State of Email Security 2023: Pushing Back in APAC

Most companies surveyed in Australia and Singapore expect an email-borne cyberattack to harm their business this year, but the types of attack, exposures to risk, and strategies for defense are changing. For example, ransomware attacks have subsided somewhat, many respondents say, but collaboration platforms raise risk in hybrid work models. New policies and technologies are being taken up in both countries, but Singapore is driving them more aggressively.

These findings on cybersecurity in the Asia-Pacific (APAC) region were recently published in Mimecast’s global State of Email Security 2023 (SOES 2023) report. They are based on a late 2022 survey of CISOs and other IT professionals across 12 industrial sectors and 13 countries, including Australia and Singapore.

Australia at a Cyber Crossroads

The Australian government is poised to rewrite cybersecurity rules amid a recent wave of major data breaches, and it recently called for public comment on a proposed 2023-2030 Australian Cyber Security Strategy.[i] The government’s discussion paper asks for input on mandatory cybersecurity standards, a prohibition on ransomware payments, and other key changes. It comes as the Office of the Australian Information Commissioner has reported a 26% increase in data breaches from the first to second half of 2022, impacting millions of citizens.[ii]

Mimecast’s SOES 2023 report delves into the issues Australian businesses face in their growing use of email and collaboration platforms, the entry points for most cyberattacks given today’s hybrid work model. Findings include:

• Likely Threats Ahead: About three-quarters of survey respondents believe their company will suffer a negative business impact from an email-borne attack in 2023. Around the same number expect their business to suffer a negative business impact from an attack originating via a collaboration platform.
• Growing Volume and Sophistication of Attacks: Seventy percent of security professionals in Australia say they faced a growing number of email attacks in the past 12 months. Nearly as challenging, they say, will be the increasing sophistication of attacks in the year ahead. 
• Collaboration Opens Gaps: A significant majority (83%) of Australian respondents say collaboration tools are essential to day-to-day operations. Nearly seven in 10 say these tools create security loopholes that urgently need to be addressed.
• Ransomware Eases: Fewer Australian survey respondents are reporting harm to their business from ransomware. While over half (52%) say their businesses saw a negative impact in the past 12 months, that represents a drop of 25 percentage points from 2021.
• Budget and Personnel Woes: In Australia, many security professionals say that their budgets fall short of their ideal. Around 12.5% of the overall IT budget, on average, is currently allocated to cybersecurity, where they would be more comfortable with 17.2%. Over one-quarter of respondents indicate that insufficient security staff will be one of their biggest challenges this year.
• Appreciation for APIs: More respondents in Australia this year have come to recognize the benefits of integrating their disparate security tools into a unified platform, especially in improving threat intelligence and detection.

Singapore Presses for Solutions

The Singapore government in 2022 instituted one of the world’s first licensing frameworks for cybersecurity service providers — specifically, those offering monitoring and penetration testing services.[iii] And it continues to introduce policies and rules to improve the nation’s defenses, including subsidized cyber health checkups for small to midsize businesses and a cybersecurity labeling scheme for medical devices.[iv]^,[v] These and other steps address the ongoing phishing and ransomware threats described in the most recent “Singapore Cyber Landscape 2021” report.[vi]

The SOES 2023 report finds that Singapore businesses are also applying increasing innovation to address mounting cyber risk, as described below.

• Attack Expectations: About three-quarters of security professionals polled in Singapore expect an attack launched via email or a collaboration platform to harm their business in 2023.
• Increasing Volume of Email Attempts: Nearly eight in 10 (78%) have had to fend off a growing volume of email attacks in the past year. Still, that represents a decrease from 2021, when 84% reported increased volumes.
• Collaboration at Risk: More than nine in 10 security professionals in Singapore consider collaboration tools essential to day-to-day operations. Three-quarters of respondents say such collaboration technology poses new threats that urgently need to be addressed.
• Ransomware Relief: Nearly two-thirds (63%) of those polled say ransomware impacted their business operations in 2022. While high, this statistic is down by 20 percentage points from 2021.
• Resource Issues: Money and skills are seen as tight in Singapore, with cybersecurity making up 12.3% of the average IT budget, compared to respondents’ ideal of 15.6%. Related, 40% say that an insufficient security staff is one of their biggest challenges this year.
• Deploying Solutions: More Singaporeans (56%) say they are using artificial intelligence or machine learning than the global average (49%), citing benefits including better threat prevention, faster remediation and reduced workload for cybersecurity teams. And more respondents have come to recognize the benefits of unified cybersecurity ecosystems over the past year, especially improvements to threat intelligence capabilities.

Boards of Directors on Notice

As in other regions, APAC companies’ boards of directors are expected to do more than ever to address persistent cybersecurity issues. “Around the globe … boards and top executives have begun to acknowledge the risk,” the SOES 2023 report says. “This is pivotal.” 

Board oversight is top-of-mind in the APAC region. Australia’s national cyber strategy discussion paper asks, “Should the obligations of company directors specifically address cybersecurity risks and consequences?” Meanwhile, an op-ed in The Business Times in Singapore stresses that, “Boards should not wait for the authorities to get tougher before they start taking cybersecurity seriously.”[vii] 

The Bottom Line

Australia and Singapore are battling many of the same cyber issues that other countries across the world are, as email and collaboration platforms continue to be weaponized by cyber criminals and nation-state actors. The search for technology and policy solutions to the problem is ongoing in both co

[i] “Discussion Paper: 2023-2030 Australian Cybersecurity Strategy,” Australian Government

[ii] “Cybersecurity Incidents Impact Data Breach Risk,” Office of the Australian Information Commissioner

[iii] “CSA Kicks Off Licensing Framework for Cybersecurity Service Providers,” Cyber Security Agency of Singapore

[iv] “CSA to Launch Scheme to Develop Cybersecurity Health Plans With Funding Support For Small-Medium Enterprises,” Cyber Security Agency of Singapore

[v] “Cybersecurity Labeling Scheme for Medical Devices,” Cyber Security Agency of Singapore 

[vi] “Ransomware and Phishing Attacks Continued to Threaten Singapore Organizations and Individuals in 2021,” Cyber Security Agency of Singapore

[vii] “Optus Hack Shows Companies Must Take Timely Reporting of Cybersecurity Breaches More Seriously,” The Business Times