APAC firms see clueless employees as biggest security threat

Almost half of companies across five Asia-Pacific markets view employees' lack of cybersecurity awareness as the biggest threat, with 67 percent describing internal threat as a risk to the organisation.
Written by Eileen Yu, Senior Contributing Editor

Nearly half of companies across five Asia-Pacific markets believe employees who are clueless about cybersecurity pose the biggest challenge, ranking them above external suppliers.

Another 67 percent said it was extremely or somewhat likely that internal threat, such as employees downloading unauthorised attachments and software, was a cybersecurity risk for their organisation, according to survey findings released by Palo Alto Networks. The study polled 500 respondents in Singapore, China, India, Australia, and Hong Kong.

Some 47 percent believed the lack of employee awareness was the biggest cybersecurity challenge for their organisation, compared to 36 percent who pointed to third-party service providers and suppliers and 31 percent who said cloud migration.

Another 29 percent believed legacy IT systems were their company's biggest cybersecurity challenge, while 25 percent pointed to the lack of management support.

Unsurprisingly, 46 percent said difficulty in keeping up with the changing cybersecurity landscape was their primary barrier in keeping their organisation secured. Some 41 percent said the lack of IT security professionals was the biggest barrier, while 36 percent pointed to insufficient budgets.

The study, however, revealed that 74 percent dedicated between 5 percent and 15 percent of their overall IT budget to cybersecurity. Amongst financial companies with more than 500 employees, this figure was 86 percent.

Across the region, 66 percent said their IT security budgets had increased over the previous year. This was highest in India, at 92 percent, followed by China's 78 percent. In comparison, 52 percent in Hong Kong saw bigger budgets this year as did 50 percent in Australia.

Notably, 33 percent of healthcare organisations across the region saw their IT security budgets shrink compared to the previous year.

Some 97 percent in China said their organisation had a dedicated cybersecurity team or department, followed by 95 percent in India and 86 percent in Singapore.

Amongst public sector organisations in the region, 97 percent had dedicated IT security teams as did 90 percent of financial companies.

Some 58 percent believed a "detect and respond" approach was more important than prevention. Furthermore, 69 percent had implemented antivirus tools, while 67 percent had firewalls and 53 percent used spam filters.

However, just 27 percent had adopted two-factor authentication and 25 percent had implemented anti-ransomware tools. Another 22 percent had biometrics.

When asked, 46 percent said their organisation had experienced between 1 and 10 security breaches in the past year, while 6 percent clocked at least 11 such incidents. Some 48 percent said their organisation had not been breached.

Amongst those that had experienced a cybersecurity breach, 16 percent estimated that the resulting financial damages were no more than US$10,000, while 17 percent said it was between US$10,001 and US$50,000. Some 3 percent said their organisation lost at least US$1 million as a result of cybersecurity breaches.

"Cyber threats are not problems you can solve simply by increasing budgets," said Sean Duca, Palo Alto Networks' Asia-Pacific chief security officer and vice president. He urged leadership teams to support their organisation's cybersecurity efforts and companies to understand the threat landscape in order to implement more effective policies. This, Duca said, should include employee education.
