An IT specialist performs a hacking demonstration. (Photo by DENIS CHARLET / AFP)

How cyber ready is APAC:  Understanding today’s cybersecurity trends

Article by Stanley Hsu, Regional Vice President of Asia at Mimecast

Despite many organizations investing in cybersecurity, the threat landscape today remains challenging because of businesses undergoing digital transformations, hybrid workplace models, and interconnected digital supply chains expanding the attack surface. With cyber threats evolving, organizations are at increased risk, whether it’s ransomware, business email compromise (BEC), impersonation fraud, spear-phishing, tech support fraud, or identity theft.

Rise of industrial cyber attacks

Ransomware attacks have grown drastically in the last few years with modern ransomware gangs now not only stealing data but also encrypting it and thus compromising the availability of critical resources required to carry out daily business processes.

Moreover, attacks have started targeting a wider range of industries that historically faced fewer cyber threats, leading them to lower their guard regarding cybersecurity. With these industries having viewed themselves as safe from cyberattacks, cybercriminals have realized that they have large vulnerabilities in terms of their awareness and protection. Hence, these industries have become soft targets.

For instance, engineering and construction companies can be at risk for cyberattacks due to their knowledge of physical security while being underprepared for cybersecurity. Similarly, legal firms face attacks like phishing and BEC, and these attacks can be a financial burden as well as a reputational one.

Manufacturing firms are at a heightened risk of cyberattack due to their valuable data, while the financial services industry is facing challenges with customer data coming under attack, reputation at risk, and compliance mandates to meet.

Educational institutions are encountering increasingly sophisticated threats to their intellectual property and student’s and staff’s personal details. Healthcare and medical organizations which store enormous electronic healthcare records containing huge quantities of personal information and financial details are also being targeted.

The increase in data breaches and security breaches for state and local government agencies is reaching unprecedented levels, whether spying, hacktivists trying to promote their political views or cyber criminals.

Navigating the cyber landscape in Asia Pacific

cybersecurity of

Stanley Hsu, Regional Vice President of Asia at Mimecast

Low barriers to entry for criminals, greater sophistication of attackers’ operations and targeting, and a broader range of threats (with ransomware and nation-state threats increasing in particular) mean that attacks are now more frequent and varied, and potentially costly. At the same time, as interlinked, web-connected devices are burgeoning, the digital and physical are blending. Supply chains are extending and interconnecting, and remote and hybrid working models are being adopted via collaboration tools, all of which are expanding the attack surface.

According to Forrester, last year 68 % of Asia Pacific (APAC) organizations were breached in 2021, up from 61% in 2020, highlighting that the overall APAC region is unprepared for the storm of cybersecurity breaches. In the same year, nearly every organization surveyed in Singapore (97%) in Mimecast’s State of Email Security report was the target of a phishing attack, with these attacks becoming more frequent. Moreover, 84% of the organizations surveyed also received an increased number of email-based threats – the largest amount globally, marking Singapore and the APAC region as key targets for threat actors.

Large-scale strikes also rose, seeing Indonesia and South Korea taking a hit on their crucial infrastructures, distributed denial of service (DDoS) attacks taking banks in New Zealand offline, and Australian power stations shutting down due to an attack on an energy supplier.

Inconsistent cybersecurity maturity across APAC a challenge

The lack of alignment on regulation and variations in cyber maturity across APAC makes a unified response difficult. Despite cyber threats crossing borders, cybersecurity regulation in the region remains fractured and localized, with a lot to be done toward harmonization. As per the Global Cybersecurity Index, the maturity levels across APAC have Singapore (4th), Malaysia (5th) and Japan (7th) making it to the global top ten, with India and Australia (10th and 12th) not far behind. Other nations, such as the Philippines (61st) and Myanmar (99th) fare less well, while smaller territories including the Solomon Islands (166th) and Timor-Leste (173rd) are near the bottom of the table.

Cybersecurity advancement despite inconsistent regulations

Disparities in awareness and resourcing are heightened by different data privacy laws and regulations in each country, often even among local states. There is an emerging trend toward common ground. The European Union’s (EU) General Data Protection Regulation (GDPR) measures are increasingly driving global alignment, and some nations’ standards, such as those of Japan, are comparable with the EU’s.

Singapore recently changed its Personal Data Protection Act to tighten rules surrounding the misuse of data and mandatory reporting, while Thailand’s legislation was updated this year to more closely mirror GDPR. South Korea has required IT businesses to report hacks since 2004.

While privacy laws across territories cover similar ground, there are differences. For example, Australia’s Privacy Act does not make a distinction between data controllers and data processors, unlike the EU. Others lag behind the standards set by GDPR, and while Australia is introducing tough new laws (particularly surrounding critical infrastructure), other highly developed economies, such as Hong Kong, are still waiting while legislation is developed. India still doesn’t have an overarching cybersecurity framework, instead relying on a hotchpotch of laws and individual regulators.

Geopolitics, tight budgets affecting CISOs

The lack of standardized regulation is not the only problem facing APAC nations. An increase in state-sponsored attacks, territorial tensions and wars is further adding to complications. Adding the rise of ransomware and the risk associated with increased remote working, it’s no surprise dark clouds are looming for many chief information security officers (CISOs) across the region. Almost three-quarters of respondents to an Ernst & Young survey noted an increase in the number of disruptive attacks in the last year – and 47% warned that their budgets are not sufficient to manage new challenges.

Finding a way: Technology and Collaboration

Successful implementation of cyber defenses fluctuates across APAC. A recent cyber readiness report stated that 40% of Australian firms were confident in the maturity of their software supply chain risk management, compared to only 26% of Japanese and 35% of Indian companies. Contrastingly, 31% of Japanese organizations had fully developed zero-trust frameworks, compared to only 16% in Australia.

In this challenging environment, zero trust, extended detection and response (XDR) and better cloud management are among the measures that can help businesses across APAC increase their cyber resilience. However, the majority of businesses believe governments must lead the change – around 9 in 10 respondents felt formal government initiatives would significantly reduce cyber risk.

Finding cybersecurity opportunities despite the threats 

With APAC now the number-one target of cyber attackers around the world, organizations must raise their cyber game. Building a competent cybersecurity strategy and making sure that the organization has the funds and resources to realize it, is essential. New threats require new solutions, including holistic cloud defenses, effective use of automation, and zero-trust frameworks.

A good starting point for CISOs would be to benchmark their security against global cybersecurity frameworks, even if their local market doesn’t require it. It’s also an authoritative approach to enhance their organization’s profile and gain access to new markets.

To bring this to fruition, effective regulation and more collaboration are required at the governmental level. Cross-border initiatives, such as the Association of Southeast Asian Nations (ASEAN)’s continued cybersecurity collaboration and new legislation in countries across the region may help – but for the moment, businesses must take ownership of their defenses.


The views in the article are of the author and may not represent the views of Tech Wire Asia.