You are right if you think board executives are unaware of cyber threats.
There is a broad assumption among executives that their companies will never be attacked, despite the rising incidence, impact and cost of ransomware, according to research conducted by Sophos in collaboration with Tech Research Asia, which collected 900 responses across Australia, India, Japan, Malaysia, the Philippines, and Singapore.
Cybersecurity education is an issue, and it starts at the top
Survey results indicate that only 37% of companies in Singapore believe board executives truly understand cybersecurity, despite cybersecurity expenditure and self-assessed maturity increasing in Asia Pacific and Japan (APJ) organisations over the past 12 months.
The top frustration expressed by cybersecurity professionals in Singapore is that board executives assume cybersecurity is easy and that cybersecurity professionals exaggerate threats and issues, Sophos pointed out.
In addition, surveyed cybersecurity professionals in the country noted that an over-reliance on fear and doubt messaging makes it hard to educate executives, while cybersecurity is frequently given lower priority.
Some 89% of respondents surveyed in Singapore also believe cybersecurity vendors do not provide them with the information they need to help educate executives, while 75% of companies agree their biggest security challenge in the next 24 months will be the awareness and education of employees and leadership.
The top two attack vectors of concern for APJ organisations are directly addressable by ongoing education and awareness campaigns: phishing or whaling attacks, and weak or compromised employee credentials, Sophos said.
With ransomware attacks continuing to become more complex, organisations need a genuine, actionable cybersecurity education program, said Aaron Bugal, global solutions engineer, APJ, at Sophos.
“However, the current reactionary tendencies we’re seeing have created an ‘attack, change, attack, change …’ cycle regarding cybersecurity strategies, which is putting cybersecurity teams constantly on the backfoot,” he noted.
Shifting priorities to become more proactive must start at the top and requires direction from executives, including investments in awareness and education across entire organisations, Bugal advised.
Apart from the major frustrations facing cybersecurity professionals in Singapore, there are other issues when it comes to guarding companies against security threats:
- board executives thinking there is nothing that can be done to stop attacks
- inability to keep up with the pace of security threats
- not enough investment and time into training general staff
Cybersecurity professionals will continue to face many frustrations in their roles this year, with many feeling their warnings and messages fall on deaf ears, Bugal said.
The level of security understanding among company boards is low and many are unlikely to invest in the necessary programs to alleviate these frustrations, he added.
“The issue isn’t technology, it’s education,” Bugal pointed out. “Increasing spend on cybersecurity won’t help unless organisations understand from the top down the true nature and critical threat that cyberattacks constitute to their organisational capabilities, their customers and their own existence.”
Cybersecurity education must become a focus, Bugal said, recommending the following five-step approach to help bring organisations up to speed on cybersecurity education:
1. Boards need help to understand it’s impossible to protect everything, and learn to prioritise the most critical information, data and systems to protect.
2. Education courses on basic principles, genuine likelihood of an attack, attack vectors, threat actors, and other terminology should be available to all staff.
3. Once basics are clearly defined, organisations need to develop strategy and integrate with digital transformation programs.
4. The focus then becomes more operational in nature: applying legislation, breach response protocol, ransom payment policy, gap assessments, and future roles and obligations.
5. Businesses need to clearly understand compliance, the regulatory environment under which the business operates, what is legally required when breached, and what the appropriate controls around data security and management are.
Skill shortage continues to wreak havoc
Executive education aside, the cybersecurity skills shortage continues to wreak havoc across the region as well as in Singapore, Sophos observed.
Survey results indicate that 72% of Singapore firms expect to have some problems with recruiting cybersecurity employees over the coming 24 months and 21% expect to face a major challenge.
As recruitment remains an issue, companies have identified the priority areas in which they feel the skills and capabilities of internal security specialists need to be increased, Sophos said.
These priority areas include:
- cloud security policies and architecture
- ‘train the trainer’ employee and executive cybersecurity training skills
- software vulnerability testing
- staying up to date with the latest threats
- policy compliance and reporting