Findings of the third edition of Sophos’ survey report, The Future of Cybersecurity in Asia Pacific and Japan, revealed a lack of boardroom awareness of cyber security and a broad assumption from executives that their company will never get attacked, despite rising ransomware incidents, impact and cost.
A collaboration between Tech Research Asia (TRA) and Sophos, the report has found that despite rising ransomware incidents, cyber security education is an issue, and it starts at the top.
Despite cyber security expenditure and self-assessed maturity increasing in Asia-Pacific and Japan (APJ) organisations over the past 12 months, only 52 per cent of Australian companies surveyed believe their board truly understands cyber security. In addition, the top frustration expressed by cyber security professionals in Australia is that cyber security is frequently relegated in priority.
Eighty per cent of Australian respondents also believe cyber security vendors do not provide them with the information they need to help educate executives, and 95 per cent of Australian companies agree their biggest security challenge in the next 24 months will be the awareness and education of employees and leadership.
The top two attack vectors of concern for APJ organisations are directly addressable by ongoing education and awareness campaigns: phishing or whaling attacks and weak or compromised employee credentials.
With ransomware attacks continuing to become more complex, organisations need a genuine, actionable cyber security education program, according to Aaron Bugal, global solutions engineer, APJ, at Sophos.
“The current reactionary tendencies we’re seeing have created an ‘attack, change, attack, change …’ cycle regarding cyber security strategies, which is putting cyber security teams constantly on the back foot.
“Shifting priorities to become more proactive must start at the top and requires direction from executives, including investments in awareness and education across entire organisations,” Bugal said.
The skills shortage continues to wreak havoc
The skills shortage continues to be a key focus area in organisations across the region.
Sixty-nine per cent of Australian firms surveyed expect to have some problems with recruiting cyber security employees over the coming 24 months; 15 per cent expect to face a major challenge.
With recruiting continuing to pose issues, companies have identified the priority areas in which they feel skills and capabilities need to be increased for internal security specialists. These include:
Cyber security professionals’ top frustrations
The survey also highlights that cyber security professionals face a variety of challenges and frustrations in their roles, most of which are related to awareness, perception, messaging and education.
The top three frustrations in Australia are:
Additional frustrations experienced by cyber security professionals across the region include:
According to Bugal, cyber security professionals continue to face many frustrations in their roles this year, with many feeling their warnings and messages fall on deaf ears.
“Apart from lacking skilled security specialists, many of the other frustrations are directly addressable through education and awareness programs, starting at the executive and board level.
“The challenge for cyber security professionals faced with low levels of security understanding among company boards is that many are unlikely to invest in the necessary programs to alleviate these frustrations.
“The issue isn’t technology, it’s education. Increasing spend on cyber security won’t help unless organisations understand from the top down the true nature and critical threat that cyber attacks constitute to their organisational capabilities, their customers and their own existence,” Bugal said.
Cyber security education must become a focus
The following is a five-step approach to help bring organisations up to speed on cyber security education: