Enterprise cybersecurity in the Asia-Pacific region

Almost one in five business organizations in the Asia-Pacific (APAC) region experienced more than six security breaches in the past two years, a new ESET enterprise cybersecurity survey has revealed.

ESET polled over 1,835 managers and C-level executives working in organizations in a variety of industries in India, China, Hong Kong, Taiwan, Japan, Thailand and Indonesia, and also found that:

• 91 percent of organizations have a cybersecurity awareness program. The percentage reaches as high as 97 for China and 95 for Thailand and Indonesia, and is a surprising low of 82 for Japan
• 63 percent think it is critical for the countries to have a strong regulatory framework governing cybersecurity (Indonesian respondent more than others – 78 percent – while Japan is again bringing up the rear with 41 percent).

As these are extremely diverse countries with disparate laws and business realities, these and other discrepancies paint an interesting picture of each.

China and Japan

In China, for example, 86% of the respondents positively view the e-commerce law passed in August 2018, which aims to reduce the amount of counterfeit and knock-off merchandise on sale, but also hopes to address false advertising, consumer protection, data protection and cybersecurity.

57% of Chinese respondents feel that their government has been doing a good job in regulating cybersecurity practices and creating a safe environment for everyone.

“Many [Chinese] organisations have adopted multiple cybersecurity solutions and frequently utilise 2FA for added security,” ESET researchers found.

In contrast, and despite Japan being a technological powerhouse:

• 57 percent of Japanese respondents believe the government’s effort to revise the country’s cybersecurity guidelines for the different infrastructure sectors will have a negative or neutral impact
• 62 percent don’t believed that changing cybersecurity measures or systems can drive innovation
• 68 percent are “unfamiliar” or, at best, “averagely familiar” with their country’s cybersecurity regulations.
• 39 percent said that they were not likely to employ encryption in the future.

“Overall, while Japanese people may not have a positive impression of encryption, 64% of their IT teams place an emphasis on organisational security. This may be an indication that Japan is more preferential to conventional means of cybersecurity and that they have sufficient manpower and resources in place to keep them safe. Their reluctance to employ effective solutions will make them hesitant to adopt any new policies,” ESET noted.

“Additionally, their reliance on manpower could however lead to human errors, which has been identified globally as one of the top reasons for data breaches. Thus, it appears that the Japanese are not utilising their tech resources effectively to keep themselves secure.””

Hong Kong and Taiwan

Hong Kong’s Office of the Privacy Commissioner for Personal Data is looking to review the country’s data protection legislation, which has been last updated in 2012, and the move has been welcomed by local organizations.

Respondents from Hong Kong, though, are not as confident as Chinese mainlanders in the government’s cybersecurity efforts: only 25% of those surveyed indicating the government has been doing a good job in regulating cybersecurity practices.

Most Taiwanese respondents, on the other hand, are confident that Taiwan‘s Cyber Security Management Act (2018) will have a positive impact.

72 percent of them believe it to be adequate for ensuring a digitally secure environment. The rest would like to see the government employ dedicated cybersecurity experts to help corporations update their cybersecurity measures, increase education on the importance of cybersecurity, and more.

Indonesia, Thailand and India

“Overall, cybersecurity in Indonesia is perceived to be rudimentary. Survey findings revealed that basic levels of cybersecurity were more prevalent within organisations,” ESET noted.

“For example, IT departments in Indonesia take on the responsibility of basic services, with the first being optimising IT networks and systems (26%). Deployment of advanced, defensive capabilities to prevent data breaches however were ranked only third, at 19%.”

Most Indonesian respondents believe the current Data Protection Regulation is adequate in protecting consumer data, but would generally like to see stronger enforcement and be provided with clearer cybersecurity directives.

24 percent of the organisations surveyed in Thailand reported experiencing a security breach in the past two years.

Thought the two new laws recently passed by the Thai government – the Personal Data Protection Act and the Cybersecurity Act – are still too fresh for their effectiveness to be definitively known, they are mostly viewed positively.

Thai organizations’ cybersecurity efforts are challenged by difficulty in finding qualified cybersecurity professionals and risk from third-party service providers.

India, according to the findings, appears to be on the right track in prioritising cybersecurity.

“87% of respondents prioritise securing data as the top reason behind data encryption. 90% of businesses indicated investing in solutions for encryption residing at all endpoints, reinforced by 95% of organisations storing these encrypted files on cloud-based applications. In addition, businesses are still open to more security solutions, with a large majority indicating that they would adopt data encryption in the near future,” the survey showed.

The biggest problem for Indian organizations is their cybersecurity infrastructure, which should be updated and made more robust. Those efforts are stymied mostly by a lack of cybersecurity knowledge and more important investment priorities.

“The lack of investment also correlates with poor cybersecurity knowledge amongst employees. 52% of cyber-breaches in India were caused by human errors and employees’ mishandling of sensitive information,” ESET added.