Sophos, a global player in next-generation cybersecurity, recently announced the findings of the second edition of its survey report, The Future of Cybersecurity in Asia Pacific and Japan, in collaboration with Tech Research Asia (TRA). The study reveals that despite the increase in cyberattacks, budgets have remained stagnant, and cybersecurity threats and damage to organizations have continued to be underestimated by executive teams.
Attacks rise, budgets stay the same in the Philippines
More than one third (31 percent) of Philippine organizations surveyed suffered a data breach in 2020. While this figure is lower than the regional average of 44 percent in Asia Pacific and Japan (APJ), it remains a cause for concern as it is an increase from 24 percent in 2019.
Although the Philippines has the most considerable percentage of organizations claiming to have the highest cybersecurity maturity level in the region (30 percent), 31 percent have fallen victim to a successful cybersecurity attack in the past 12 months. As much as 39 percent of the attacks were severe, with more than half (55 percent) taking longer than a week to remediate.
While attacks are increasing in frequency and severity, there is no expected increase in the median percentage of technology budgets that is spent on cybersecurity, which is at 10 percent today and expected to remain the same for the next 24 months. However, 44 percent of Philippine businesses are concerned that their cybersecurity budget is currently below where it needs to be.
“Ultimately, security is about right-sizing the risk. If the risk increases, budgets should also increase. Yet, in this climate of uncertainty, we’ve seen organizations take a conservative approach to security spending, which is limiting their ability to stay ahead of cybercriminals,” said Trevor Clarke, lead analyst and director at Tech Research Asia.
The top frustrations of Asia Pacific and Japan companies reflect boardroom indifference
Across Asia Pacific and Japan (APJ), the number one frustration is that executives assume cybersecurity is easy and that cybersecurity threats and issues are overblown. A lack of budget ranked second, followed by the difficulty to fill cybersecurity roles.
“Our research highlights a disturbing attitude – executive teams claiming that cybersecurity incidents are exaggerated. It is confounding that this attitude prevailed even when the end of 2020 showed us just how bad a global supply-chain attack could be. If that weren’t enough, the more recent zero-day vulnerabilities in widely deployed email platforms would demonstrate the desperate need for unification in cyber resilience. Everybody needs to play their part as we all need to understand and mitigate the risk,” said Aaron Bugal, global solutions engineer of Sophos.
The industry skills shortage continues to create challenges
The cybersecurity skills gap continues to be a problem for businesses in the Philippines. Nearly 45 percent of Philippine businesses have said that lack of cybersecurity skills is challenging for their organization.
While a lack of qualified staff and budget constraints continue to hinder organizations in the Philippines from obtaining the skills they require in-house, there is a slight improvement in recruiting skilled cybersecurity professionals – almost half of the organizations (48 percent) surveyed said they struggled to recruit candidates with qualified skills in 2020, compared to 62 percent in 2019.
COVID-19’s impact on remote working accelerated transformation but exposed vulnerabilities
COVID-19 had a positive impact on cybersecurity, with 73 percent of Philippine companies agreeing that the outbreak of COVID-19 was the most robust catalyst for upgrading cybersecurity strategy and tools in the past 12 months.
At the same time, 41 percent of local organizations indicated they were unprepared for the security requirements driven by the sudden need for secure remote working at the pandemic’s onset.
“COVID-19 compelled companies to refresh their cybersecurity strategies, yet the transformational shift to remote working also exposed additional weaknesses. Businesses have transformed their workplace environments, undergone an accelerated digitization period, yet continue to confront systemic cybersecurity issues, including executive apathy, low budgets, and a lack of skilled cybersecurity professionals.
“Despite improvements made, progress remains slow, reinforcing our belief that cybersecurity is never ‘finished’ and requires a constant focus, both from technological and cultural viewpoints,” said Trevor Clarke.