Cybersecurity budgets still not keeping up with threats — report
Cybersecurity budgets have largely remained stagnant, even as instances of cyber-attacks continue to increase globally, according to new research released today by Sophos.
Executive teams are failing to recognise the level of damage cyber-threats pose to organisations, the report says, many of them taking a ‘conservative approach’ to cybersecurity expenditure.
In Australia, there was a marked increase in data breaches in 2020: 52% of organisations in the country reported suffering a data breach — up from 36% in 2019. But cybersecurity budgets as a percentage of revenue in Australia largely remain unchanged in response to this shift.
Meanwhile, 64% of Australian businesses stated their cybersecurity budget is below where it needs to be.
“Ultimately, security is about right-sizing the risk,” says Tech Research Asia lead analyst and director Trevor Clarke.
“If the risk increases, budgets should also increase, but in this climate of uncertainty, we've seen organisations take a conservative approach to security spending, which is impacting their ability to stay ahead of cybercriminals.
On the bright side, businesses expect an incremental increase in the median percentage of technology budgets spent on cybersecurity from 6% today to 9% in two years.
Across the wider Asia Pacific and Japan region, the report found that fanciful perceptions about the state of cybersecurity are hindering organisations: many executives, according to Sophos, assume cybersecurity is easy and that threats are exaggerated.
“Our research highlights a disturbing attitude that needs to be tackled head on — executive teams claiming that cybersecurity incidents are exaggerated,” says Sophos global solutions engineer Aaron Bugal.
“It is confounding that this attitude prevails even when the end of 2020 showed us just how bad a global supply-chain attack could be. If that wasn't enough, the more recent zero-day vulnerabilities in widely deployed email platforms demonstrate the desperate need for unification when it comes to cyber resilience.
“Everybody needs to play a part. And to play a part, we all need to understand the risk.”
Back in Australia, another significant issue the industry faces is the cybersecurity skill gap. 62% of Australian businesses agree their company's lack of cybersecurity skills is a challenge, unchanged from 2019, according to the report.
A lack of qualified staff and budget constraints hinder organisations from obtaining the skills they require in-house. 63% of companies struggle to recruit candidates with the necessary skills, which is slightly improved from 65% in 2019. This is on par with the rest of the region.
COVID-19 had a positive impact on cybersecurity across Australia, with 70% of Australian companies agreeing the outbreak of COVID-19 was the strongest catalyst for upgrading cybersecurity strategy and tools in the past 12 months.
“At the same time, 60% of organisations indicated they were unprepared for the cybersecurity requirements driven by the sudden need for secure remote working at the onset of the pandemic,” says Clarke.
“COVID-19 compelled companies to refresh their cybersecurity strategies, yet the transformational shift to remote working also exposed additional weaknesses.
“Businesses have transformed their workplace environments, undergone an accelerated period of digitisation, yet continue to confront systemic cybersecurity issues, including executive apathy, low budgets and a lack of skilled cybersecurity professionals,” Clarke adds.
“Despite improvements made, progress remains slow, reinforcing our belief that cybersecurity is never ‘finished’ and requires a constant focus, both from technological and cultural viewpoints.”