conduct research involving a major quantitative survey of 900 respondents across Australia, India, Japan, Malaysia, the Philippines, and Singapore.

Findings show that despite cybersecurity expenditure and self-assessed maturity increasing in Asia Pacific and Japan (APJ) organisations over the past 12 months, only 37% of companies in Singapore surveyed believe their board truly understands cybersecurity. 

The top frustration expressed by cybersecurity professionals in Singapore is that executives assume cybersecurity is easy and that cybersecurity professionals over-exaggerate threats and issues.

Also, 89% of respondents surveyed in Singapore believe cybersecurity vendors do not provide them with the information they need to help educate executives, and 75% of companies agree their biggest security challenge in the next 24 months will be the awareness and education of employees and leadership.

The top two attack vectors of concern for APJ organisations are directly addressable by ongoing education and awareness campaigns — phishing or whaling attacks, and weak or compromised employee credentials.

“Shifting priorities to become more proactive must start at the top and requires direction from executives, including investments in awareness and education across entire organisations,” said Aaron Bugal, Sophos global solutions engineer in APJ.

The skills shortage continues to be a key focus area in organisations as 72% of Singapore firms surveyed expect to have some problems with recruiting cybersecurity employees over the coming 24 months, and 21% expect to face a major challenge.

With recruiting continuing to pose issues, companies have identified the priority areas where they feel skills and capabilities need to be increased for internal security specialists. These include cloud security policies and architecture, ‘train the trainer’ employee and executive cybersecurity training skills, software vulnerability testing, staying up to date with the latest threats, and policy compliance and reporting.

The survey also highlights that cybersecurity professionals face a variety of challenges and frustrations in their roles, most of which are related to awareness, perception, messaging, and education. 

The top three frustrations in Singapore are executives assuming that cybersecurity is easy and that cybersecurity personnel over-exaggerate threats and issues, an over-reliance on fear and doubt messaging that makes it hard to educate executives, and cybersecurity being frequently relegated in priority.

Additional frustrations experienced by cybersecurity professionals across the region include executives thinking there is nothing that can be done to stop attacks, an inability to keep up with the pace of security threats, and not enough investment and time put into training general staff.