The Future of Cybersecurity in Asia Pacific and Japan revealed that despite the increased in cyberattacks (with 56% having suffered from a successful attack in 2021), cybersecurity budgets have remained stagnant and executive teams continue to underestimate the level of damage threats can do to organisations.
Released by Sophos, in collaboration with Tech Research Asia (TRA), the report did note a marked push to exert more centralised control and oversight with 64% of companies consolidating cybersecurity budgets within their IT groups, up 14% from 2019.
The report acknowledged that while there is some element of playing catch-up with new threats and new tools, organisations are focusing on operational excellence through improving culture, education, and the optimisation of the technology.
Drivers of awareness
Among the drivers of cybersecurity awareness, the report listed developments in regulatory requirements, the acceleration of digital transformation, learnings as organisations move to establish remote business operations in 2020, and sustained adoption of cloud technology.
Disturbing attitudes
Respondents to the survey acknowledged that the top 3 frustrations have largely remained the same, albeit in a slightly different order):
| Frustrations | Rank in 2021 | Rank in 2019 |
| Cybersecurity is easy and that IT over exaggerates the threats and issues | 1 | 3 |
| Not enough budget for cybersecurity | 2 | 2 |
| We do not employ enough cybersecurity professionals | 3 | 1 |
“Our research highlights a disturbing attitude that needs to be tackled head-on – executive teams claiming that cybersecurity incidents are exaggerated. It is confounding that this attitude prevails even when the end of 2020 showed us just how bad a global supply-chain attack could be."
Aaron Bugal
"If that wasn’t enough, the more recent zero-day vulnerabilities in widely deployed email platforms demonstrates the desperate need for unification when it comes to cyber resilience. Everybody needs to play a part. And to play a part, we all need to understand the risk,” said Aaron Bugal, global solutions engineer, Sophos.
Respondents to the survey concede the difficulty in achieving and maintaining consistent focus on security. The report said when it comes to security, like all other company initiatives including culture, capabilities, enthusiasm and education, there is no ‘constant state’.
Trevor Clarke, lead analyst and director, Tech Research Asia, concede that security is ultimately about rightsizing the risk.
“If the risk increases, budgets should also increase, but in this climate of uncertainty, we’ve seen organisations take a conservative approach to security spending, which is impacting their ability to stay ahead of cybercriminals. Despite improvements made, progress remains slow, reinforcing our belief that cybersecurity is never ‘finished’ and requires a constant focus, both from technological and cultural viewpoints,” he concluded.
