Cyber leaders in APAC not confident in their organization’s cybersecurity, EY suggests boosting defense

  • Less than half consider their organization well positioned to take on cyber threats
  • Difficulty balancing security and innovation is one of the top internal challenges for an organization’s cybersecurity approach
  • 51% say the war on cyber cannot be won, companies can only adapt faster

While the number of cyber threats and associated costs are increasing, cybersecurity leaders appear to be struggling with the effectiveness of their organization’s defenses, according to the EY 2023 Global Cybersecurity Leadership Insights Study.

The survey of cybersecurity leaders in the Asia-Pacific region (APAC) finds that less than half (49%) consider their organization to be well-positioned to take on the cyber threats of tomorrow. Half of respondents (51%) also appear skeptical about the effectiveness of the training that their organizations provide, and just 40% are satisfied with the levels of adoption of best practices by teams outside the IT department.

At the same time, cyber leader respondents report mounting costs associated with cybersecurity investment. The majority of CIOs (66%) say that their organizations spent approximately 1-5% of total revenue on the IT budget in 2022, while 59% say that in 2023 the IT budget increases to 6-10% of total revenue. In terms of incidents and breaches experienced in 2022, 45% of respondents said their organizations faced 25 to 49 incidents and 10-24 data breaches, with 9% reporting a total cost of more than 6 million USD.

Pennapa Pookkarat, Partner and Technology Consulting Leader, EY Thailand says:

“A rise in the number of cyber-attacks globally has spurred the attention and investment in cybersecurity. The trend has also been observed in Thailand. Cybersecurity has become one of the investment priorities for companies, especially those in the sectors that are vulnerable to cyber-attacks such as financial services, healthcare, retail, and e-commerce. Regulatory requirements and continually evolving cyber threats are CIOs’ focus, which they take into consideration to construct solid walls to defend against the attacks.”

Barriers to adoption

Most organizations have already implemented at least one technology in their approach to cybersecurity. According to the survey, the most common technologies used are Artificial Intelligence (AI) and/or machine learning, zero trust framework, and passwordless authentication. While CIOs focus on improving their cyber defences, they have faced challenges in doing so. The top three internal barriers are: too many attack surfaces (52%), difficulty balancing security and innovation (50%), and inadequate cybersecurity budget (44%).

Kamonwan Tunpichai, Consulting Partner, EY Thailand says:

“Organizations have set their access control and complexity elimination for cybersecurity, but attack surfaces are their top internal challenge to deal with. Another pitfall lies in an unclear cybersecurity strategy. Executives can mix up the drive for innovation with the need for security. In addition, insufficient resources, including budget and skilled employees, can hinder the ability to effectively address cybersecurity, potentially leaving it unprepared to keep up with evolving threats.”

Simplify to survive

A wave of new cybersecurity technology adoption is imminent, bringing along new risks. More than half of APAC CIOs (52%) say the war on cyber cannot be won, companies can only adapt faster. The study reveals four practical actions that provide security through simplification:

  1. Review legacy systems that are duplicative or poorly integrated
  2. Consider automation-led approaches including DevSecOps and SOAR
  3. Seek to adopt a platform-based approach to cybersecurity technology
  4. Pursue co-sourcing and a managed services approach that simplifies infrastructure, increases visibility, and provides cost efficiencies

Pennapa says: “Organizations cannot assume cyber risk is fully being handled by their service providers. Cybersecurity needs to be embedded throughout the organization by implementing a comprehensive awareness program to educate employees. Regular risk assessments to identify vulnerabilities and prioritize security measures are required, as well as having a well-documented incident response plan and regular tests to ensure effective response to different threats.

“Instilling a culture of being brilliant at the basics of cybersecurity across the organization can drive value, generate the confidence necessary to innovate, and create business opportunities.”