A greater number of companies in Asia Pacific are incurring a financial impact of over US$5 million from a cyber breach, which is higher than the global average, according to the newly released 2019 CISO Benchmark Study.
Commissioned by Cisco, the fifth annual survey revealed 17% of companies in the key markets of Australia, China, India and Japan saw a financial impact of more than US$5 million from their most severe breach in the past year. This is more than double the global average of 8%.
“Cybersecurity is a numbers game, one that is skewed in favor of malicious actors,” said John Maynard, vice president of Global Security Sales Organization at Cisco.
“Businesses need to win all the time, while attackers need just one successful hit to make an impact.”
He said: “Every time the attackers succeed, there is a financial impact on the company targeted. This includes out-of-pocket expenses, legal fees, reputational damage and loss of business.”
Across the region as a whole, this figure is 16% of companies, which is still measurably greater than the 8% global figure. Companies in Australia and Japan saw the highest increase year-on-year in this metric, with 47% of respondents in Australia and 12% in Japan reporting costs of greater than US$5 million, compared to 17% and 3%, respectively, in 2018.
Not all bad news
However, the survey showed a greater number of companies are experiencing lower breach costs, with 39% of companies in the region able to contain the cost of a cyber breach to below US$500,000. This is six percentage points below the 33% recorded in 2018.
The survey did not ask respondents for specific reasons behind an increase or decrease in costs. However, the results highlight key trends that may have played a part.
While cost to the business is clearly a focus, security professionals are changing the way they measure their success based on security outcomes, with many respondents moving toward remediation as a key indicator of security effectiveness.
More security leaders are now focused on time to remediate than time to detect, and the metric has risen in popularity as a success metric globally—48% of respondents in Asia Pacific cited this, compared to 36% in 2018. This is in line with the worldwide results.
This is starting to reflect how quickly companies are recovering from a breach. The study highlighted that only 4% of companies saw an outage that lasted more than 24 hours.
“The fact that an increasing number of companies are being able to contain this cost is a sign that businesses are starting to gain more control and balance their risks when hit by a breach,” Maynard said.
While this is a move in the right direction, a lot more needs to be done, he pointed out.
Studies have shown that the faster a company can remediate a cyber breach, the lower the financial impact. A study released by management consulting firm A.T. Kearney in 2018 estimated that an almost instant detection of a cybersecurity breach within a large enterprise costs the business US$433,000. If detection is delayed by more than a week, the figure triples to an average of US$1,204,000.
APAC firms have more security solutions than global counterparts
According to the study, one of the big challenges that companies have faced is the difficulty of orchestrating alerts across multiple vendors and solutions in their security environment.
This is an acute problem in Asia Pacific, with 17% of respondents saying they have more than 20 vendors in their environment, higher than the global average of 14%. More than half, or about 54%, of respondents in Asia Pacific cited having fewer than 10 vendors, lower than the global average of 63%.
This is clearly having an impact on security preparedness, as a staggering 93% of respondents in Asia Pacific said it was somewhat or very challenging to orchestrate cybersecurity alerts from multiple vendor products. This is higher than the global average of 79%.
“Companies have traditionally approached building their security capabilities in a piecemeal manner by adopting solutions to address specific challenges at the time. While this may help patch individual vulnerabilities, it creates a bigger issue as having more point solutions that don’t work together increases their security effectiveness gap,” said Stephen Dane, managing director, Global Security Sales Organization, APJC at Cisco.
The study highlighted that companies across the globe are already starting to consolidate the number of vendors they work with. In 2018, 54% of respondents cited 10 or fewer vendors in their environment. This has risen to 63% in 2019.
“We need to remember that cyber criminals are constantly working together and are relentless in their pursuits of hacking networks and inflicting damage on their targets,” Dane said. “Defenders need to take a similar approach by collaborating more, sharing intelligence and ensuring they stay a step ahead of the attackers.”
“The first step in that direction is to have a strategic approach to building a comprehensive security environment and ensuring that the solutions are integrated and can work together to defend against potential attacks,” he added.