Organisations across South East Asia are currently waging war on two fronts. On one front is the ominous and omnipresent threat of a cyber security attack. On the other is the increasingly fraught scramble to hire qualified individuals in the cyber security sector. Both are of high concern for the region’s business community, with the majority of leaders preparing for data theft, advanced persistent threat and ransomware attacks.
Organisations may simply outsource their security operations to a vendor or managed services provider and call the job done. However, such an approach should not be an organisation's sole posture. Instead, SEA business leaders need to be prepared to tackle emerging cyber security threats head-on, both protecting themselves and the entire community from within.
Intervention and investment needed
During the past two years, an unprecedented wave of lucrative ransomware attacks and harmful software supply chains have hit the marketplace. The former, whereby attackers lock up or encrypt an organisation’s files in exchange for high, crypto-based ransoms, have cost businesses billions of dollars. The latter has put companies on alert in the wake of the 2020 revelation of Russia’s infiltration of SolarWinds' Orion software in the US Federal Government. Organisations remain locked in a game of cat and mouse with cyber attackers, who remain 10 steps ahead with creating new threats against the cloud, software supply chains and now the metaverse. And as attackers increasingly use artificial intelligence (AI) and machine learning (ML) to create convincing scams, more individuals and organisations risk falling victim to a major attack.
One thing is certain: without the necessary skills, SEA organisations will be powerless against these evolving threats. Yet, a recent study found that just 5 percent of IT professionals in the region have the technical knowledge and experience to analyse attacks on their networks. In addition, organisations are struggling to hold onto their existing talent. A global report found that cyber security teams were struggling with increased workloads and a high burnout rate. On top of this, many were left with unfilled open job requisitions.
In part, these employment gaps are understandable. The last decade has witnessed an unprecedented level of technological advancement, in particular the shift en-masse to cloud computing and software-as-a-service models. Meanwhile, advancements in AI, APIs and the metaverse have created a host of new technical challenges. In essence, this incredible rise of digital transformation has caught many organisations off-guard, leaving them both unprepared for evolving cyber threats and with many gaps in their IT and network architectures.
Training and upskilling an entirely new fleet of cyber professionals is a long-term game. In the short-term though, business leaders may look to boost their own talent numbers by looking beyond traditional cardboard cutout cyber security professionals. Hiring managers need to expand their breadth of candidates from simply people with four-year degrees in computer science. Businesses may elect to be open to applicants with non-traditional backgrounds, including those whose employment history sits outside the IT industry. Doing so means investing in technical skills through on-the-job training and industry certifications. Executives in SEA can at least take solace in that they are not alone in their dearth of cyber security talent. Microsoft recently claimed that there will be 3.5 million cyber security jobs open globally by 2025 - a 350 per cent increase over eight years. Without intervention and investment, SEA businesses could see more threats slipping through the cracks.
So just how can businesses strengthen their systems and prevent cyber attacks? The first step is to foster a healthy, open company culture from top to bottom. Employees should be made to feel comfortable reporting cyber risks or information-sensitive behavioural concerns. They should also be adept enough to spot suspicious cyber activity, such as potential email phishing scams. This can be achieved by increasing employee awareness of the latest system updates and new cyber threats circulating. Prioritising cyber resiliency also necessitates investing in cyber expertise, particularly chief information security officers (CISOs), and empowering them to make business-critical decisions in real time. Business leaders who work closely with CISOs and security talent, including inciting them into the c-suite, will see maximum benefit from their investment.
The trickle-down effect of this will be more skills development and growth opportunities for mid-level and junior cyber security and tech staff. Finally, continuous financial investment in systems, tools and education so that tech teams are abreast of the latest technology and trends, and are well-equipped to fight fire with fire, is essential. At their best, cyber security threats are a nuisance. At their worst, they can be both devastating and highly disruptive for the victims. However, by planning, determining any gaps within the company and staffing, and partnering with the right government bodies, organisations can avoid becoming a threat actor’s next prey.
