Mid-year state of cyber security: APAC

Contents

1. About the respondents
2. The current state of cyber security
3. Cyber security threats and challenges
4. Final remarks

Foreword

As the threat landscape develops, region-specific trends are revealed. The Asia-Pacific region sees a large range of targeted threats including key employee/role targeting, malicious or unsafe cloud apps and malware.

In 2022, 59 percent of businesses in the Asia-Pacific region reported being the victim of a cyber attack, and 32 percent reported being the victim of multiple cyber attacks. This coupled with the region facing a shortage of 2.1 million cyber security professionals in 2022, it will be important to explore how the region responds to the cyber threats of 2023 in the face of these challenges.

With this in mind, Cyber Security Hub has conducted a survey of 89 cyber security professionals from across the Asia-Pacific region to gain key insights into the current trends, challenges and investment opportunities in the world of cloud security.

The report contains an analysis of the data collected in addition to insights from cybersecurity practitioners at Mizuhuo Bank, EC Council and the Singapore University of Social Sciences.

About the respondents

This section will explore the job roles of the respondents, in addition to the industries, regions and cyber security budget size of the companies they work for. 

Figure 1: Which best describes your job role? 

Figure 2: Which industry vertical best describes where your organization sits?

Figure 3: What percentage of your organization’s overall IT budget is dedicated to cyber security? 

Section two: The current state of cyber security  

Figure 4: Thinking about your organization’s approach to cyber security in 2022, please rate how much you agree or disagree with the following statements: 

When it comes to the current state of cyber security across APAC, respondents appear to be generally confident in their company’s cyber security capabilities.

More than a third (39 percent) say that their company has a good understanding of threats now than in years previously. Likewise, more than two fifths (43 percent) say their organization has a high prioritization of cyber security, and more than one in three (36 percent) say their company’s general understanding of cyber security compliance/training has also both increased during this time.

Arun Dhanaraj, VP of cloud and security practices at Mizuhuo Bank, the region's growing digitization has increased hackers' attack surface, leading to cyber criminals targeting the area due to insufficient cybersecurity knowledge and restrictions. This increase in cyber crime occurrences has boosted awareness of cybersecurity compliance/training and current threats during the last year as companies and employees must be more guarded against attacks.

This training and education will also lead to increased awareness and visibility of threats, as cited by 43 percent of respondents. 

Despite this increased visibility and education, over a quarter (28 percent) said that the rate and volume of cyber attacks against their company had increased in the past 12 months.

Mizuhuo Bank’s Dhanaraj says that companies can better defend against cyber attacks such as these by fostering a cyber security culture within the business and investing in key security controls.

“[Creating a cyber security culture] involves frequent training, clear danger communication and strong security rules,” he explains.  “Advanced security tools and technology may also integrate cybersecurity into business culture and increase threat visibility. Multi-factor authentication, encryption and intrusion detection systems are the best cybersecurity safeguards for enterprises”. 

Section three: Cyber security threats and challenges

Figure 5: What is the most serious kind of attack your company experienced in 2022? 

Figure 6: What are the top three cyber security threats that you think will have the biggest impact in 2023? 

Figure 7: What are the top three challenges you face as a cyber security practitioner, unrelated to cyber security threats?

The top cyber security threats

When asked about cyber attacks, only 12 percent of respondents reported not experiencing a cyber attack in the past 12 months. The threat vectors seen across the regions are wide-ranging, although the top three are key employee/role targeting, malicious cloud apps and malware.

There have been a number of high-profile cyber security incidents linked to each of these threat vectors, one of the largest being the Medibank data breach, which saw the theft of 9.7 million customers’ data.

The data, which was partially posted online in an attempt to extort Medibank, was stolen after a hacker used a stolen Medibank username and password used by a third-party IT service provider to gain unauthorized access to Medibank’s network. The hacker was aided by the fact that Medibank had a misconfigured firewall which did not require an additional digital security certificate.

To protect customer data during cyber attacks, fellow of cyber security and governance at the Singapore University of Social Sciences, Anthony Lim, says that managers and cyber security professionals need to need to ensure basic data cyber security policies, solutions and practices are in place, including:  

• Proper password and authentication regime including the use of two-factor authentication.
• Data encryption wherever feasible. 
• A data-leakage prevention solution. 
• Network segmentation and access control. 
• Least privilege and zero-trust principles. 
• Firewall, anti-virus or anti-malware software. 
• Monitoring and logging of network and data movement activity.  
  Consistent patching and updating of software applications, operating systems, middleware and other software.

When looking to the future, the top threats the respondents thought would have the most impact in 2023 were distributed-denial-of-service (DDoS) attacks, malicious code commits and key employee/role targeting. 

These predictions are significant as there have been significant data breaches and cyber attacks within APAC over the past 12 months related to these threats. 

On February 23, 2023, a record DDoS attack was seen within the Asia-Pacific region. At its peak, the attack traffic was at 900.1GB per second. The attack was registered and mitigated by cyber security company Akami, whose primary business is content delivery networks (CDNs), who noted that the attack was launched against one of its customers within APAC. The attack itself was described as “intense and short-lived" with the 900.1GB peak lasting just a minute and the entire attack lasting just under five minutes.

Non-threat related challenges

The top cyber security challenges unrelated to cyber attacks were difficulty integrating cyber security into company culture, a lack of company-wide training/understanding of cyber security and a lack of visibility for threats. 

Dr Meisam Eslahi, Executive Director of Cyber Security at EC-Council Global Services notes that maintaining a comprehensive inventory of assets is fundamental for cyber security, as this enables cyber security teams to identify and catalog all digital and physical assets, such as servers, devices, software, data, and applications. This inventory is key in understanding an organization's digital landscape, enabling accurate risk assessment and resource allocation. 

“Accordingly, regular attack surface discovery helps cyber security teams to identify digital entry points as well as human and physical vulnerabilities. By mapping the attack surface, cyber security professionals gain insight into potential weak links that adversaries could target. Proactive threat modeling enables organizations to design and implement appropriate security controls, minimizing the likelihood of successful cyber attacks. Threat modeling ensures that security measures are aligned with potential risks, helping to prioritize resources effectively and ultimately enhance the overall security posture,” he explains.

Dr Eslahi also shares that cyber security teams can use threat modeling, asset inventory, and attack surface discovery to gain a comprehensive understanding of their organization's security landscape. This, combined with regular training can help foster a culture of continuous improvement within the team, helping them to keep up with security best practices and emerging cyber attack techniques.

When it comes to improving cyber security awareness and culture Dr Eslahi suggests companies implement security awareness training, tailored training programs, gamification and simulations. 

“To improve the cyber security culture across an entire organization, change must be promoted and implemented through a top-down approach in which C-suite executives and other company leadership members actively support and participate in cyber security initiatives. Incorporating knowledge-sharing sessions and cyber drills is highly recommended to actively involve higher management in cyber security efforts and facilitate integrating cyber security into the company culture,” he shares.

Section four: Cyber security investments and opportunities

Figure 9: How much do you agree with the statement: ‘our budget relating to cyber security has increased in the past 12 months’? 

Figure 10: Will you/your organization will spend more on cyber security in 2023 than in 2022? 

Figure 11: What cyber security controls are you/your business currently investing in? 

Figure 12: What are the three biggest priorities for cyber security investment for 2023?

When it comes to cyber security investment, it is undoubtedly increasing. When asked if their cyber security spending will increase in 2023, 64 percent of respondents said they will spend ‘slightly’ or ‘significantly’ more (Figure 10). This is in-keeping with the 36 percent of cyber security respondents said their budget had increased in the past 12 months (Figure 9).

The overall budget range dedicated to cyber security investment tends to be between 6-20 percent of a company’s overall IT budget (Figure 4), with 28 percent reporting a 6-10 percent budget allocation and 24 percent reporting an 11-20 percent budget allocation.

When asked what they are currently investing in, cyber security professionals said their companies are investing in email security, access management tools and endpoint security. Considering the top threats in 2022 (Figure 6) were key employee/role targeting, malicious cloud apps and malware and the predicted threats for 2023 (Figure 7), revolve around DDoS attacks, malicious code commits and key employee/role targeting, these investment choices make sense. Companies are attempting to guard themselves against these threat vectors by increasing the security controls that these attacks target.

EC Council’s Eslahi notes that investment in proactive controls is highly recommended as these controls are focused on detecting malicious activities at early stages and preventing vulnerabilities from being exploited.

“Secure configurations and proactive vulnerability management are crucial. Secure configurations prevent vulnerabilities through best practices aided by automated tools. Proactive vulnerability management identifies and addresses weaknesses promptly, reducing the risk of successful attacks,” he explains.

When it comes to specific investments, cyber security professionals said that their companies will be investing in cloud security, secure data management and employee security awareness and training in 2023 (Figure 12). 

These investment choices match up with the threat predictions and general cyber security difficulties cited earlier in the report. If DDoS attacks, malicious cloud commits and key employee or role targeting are going to be the top threat vectors companies are facing, investing in tools to increase cloud and data protection and security is wise. 

Additionally, investing in tools to help employees as a whole to understand, detect, respond to and mitigate threats will be of overall benefit to cyber security teams and companies as a whole. All these investments will help prevent cyber attacks, while also helping to protect key data and help business keep running as usual if there is a cyber security incident.

Final remarks:

There are unique challenges that cyber security professionals across APAC face. These include both threat-based hurdles as well as challenges they face in their day-to-day roles outside of cyber attacks.

Of the threat-based hurdles APAC-based cyber security professionals must face, the three most prominent threat vectors are DDoS attacks, malicious code commits and key employee/role targeting. Cyber security professionals can help guard against these by encouraging investment in cyber security tools that will provide protection from these threat vectors such as email security, access management tools and endpoint security.

Other challenges include non-threat-related issues, including difficulty integrating cyber security into company culture, lack of company-wide training or understanding of cyber security and lack of visibility for threats.

To mitigate these issues, C-suite executives and other company leaders must promote and implement cyber security initiatives. By incorporating knowledge-sharing sessions and cyber drill, higher management can become actively involved in cyber security efforts and facilitate integrating cyber security into the company culture

By doing this, cyber security professionals can protect their companies from the threats specific to their region, while also combating the role-related challenges that impact cyber security as a whole.