Stagnant budgets a major cybersecurity barrier

0

While attacks are increasing in frequency and severity, cybersecurity budgets remained largely unchanged as a percentage of revenue between 2019 and 2021. At the same time, 54 per cent of businesses in Malaysia stated that their cybersecurity budget is below where it needs to be, a slight improvement from 60 per cent in 2019. — AFP photo

KUCHING: The Covid-19 pandemic has generally accelerated digitisation across Asia but cybersecurity expert Sophos pointed out that countries such as Malaysia continue to underestimate the impact of cyberattacks.

Based on its recent survey report ‘The Future of Cybersecurity in Asia Pacific and Japan’, in collaboration with Tech Research Asia (TRA), it highlighted that despite cyberattacks increasing, cybersecurity budgets have remained stagnant and executive teams continue to underestimate the level of damage threats can do to organisations.

In a press statement, it said, 44 per cent of Malaysian organisations say they fell victim to a successful cybersecurity attack in the last 12 month and nearly 50 per cent of organisations surveyed suffered one to 10 attacks, per week.

According to Deputy of Communications and Multimedia Minister Datuk Zahidi Zainul Abidin, local incidents involving cybersecurity have increased by 109 per cent since the Covid-19 outbreak.

While attacks are increasing in frequency and severity, cybersecurity budgets remained largely unchanged as a percentage of revenue between 2019 and 2021. At the same time, 54 per cent of businesses in Malaysia stated that their cybersecurity budget is below where it needs to be, a slight improvement from 60 per cent in 2019.

“Ultimately, security is about right sizing the risk. If the risk increases, budgets should also increase, but in this climate of uncertainty, we’ve seen organisations take a conservative approach to security spending, which is impacting their ability to stay ahead of cybercriminals,” said TRA lead analyst and director Trevor Clarke.

Across Asia Pacific and Japan (APJ) the number one frustration identified by companies is that executives assume cybersecurity is easy and that cybersecurity threats and issues are exaggerated. A lack of budget ranked second, followed by the struggle to fill cybersecurity roles.

“The end of 2020 showed us just how bad a global supply-chain attack could be and when this was followed by the more recent zero-day vulnerabilities in widely deployed email platforms, it is clear that the boardroom needs to lead by example and demonstrate unification when it comes to cyber resilience. Every employee from the top down is responsible for cybersecurity,” said Sophos Malaysia country manager Wong Joon Hoong.

Nearly 60 per cent of Malaysian businesses agreed that their company’s lack of cybersecurity skills is challenging for their organisation with nearly 50 per cent agreeing that their organisation does not have the team in place to properly detect, investigate and respond to security incidents. This signifies there is a gap in cybersecurity skills in Malaysia.

However, recruiting quality cybersecurity talent remains a challenge. A lack of suitable staff and budget constraints continue to hinder organisations from obtaining the skills they require in-house.

It also pointed out that 68 per cent of companies in Malaysia struggle to recruit candidates with the necessary skills.

“Covid-19’s impact on remote working accelerated transformation, but exposed vulnerabilities Covid-19 had a positive impact on cybersecurity, with 71 per cent of companies agreeing that the outbreak of Covid-19 was the strongest catalyst for upgrading cybersecurity strategy and tools in the past 12 months,” it said.

At the same time, 59 per cent of businesses in Malaysia agreed that they were unprepared for the security requirements that were driven by the sudden need for secure remote working caused by Covid-19.

“Covid-19 compelled companies to refresh their cybersecurity strategies, yet the transformational shift to remote working also exposed additional weaknesses. Businesses have transformed their workplace environments, undergone an accelerated period of digitisation, yet continue to confront systemic cybersecurity issues, including executive apathy, low budgets and a lack of skilled cybersecurity professionals.

“Despite improvements made, progress remains slow, reinforcing our belief that cybersecurity is never ‘finished’ and requires a constant focus, both from technological and cultural viewpoints,” said Clarke.