Unpacking cybersecurity trends in APAC

The Asia-Pacific region (APAC) includes cybersecurity leaders such as Japan, Singapore and Australia, but maturity levels and regulations vary hugely across these markets.
As threats evolve and organisations struggle to keep up, companies are at risk of ransomware, business email compromise (BEC) and more. But is the threat landscape similar across APAC? What do policymakers and security planners need to consider when developing strategies for their region and their organisations? Let’s unpack and assess readiness, regulations and threats cross APAC.

The threat landscape of the APAC region

In 2021, Singapore was ranked sixth in the world for having the most databases exposed to the Web, which hackers could breach and exploit. In the same year, nearly every organization surveyed in Singapore (97%) in Mimecast’s State of Email Security report was the target of a phishing attack, with these attacks are becoming more frequent. What’s more,84% of the organisations surveyed are also receiving an increased number of email-based threats – the largest amount globally, marking Singapore and the APAC region as a key target for threat actors.

Some of these strikes have been large-scale, with crucial infrastructure hit in Indonesia and South Korea, distributed denial of service (DDoS) attacks taking New Zealand banks offline and an attack on a Queensland energy supplier almost shutting down two Australian power stations.

Cybersecurity maturity varies hugely across APAC

APAC’s lack of regulatory alignment on regulation and variations in cyber maturity makes a unified response difficult. “Although cyber threats cut across borders,” notes Deloitte, “cybersecurity regulation in the APAC region remains fractured and localised, with no significant moves toward harmonisation”.

The Global Cybersecurity Index offers a snapshot of maturity levels across Asia and the Pacific. Singapore (4th), Malaysia (5th) and Japan (7th) all make the global top ten, with India and Australia (10th and 12th) not far behind. Other nations, such as the Philippines (61st) and Myanmar (99th) fare less well, while smaller territories including the Solomon Islands (166th) and Timor-Leste (173rd) are near the bottom of the table.

Regulations are inconsistent – though progress is being made

These variations in awareness and resourcing are compounded by different data privacy laws and regulations in each country, often even among local states and territories. The good news is that there is a trend towards some common ground. The European Union’s General Data Protection Regulation (GDPR) measures are increasingly driving global alignment, and some nations’ standards, such as those of Japan, are recognized as comparable with the EU’s. Singapore recently changed its Personal Data Protection Act to tighten rules surrounding the misuse of data and mandatory reporting, while Thailand’s legislation was updated this year to more closely mirror GDPR. South Korea has required IT businesses to report hacks since 2004.

Yet while privacy laws across territories cover similar ground, there are notable differences – Australia’s Privacy Act, for example, does not distinguish between data controllers and data processors, unlike the EU. Others lag behind the standards set by GDPR, and while Australia is introducing tough new laws (particularly surrounding critical infrastructure), other highly developed economies, such as Hong Kong, are still waiting while legislation is developed. India still does not have an overarching cybersecurity framework, instead relying on a hotchpotch of laws and individual regulators.

Geopolitics and tight budgets are putting CISOs in a tough spot

A lack of standardised regulation is not the only problem facing APAC nations. State-sponsored attacks are on the rise, and tensions over Taiwan, the South China Sea and Ukraine mean such incidents are likely to increase. Factor in the rise of ransomware and the risk associated with increased remote working, and it's no surprise dark clouds are looming for many CISOs across the region. Almost three-quarters of respondents to an Ernst & Young survey noted an increase in the number of disruptive attacks in the last year – and 47% warning that their budgets are not sufficient to manage new challenges.

Technology and collaboration offer solutions

The degree to which cyber defences have been successfully implemented varies across the region, with one report finding that 40% of Australian firms were confident in the maturity of their software supply chain risk management, compared to only 26% of Japanese and 35% of Indian companies. Contrastingly, 31% of Japanese organisations had fully developed zero-trust frameworks, compared to only 16% in Australia.

Zero trust, along with extended detection and response (XDR) and better cloud management are among measures that can help businesses across APAC increase their cyber resilience in this challenging environment. But the vast majority of businesses believe governments must lead the change – around 9 in 10 respondents felt formal government initiatives would significantly reduce cyber risk.

There are threats and opportunities across APAC

With Asia and the Pacific now the number-one target of cyberattackers around the world, organisations must raise their cyber game. Building an effective cybersecurity strategy, and ensuring your organisation has the budget to realise it, is crucial. New threats require new solutions, including holistic cloud defences, effective use of automation and zero trust frameworks.

For CISOs, benchmarking their security against global cybersecurity frameworks is a good starting point, even if their local market doesn’t require it. It’s also apowerful way to enhance their organisation’s profile and gain access to new markets.

The other half of the puzzle comes from the top, with effective regulation and more collaboration required at governmental level. Cross-border initiatives, such as the Association of Southeast Asian Nations (ASEAN)’s continued cybersecurity collaboration and new legislation in countries across the region may help – but for the moment, businesses must take ownership for their defences.