Research released this year by Microsoft and the global research firm Frost & Sullivan has found that more than half – 51 percent -- of companies in the Asia Pacific region have either experienced a cybersecurity incident or are not even sure if they have had a cybersecurity incident. They are paying for it in the form of stolen information and money.
Not only have these episodes cost these companies dearly, they are also hurting productivity: nearly three in five – 59 percent -- have delayed the progress of digital transformation projects due to the fear of cyberattacks.
It might not be of much comfort to the companies affected, but separate research has also found that most of these cybersecurity incidents could have easily been prevented. Research by the Online Trust Alliance calculated that in 2018, 95 percent of all breaches could have been avoided through simple and common-sense approaches to improving security.
This raises a simple question: if so many of these attacks could have been prevented, why weren’t they? There is a simple answer: there are nowhere near enough qualified, experienced cybersecurity workers in Asia.
The Skills Gap
This cybersecurity skills gap is not just a problem for Asia. Far from it. New research by the international, nonprofit membership association ISC2 estimates that there are currently almost 3 million unfilled vacancies in the cybersecurity sector and that all regions of the world are affected. Though the EU is leading the world in cybersecurity, it still lacks 142,000 trained professionals.
The cybersecurity skills gap in Asia, though, is on a different scale. The Asia-Pacific region, partly due to the rapid increase in the use of web technologies in the region, has (by far) the biggest gap. At the beginning of 2019, it was estimated that Asia needs 2.14 million extra cybersecurity workers.
Those in the industry are aware of this shortage. In the same research, fewer than a third of companies – 28 percent – have what respondents consider the right amount of cybersecurity staffing. That could soon change since 48 percent of the organizations plan to hire more cybersecurity professionals in the next year or so. Still, almost as many – 39 percent – expect to see no change in cybersecurity staffing, with 5 percent actually expected to experience a reduction.
Why The Gap?
There are a number of key reasons for the current skills gap in cybersecurity. The first is simply that companies in Asia are facing a hugely increased threat level. This, in turn, is due to a number of underlying factors.
One of these is that as the region develops, hackers have seen an opportunity to steal money and data. The second is that as IT infrastructure develops companies in Asia are turning to practices that expose them to risk. Remote working in the region – either for companies based in Asia or for workers visiting from abroad – is a huge source of risk unless employees use a quality VPN service to protect themselves, and take some basic steps to stay safe, especially when working remotely.
The second reason for the skills gap relates to morale. It is not uncommon for cybersecurity conferences to now feature dedicated streams which discuss how to handle work stress, depression, and burn-out. In fact, the demands put on those staff who are properly trained has led to a vicious cycle: companies are putting huge expectations on the small security staff, who then become overworked and quit the profession, which increases the workload on those who stay.
The third reason for the skills gap is undoubtedly a financial one. Though companies in Asia have begun to prioritize budgets for security, they are lagging behind the world when it comes to this. Research has shown that while 49 percent of companies say cybersecurity is a budget priority, 60 percent said it should be a higher priority. In addition, 55 percent of organizations expect to boost their budgets in the next year but 70 percent of respondents said the increase will not be enough.
In this context, it's not surprising that Asian graduates in cybersecurity are looking elsewhere for good employment prospects.
What Can Be Done?
Different companies and governments are taking different approaches to deal with this skills gap, though on such a huge and diverse continent it is difficult to see any integrated approach emerging.
Some countries have taken matters into their own hands. Vietnam has recently introduced draconian cybersecurity laws which, the government says, are designed to protect citizens and businesses from cyber threats. The rise of social media in Cambodia has also forced the government there to consider state-level legislation.
Critics of these approaches point out, however, that these laws do not protect businesses from the most advanced threats, and can also be used by the government to collect and seize commercial data, a concern that was at the heart of the recent Huawei scandal. Companies in Asia might have to take matters into their own hands. Recent research has shown that companies in Asia are exploring two ways to increase their defenses in the absence of trained engineers.
One is the use of threat analysis software. This software can automate threat detection and response and can allow one cybersecurity professionals to do the work of many. The other recent advance is artificial intelligence. Research has shown that more than 80 percent of businesses in the US are “already seeing a difference” from using AI and machine learning technologies as part of their security strategy and that such technologies could even be indispensable to an organization’s ability to detect advanced threats.
A Long-Term Solution
These solutions might work in the short term, but it’s also apparent that the cybersecurity skills gap is not going away anytime soon. Instead, we will need to train more cybersecurity workers to provide a sustainable solution to the problem.
If, in short, Asian countries are serious about leading the world when it comes to technology, they will also need to lead the world when it comes to cybersecurity.
Samuel Bocetta is a retired security analyst.