Even with the rising incidents of ransomware and reports of high-profile data breaches, only 47% of Philippines companies surveyed in Sophos’ research believe their board truly understands cybersecurity.

Sophos’ study “The Future of Cybersecurity in the Asia Pacific and Japan,” in collaboration with Tech Research Asia (TRA) “reveals a lack of boardroom awareness of cybersecurity, and a broad assumption from executives that their company will never get attacked.”

The report surveyed a total of 900 responses from respondents across Australia, India, Japan, Malaysia, the Philippines, and Singapore.

Conti, Karma ransomware launch attacks at the same time — Sophos
Ransomware attacks drive Zero Trust security adoption — Sophos

Eighty-nine percent (89%) of respondents from the Philippines also believe cybersecurity vendors do not provide them with the information they need to help educate executives, and 95 % of Philippine companies agree their biggest security challenge in the next 24 months will be the awareness and education of employees and leadership.

Attack vectors

The top two attack vectors of concern for APJ organizations are directly addressable by ongoing education and awareness campaigns: phishing or whaling attacks, and weak or compromised employee credentials.

“With ransomware attacks continuing to become more complex, organizations need a genuine, actionable cybersecurity education program,” said Aaron Bugal, global solutions engineer, APJ, at Sophos.”The current reactionary tendencies we’re seeing have created an ‘attack, change, attack, change …’ cycle regarding cybersecurity strategies, which is putting cybersecurity teams constantly on the backfoot. Shifting priorities to become more proactive must start at the top and requires direction from executives, including investments in awareness and education across entire organizations,”

Cybersecurity education must become a focus, according to Sophos. The following is a five-step approach to help bring organizations up to speed on cybersecurity education:

1. Boards need help to understand it’s impossible to protect everything and learn to prioritize the most critical information, data, and systems to protect.
2. Education courses on basic principles, the genuine likelihood of an attack, attack vectors, threat actors, and other terminology should be available to all staff.
3. Once the basics are clearly defined, organizations need to develop strategies and integrate them with digital transformation programs.
4. The focus then becomes more operational in nature: applying legislation, breach response protocol, ransom payment policy, gap assessments, and future roles and obligations.
5. Businesses need to clearly understand compliance, the regulatory environment under which the business operates, what’s legally required when breached, and what are the appropriate controls around data security and management.