Asia-Pacific Companies Challenged by Pace of Change and Resource Allocation in the Face of Rising Cybersecurity Threats

Study reveals cyberattack disruptions are increasing but it is taking organizations longer to fix the underlying issues

Hong Kong, July 17, 2019 – Cybersecurity, is a moving target. As companies adopt new technologies, so do hackers, and this is making it an increasingly challenging task to identify and remove risk for today’s organizations, both in Asia and throughout the world.

This is one of the key findings from the fifth annual Vendor Risk Management Benchmark Study from Shared Assessments Program and Protiviti, which underscores the fact that all risk management programs are running harder just to stay in place. This has major potential impact on management goals, security postures and regulatory mandates.

This comprehensive study exposes what recent news events have shown: the threat landscape is morphing almost daily, with nation state threats, advanced cyberattacks, new forms of activism, potential liability shifts and other factors bringing new importance to vendor risk management practices and programs.

How Asia-Pacific is Coping with Risk

The study reveals that, even as cyberattack disruptions are increasing, it is taking organizations longer to fix the underlying issues. As a result, businesses in the region are turning to new technologies to support with Risk Management.

58.5% of APAC businesses plan to use AI for Risk Management - for example identifying and forecasting risks, running scenarios and simulations - in the next two years. While, 60% of businesses in the region are currently using AI to combat cybersecurity threats and predict cyber breaches; and plan to either maintain or increase their usage of it in years to come.

However, the adoption of these new technologies brings its own risks. When implementing advanced AI, nearly a quarter (23.3%) of APAC businesses say that considering the cybersecurity and data privacy risks involved was the most important lesson they learnt in the process. Those who persevere are rewarded however, with 66% of APAC respondents saying the advanced AI has had a moderate to significantly positive impact on their ability to detect and predict cyber breaches.

“From data breaches, bad actors and increasingly complex cyberattacks, through to regulatory changes and rapidly evolving business structures, today’s threat landscape is constantly evolving, and a company’s carefully established reputation can suffer lasting damage following just one high-profile attack. In order to avoid these devastating scenarios, businesses across Asia-Pacific need to critically assess and enhance their vendor risk management programs to keep up,” comments Adam Johnston, Managing Director for Protiviti in Hong Kong.

“As a result, our study reveals that an increasing number of organizations are moving away from high-risk vendor relationships as they seek to have better oversight of cyber security threats. A majority of organizations — 55 percent — are extremely or somewhat likely to move or exit risky vendor relationships this year, a 2 percent increase compared to last year’s survey.”

Global Vendor Risk Management Trends

Throughout the world, disruptions from breaches are increasing, and it is taking organizations longer to fix the underlying issues. Nearly 67 percent more organizations reported that they had experienced a significant disruption from a cyberattack or hacking incident compared to last year. However, the overall maturity of vendor risk management programs is virtually unchanged since last year. This suggests many organizations must work diligently to simply sustain the current performance and sophistication of their VRM programs.

A more troubling cybersecurity issue has also emerged: it is taking organizations longer to respond to breaches. Respondents who were able to fix issues relating to successful cyberattacks in just one month declined by 17 percent. Last year, only 28 percent of respondents reported that these fixes took between three months to one year; this year that number has leapt to 37 percent.

When it comes to combating risk, organizations with high levels of board engagement with, and understanding of, vendor risk management issues are more than twice as likely to have VRM programs that are operating at or above target level, compared with organizations that have low levels of board engagement in these issues.

“As well as external parties, risk management teams must continually monitor their own weak spots. Our research has shown that untrained, non-IT staff represent the greatest cybersecurity danger, higher than unsophisticated hackers, cyber criminals and social engineers. That explains why many information security and IT groups are devoting more effort to improving pivotal facets of internal cybersecurity — such as user access controls, employee security awareness, and periodic penetration testing — that also affect vendor risk management activities. In sum, vendor risk management improvement is a never-ending job,” adds Johnston.

###

For more information, contact:

 

Notes to the Editor

For the purposes of this study, the term “advanced artificial intelligence (AI)” is an umbrella term for several different technologies that allow computer systems to perform tasks that normally require human intelligence, such as visual perception, speech recognition and decision-making.

About the Survey

The survey polled 554 risk management practitioners and C-suite executives on the detailed criteria in the Shared Assessment Vendor Risk Management Maturity Model (VRMMM), an industry standard framework for evaluating the maturity of vendor risk programs, including cybersecurity, IT, privacy, data security and business resiliency controls. Broken into eight categories, the model explores 211 program elements that should form the basis of a robust, well-run VRM program.