While executive confidence in cyber resilience is taking hits around the world due to the massive increase in activity in recent years, a Marsh and Microsoft survey published in June finds that it remains high in the Asia-Pacific region despite 64% of businesses now reporting that they have been hit by a cyber attack.
The rise in attacks sparked by the Covid-19 pandemic and rapid onboarding of digital services has not shaken the confidence of 70% of organizations in the region, though almost half acknowledge there is still room for improvement. The Microsoft/Marsh survey examines whether this confidence in cyber resilience stems from truly strong defensive posture, or a misunderstanding of the threat landscape.
Cyber resilience survey: Confidence may be misplaced as organizations overlook necessary controls
The survey includes the input of 660 decision makers throughout the region, in roles ranging from CEO to CISO to risk management. Over 69% said that they are confident in their organization’s risk management program, in spite of over half now having been targeted for a cyber attack (and a regional rate of attacks that is 5% greater than the global average). This optimism is somewhat tempered, however, as only 11% said they were “highly” confident in their cyber resilience; an additional 58% said that they were “fairly” confident.
48% of respondents did say that their programs could use some improvement. If that group fully contains the 31% who said they were "not confident" in their cyber resilience, then only 17% of all respondents, drawn from the 69% who are confident, feel their programs currently have flaws. However, there are signs in the survey that a much greater number may have issues they are not aware of.
One is that regional evaluation of cyber risk trails well behind the global average. 63% of global respondents say that they actively evaluate their risk, but only 50% of respondents in Asia report doing so. These evaluations also tend to be more reactive than proactive: the share of organizations in Asia that say they evaluate only after a cyber attack or incident has already happened is about double the global average.
Asia is also lagging in active improvement of device, system and network security. 74% made improvements in this area in the prior year, which at first glance might seem like a reasonable number. However, it trails a global average of 91%. This is also in spite of reporting that data breaches and privacy issues were the leading security concern. The region lags in several other risk management categories: improving data protection capabilities, conducting penetration tests, and integrating cybersecurity into business continuity plans. However, it is also ahead of the global average in a number of areas: redefining organizational cybersecurity roles and responsibilities, conducting vendor and supply chain risk assessments, conducting business interruption valuations, adopting DevSecOps, and conducting post-mortem reviews after a cyber attack.
Across the board, organizations in Asia also lag behind in implementing vital cyber security risk controls: endpoint detection and response, cybersecurity and phishing awareness training, keeping secure and encrypted backups, email filtering and making use of web security measures.
Reasons and solutions
Why are organizations in Asia tending to not actively evaluate their cyber resilience? Internal business consensus is roughly even with the global average, so that is not the issue. The big differences are in lack of data and lack of talent. Companies primarily seem to be having problems hiring the skilled professionals needed to conduct evaluations. This includes evaluation of financial exposure, the rate of which is under half the global average. The cybersecurity expert market is tight for businesses just about everywhere, but a recent ISC2 study found that Asia is carrying nearly two-thirds of the unfilled positions in this shortfall.
And when they do happen, cyber resilience evaluations may not be tracking with what is actually present in the threat landscape. For example, organizations in Asia name privacy breaches as their biggest worry, but the results from around the globe indicate that ransomware is the biggest threat.
What can be done to close these cyber resilience gaps? The study concludes by recommending a focus on advanced analytics and benchmarking, financial exposure quantification and regular cyber security assessments. It also recommends key controls that should be implemented: multi-factor authentication, privileged access management (PAM), email filtering, phishing testing and replacement of end-of-life systems among them.
But Marsh Cyber Risk Practice Leader Tom Reagan cautions that building resilience requires a holistic approach; simply tuning up one or two elements or adding a couple of new security features will not substantially improve existing deficits. Reagan advises that this should begin with improved cross-enterprise communication to bridge gaps and ensure that all departments and employees understand their particular response and defense responsibilities.