Sophos: Companies must create strong cybersecurity culture

Sophos, a company focused on next-generation endpoint and network security, released its report “The Future of Cybersecurity in the Asia Pacific and Japan – Culture, Efficiency, Awareness,” which highlights that companies need to beef up their cybersecurity efforts even as awareness continues to grow.

The report noted that few organizations in the region have reached a high level of security maturity: less than one-third of respondents said they are at the top “optimized” maturity level, and the majority acknowledge that they have a low level of security maturity.

The comprehensive research program, conducted by Tech Research Asia and commissioned by Sophos, used multiple methodologies and involved 900 cyber and information security decision-makers in Australia, India, Japan, Malaysia, the Philippines, and Singapore.

However, awareness alone is not enough to prevent data breaches or cyber-attacks, which compromise not only user data but the company’s reputation as well. Unfortunately, companies often realize the magnitude of a sub-optimal approach to cybersecurity only after they have already experienced an attack. Firms need to internalize that attacks happen every day, ranging from small-scale attacks that go unreported to high-profile data breaches that affect millions.

Skills shortage

In spite of the noise cyber attacks have generated in the past year alone, the Sophos report underscores the continuing skills shortage in cybersecurity. While other areas of technology enjoy a deluge of talent, cybersecurity has lagged behind in developing practitioners, even as the field becomes more crucial every day.

Sumit Bansal, managing director, Sophos ASEAN and Korea, noted how one organization has two chief information security officers (CISOs) serving 8,000 employees.

The report noted, “It was evident that communication, education, strategy determination, and resourcing demand a dedicated cybersecurity lead that is not at risk of being subsumed into and distracted by the broader IT environment issues.” Two-thirds of organizations struggle to recruit, and find it difficult to keep up with the pace of developments, research, and news.

The report highlights that the “human” factor is one of the key issues in a company’s security journey. More than 70% of respondents say educating employees and leadership is the biggest challenge, and 60% struggle to provide that education. This is in spite of the finding that 50% of incidents are caused by internal employees or partners.

There is still a long list of reasons cybersecurity has not been among the priorities, despite the threats that companies which have undergone digital transformation face every day.

Bansal said that a lack of budget, a lack of understanding of the complexity of the issues, misleading messaging from security vendors, and a lack of resources all contribute to cybersecurity being relegated to the least prioritized items in operational expenses.

The report reflects the challenges security professionals face when talking to business leaders, with two in three respondents struggling to convince the business that security must be a priority. Across the region, there is a perception at the C-level that security isn’t that hard and that one can simply buy “over-the-counter” solutions to keep threats away, which is utterly wrong.

Underequipped, underfunded, and undereducated security teams are unlikely to detect breaches in their most critical early stages. Attacks have evolved into a different breed: cybercriminals leverage disruptive technologies as much as organizations do, and attacks are increasingly automated and carried out remotely. Generic solutions therefore can’t always protect companies.

The report recommends that companies take note not only of the many technical issues related to cybersecurity today. While multiple vulnerabilities and risks relate to technology alone, there are also considerable improvements to be made in non-technical areas in addition to technology investments.

Sophos suggests that companies must combine highly skilled experts and a robust platform with improved operational and cultural emphasis if they want to improve their cyber hygiene and prevent, detect, and stop attacks.