75% of Indian organisations believe recruitment of cybersecurity professionals will be a challenge in the next 24 months
Bengaluru, NFAPost: Sophos, a global leader in next-generation cybersecurity, announced the findings of the third edition of its survey report, which states there is a lack of boardroom awareness of cybersecurity and a broad assumption from executives that their company will never get attacked, despite rising ransomware incidents, impact and cost.
The Sophos study is carried out in collaboration with Tech Research Asia (TRA) and titled “The Future of Cybersecurity in Asia Pacific and Japan.”
Cybersecurity education is an issue, and it starts at the top
Despite cybersecurity expenditure and self-assessed maturity increasing in Asia Pacific and Japan (APJ) organisations over the past 12 months, the report found that in India only 61% of companies surveyed believe their board truly understands cybersecurity.
In addition, the top frustration expressed by cybersecurity professionals is that their executives assume cybersecurity is easy and that cybersecurity personnel over-exaggerate threats and issues.
Among the respondents, 86% also believe cybersecurity vendors do not provide them with the information they need to help educate executives, and 93% of companies agree their biggest security challenge in the next 24 months will be the awareness and education of employees and leadership.
The top two attack vectors of concern for APJ organisations are directly addressable by ongoing education and awareness campaigns: phishing or whaling attacks, and weak or compromised employee credentials.
Sophos APJ Global Solutions Engineer Aaron Bugal said with ransomware attacks continuing to become more complex, organisations need a genuine, actionable cybersecurity education program.
“The current reactionary tendencies we’re seeing have created an ‘attack, change, attack, change …’ cycle regarding cybersecurity strategies, which is putting cybersecurity teams constantly on the back foot,” said Sophos APJ Global Solutions Engineer Aaron Bugal.
Sophos APJ Global Solutions Engineer Aaron Bugal said shifting priorities to become more proactive must start at the top and requires direction from executives, including investments in awareness and education across entire organisations.
The skills shortage continues to wreak havoc
The skills shortage continues to be a key focus area in organisations across the region. Seventy-five per cent of firms surveyed expect to have some problems with recruiting cybersecurity employees over the coming 24 months; 29% expect to face a major challenge.
With recruiting continuing to pose issues, companies have identified the priority areas in which they feel skills and capabilities need to be increased for internal security specialists. These include:
· Cloud security policies and architecture
· ‘Train the trainer’ employee and executive cybersecurity training skills
· Software vulnerability testing
Cybersecurity professionals’ top frustrations
The survey also highlights that cybersecurity professionals face a variety of challenges and frustrations in their roles, most of which are related to awareness, perception, messaging, and education. The top three frustrations in India are:
1. Executives assume cybersecurity is easy and that cybersecurity personnel over-exaggerate threats and issues
2. There’s too much ‘fear and doubt’ messaging that makes it hard to talk accurately about cybersecurity
3. Cybersecurity is frequently relegated in priority
Sophos APJ Global Solutions Engineer Aaron Bugal said cybersecurity professionals continue to face many frustrations in their roles this year, with many feeling their warnings and messages fall on deaf ears.
“Apart from lacking skilled security specialists, many of the other frustrations are directly addressable through education and awareness programs, starting at the executive and board level. The challenge for cybersecurity professionals faced with low levels of security understanding among company boards is that many are unlikely to invest in the necessary programs to alleviate these frustrations,” said Sophos APJ Global Solutions Engineer Aaron Bugal.
Sophos APJ Global Solutions Engineer Aaron Bugal said the issue isn’t technology, it’s education. “Increasing spend on cybersecurity won’t help unless organisations understand from the top down the true nature and critical threat that cyberattacks constitute to their organisational capabilities, their customers and their own existence,” he said.
Cybersecurity education must become a focus
The following is a five-step approach to help bring organisations up to speed on cybersecurity education:
1. Boards need help to understand it’s impossible to protect everything, and learn to prioritise the most critical information, data and systems to protect.
2. Education courses on basic principles, genuine likelihood of an attack, attack vectors, threat actors, and other terminology should be available to all staff.
3. Once basics are clearly defined, organisations need to develop strategy and integrate with digital transformation programs.
4. The focus then becomes more operational in nature: applying legislation, breach response protocol, ransom payment policy, gap assessments, and future roles and obligations.
5. Businesses need to clearly understand compliance, the regulatory environment under which the business operates, what’s legally required when breached, and what the appropriate controls around data security and management are.
Sophos commissioned Tech Research Asia (TRA) to undertake this research into the Asia Pacific and Japan cybersecurity landscape. This includes a major quantitative survey where a total of 900 responses were captured across Australia, India, Japan, Malaysia, Philippines, and Singapore.
Sophos is a worldwide leader in next-generation cybersecurity, protecting more than 500,000 organisations and millions of consumers in more than 150 countries from today’s most advanced cyberthreats.
Powered by threat intelligence, AI and machine learning from SophosLabs and SophosAI, Sophos delivers a broad portfolio of advanced products and services to secure users, networks and endpoints against ransomware, malware, exploits, phishing and the wide range of other cyberattacks.
Sophos provides a single integrated cloud-based management console, Sophos Central – the centrepiece of an adaptive cybersecurity ecosystem that features a centralised data lake that leverages a rich set of open APIs available to customers, partners, developers, and other cybersecurity vendors.
Sophos sells its products and services through reseller partners and managed service providers (MSPs) worldwide. Sophos is headquartered in Oxford, U.K. More information is available at www.sophos.com.