A Frost & Sullivan study commissioned by Microsoft has revealed that 25% of APAC organisations have experienced a cybersecurity incident in the past year. More worryingly, an additional 27% are not sure whether they have, because they have not carried out forensics or a data breach assessment. 41% of organisations said they ‘either think about cybersecurity only after they start on the project or do not consider it at all.’
The apparent lack of concern about cybersecurity is made particularly worrying by what the study discovered about the potential economic impact of a breach, which in 2017 may have been as much as $1.75 trillion (USD), representing more than 7% of the region’s total GDP of $24.3 trillion.
This figure is based on the study’s findings that a security incident at a large APAC organisation (i.e. >500 employees) can incur an average of $30 million in combined losses. This total includes direct losses ($3.4 million), indirect losses such as opportunity costs and reputational damage ($9.7 million), and incidental losses ($17.2 million).
Large organisations incur far more substantial losses than most companies, however: this total is 300x higher than the average economic loss for a mid-sized company (250-499 employees), which the study finds to be only $96,000.
“Although the direct losses from cybersecurity breaches are most visible, they are but just the tip of the iceberg,” said Edison Yu, Vice President and APAC Head of Enterprise for Frost & Sullivan. “There are many other hidden losses that we have to consider from both the indirect and induced perspectives, and the economic loss for organizations suffering from cybersecurity attacks can be often underestimated.”
For example, the study found that a cybersecurity incident had led to job losses in 67% of organisations last year, and 59% said they had postponed digital transformation efforts due to cybersecurity concerns.
The report noted that even those companies which were committing to cybersecurity initiatives were not necessarily doing so in a mature way. Only 1 in 5 saw cybersecurity as a business differentiator, and though 75% said they were using or thinking of using AI solutions to protect their networks, the tendency to try to ‘buy’ security by opting for primarily technological rather than strategic or people-based fixes hasn’t paid off.
The survey showed that 23% of respondents with more than 50 cybersecurity solutions could recover from a cyberattack within an hour.
In contrast, almost twice as many respondents (40%) with fewer than 10 cybersecurity solutions responded that they can recover from a cyberattack within an hour.
This isn’t entirely unexpected – the organisations with more solutions are likely to be the bigger ones with more complex business infrastructure – but clearly the attempt to compensate by increasing the size of the cybersecurity stack has not been effective.
“The ever-changing threat environment is challenging, but there are ways to be more effective using the right blend of modern technology, strategy, and expertise,” said Eric Lam, Director of Microsoft Asia’s Enterprise Cybersecurity Group. “Microsoft is empowering businesses in Asia Pacific to take advantage of digital transformation by enabling them to embrace the technology that’s available to them, securely through its secure platform of products and services, combined with unique intelligence and broad industry partnerships.”