If security leaders in Europe and the United States have an abundance of confidence, those in the APJ region are a bit more measured, according to ExtraHop-sponsored research. Based on findings gathered by StollzNow Research, the ExtraHop Cyber Confidence Index—Asia Pacific shows how executive confidence can vary dramatically by region, even if underlying risks remain largely the same.
An earlier report, the ExtraHop Cyber Confidence Index 2022, found IT and security leaders in the U.S., the U.K., France, and Germany were likely overconfident about their organization's ability to prevent or mitigate security threats. For example, 77% of IT decision makers (ITDMs) in the U.S. and Europe were not just confident but very or extremely confident in their organization's ability to defend against cyberattacks.
Despite the noted optimism, 85% of those same U.S. and European respondents reported having experienced at least one ransomware attack in the previous five years, and 74% had experienced multiple attacks. Even worse: 42% of organizations that reported a successful breach admitted to paying ransom most or all of the time, and 62% admitted that attacks had succeeded because of shortcomings in the organization's cyberdefenses.
In contrast, ITDMs in Australia, Japan, and Singapore report more caution than confidence when it comes to defending against cyberthreats. In these countries, just 39% reported feeling very confident about defending against cyberattacks. That caution seems appropriate since 83% of organizations in the region have been breached by ransomware in the past five years.
Confidence is highest in Singapore. There, 52% of ITDMs are very or completely confident in their ability to handle cyber threats, and 88% are confident they can prevent attackers from breaking into their network. In contrast, 43% of ITDMs in Australia are confident about handling cyber threats. That number drops to 23% in Japan. In Australia, 77% are confident they can prevent attackers from breaking into their network, and almost the same percentage (76%) share that confidence in Japan.
Let's explore some of the factors that might contribute to the confidence or lack of confidence these security leaders reported. Along the way, we'll note how organizations in the Asia Pacific region compared to organizations in the U.S. and Europe.
Ransomware Attacks, Ransom Payments, and Transparency
In the U.S. and Europe, 55% of organizations had experienced 1–5 ransomware attacks in the previous 5 years, and 30% had experienced 6 or more. That means, on average, that 85% of organizations in these regions are experiencing one ransomware attack per year. Only 28% of these organizations never pay the ransom demanded by attackers. The rest of American and European organizations pay some or all of the time.
In Asia Pacific, the numbers were similar: 48% had experienced 1–5 ransomware attacks in the past five years, and 35% had experienced 6 or more attacks. When attacked, 45% of organizations paid the requested ransom—even while acknowledging that doing so likely increases the number of attacks. What might make that payment easier to bear (at least for now) is that 44% of ITDMs say that their organization is covered by specific or general insurance policies that would reimburse some or all of this expense.
Only 32% of organizations in Asia Pacific are transparent about ransomware attacks, letting the public know that the attack has taken place. Almost half (48%) will let some people know about attacks but try to keep the matter as private as possible. Another 20% of organizations tell no one. Despite this guardedness, 66% of ITDMs feel that it would be better if the public knew that these attacks were taking place.
When it comes to transparency, the numbers for American and European ITDMs are similar to those in Asia Pacific. A few more ITDMs in America and Europe (39% vs. 32%) say they are willing to make information about ransomware attacks public. A smaller percentage of American and European security leaders (34% vs. 48%) will notify some people—possibly regulators and government agencies—of an attack, but not disclose anything to the public, while a higher percentage (27% vs. 20%) limit the news as much as possible.
Response Times to Vulnerabilities
Because about 60% of successful data breaches take advantage of known vulnerabilities in IT infrastructure, the speed at which a security team can patch vulnerabilities greatly determines that organization's overall resilience to attack.
Too often, known vulnerabilities—even critical ones—go unaddressed for days, weeks, or even longer, giving attackers plenty of time to compromise a network, install malware, or launch some other form of attack.
In the Asia-Pacific survey, response times to vulnerabilities varied. Almost two-thirds (64%) of ITDMs reported patching vulnerabilities in three days or less, with an admirable 26% responding in less than one day—fast enough to defend against most attacks. Another one-fifth (21%) of ITDMs take a week to respond, which may give well-organized attackers an opportunity to strike.
What was more troubling was the fact that 8% report taking a month or longer to address vulnerabilities. Another 7% didn't know their response times at all, suggesting their organizations lack any defined process for identifying, patching, and tracking critical vulnerabilities.
Overall, Asia Pacific ITDMs reported similar response times to their U.S. and European peers. In both regions, 26% respond in less than a day, and 39% respond in one to three days. In the U.S. and Europe, 24% take a week to respond to vulnerabilities as opposed to 21% in Asia Pacific.
But in the U.S. and Europe, all ITDMs were able to report their response times, in contrast to the 7% of Asia Pacific ITDMs who couldn't say how quickly their organization typically responds to vulnerabilities. That uncertainty suggests unaddressed risks involving tools, people, and processes.
Security Staffing Issues and Budgets
In the world of cyberdefense, the tools used for defense matter—but people matter just as much. Every security operations center needs both adequate budgets and adequate staff. In Singapore, 87% of organizations have a dedicated internal security team. That number drops to 76% for Australia and 75% for Japan.
For some regions, recruiting is a challenge: In Singapore, 66% of organizations reported difficulty filling security roles, and in Australia, 63% reported recruiting challenges. Meanwhile, Japanese organizations are having a much easier time recruiting: Only 24% of respondents reported difficulty recruiting security team members.
In all three countries, the majority of ITDMs said that remote work makes it easier to find employees. Interestingly enough, although ITDMs in Japan cited the least difficulty recruiting for security teams, those ITDMs found remote work to be less helpful in hiring than ITDMs do in Australia and Singapore. In Japan, only 54% said remote work made hiring easier. In Australia, that number jumps to 71%, and in Singapore, it's higher still at 77%.
Staffing is also an issue for U.S. and European security teams—and the challenges don't stop when new employees are hired. Among ITDMs in those Western countries, 39% cited problems with the length of time it takes to train employees, and 29% cited problems with low morale among security team members.
If staffing is a scarce resource, financial investments may be used to compensate. In Asia-Pacific regions, ITDMs expect their budgets to increase. Budget increases are expected by 66% of ITDMs in Australia, by 70% of ITDMs in Singapore, but by just 48% of ITDMs in Japan. Reduced budgets in Japan might explain that country's dramatically lower confidence in cyber capabilities. Recall that just 23% of ITDMs in Japan are confident about their cyber defenses—about half the rate of confidence of ITDMs in Australia and Singapore.
As for where those budgets will be applied, the list is long and varied:
- 24% plan to invest the most resources in perimeter-based threat detection.
- 32% want to apply most resources to post-compromise threat detection.
- 42% will give equal weight to both perimeter and post-compromise threat detection.
- 42% plan to implement network detection and response (NDR) solutions.
Additional investments include training and staffing:
- 40% plan to hire a managed services company, augmenting or replacing their internal security staff.
- 40% plan to increase their internal dedicated security staff.
- 46% plan to invest in staff threat training.
- 47% plan to invest more in social engineering attack prevention, such as phishing and business email compromise.
- 49% hope to accelerate threat identification, enabling security teams to stop attacks before they can move laterally and cause widespread damage.
Outdated Security Postures
The planned investments are urgent for today's security leaders, as the attack surface—the sum total of all the possible attacker entry points into a network—is vast. With more devices, more distributed cloud services, and more remote users than ever before, the security of distributed attack surfaces can be easily jeopardized by outdated security postures, including:
- Unmanaged devices, including IoT and network-connected laptops and tablets used by employees working from home.
- Slow response times to patching vulnerable devices, including employee devices, application servers, and cloud systems.
- The use of outdated protocols such as SMBv1, which Microsoft officially stopped supporting in 2014 and which has been used by WannaCry and other types of ransomware.
In Australia, Japan, and Singapore, half of all cybersecurity incidents are the result of outdated security postures, making it critical that organizations in these countries modernize their security capabilities. That means updating devices, improving visibility into the network, improving threat detection capabilities, and strengthening attack remediation capabilities.
Looking Ahead to Stronger, More Resilient Cyber Defenses
Singapore seems to be off to a strong start. In nearly every category, ITDMs in Singapore reported more confidence, more capabilities, more tools, and more budget. Australia came in second, and Japan came in third—sometimes a distant third.
In all these countries, it's going to be critical to implement improved perimeter and network defenses sooner rather than later. After all, across Asia, Europe, and the U.S., organizations are experiencing a ransomware attack every year. Given the high costs of those attacks in terms of IT expenses, lost business, damaged reputation, and—in some industries—regulatory fines, it's essential for organizations to do everything they can to defend against these attacks.
When organizations have truly strengthened their threat detection and mitigation capabilities, then the high confidence of ITDMs in any country will be well-founded, not misplaced.